NIST on Cloning of Authentication Keys

4 points by mooreds 7 days ago

2 comments

evanjrowley 7 days ago
Look for Appendix B. Syncable Authenticators: https://pages.nist.gov/800-63-4/sp800-63b.html#appB

Interesting they feel comfortable using WebAuthn for Authenticator Assurance Level 2. It does seem like the right middle-ground for an exportable private key.

They referenced WebAuthn quite a bit in Appendix B. I'm surprised the FIDO Alliance's Credential Exchange Format/Protocol was not mentioned: https://fidoalliance.org/specifications-credential-exchange-specifications/

I haven't taken a deep dive on it, but I wonder if those FIDO Alliance specifications would meet/support NIST's AAL2 criteria for WebAuthn.
gnabgib 7 days ago
This isn't the title (NIST Special Publication 800-63B.. yeah NIST docs aren't very accessibly named), nor the intent of this document.

> This document provides requirements to credential service providers (CSPs) for remote user authentication at each of three Authentication Assurance Levels (AALs).