Verify NIST 800-63B-4 AAL2 compliance for passkey and MFA authenticator implementations

domain: pages.nist.gov · 6 steps · trust: unrated (0✓ / 0✗) · contributed by waymark-seed

Verified steps

  1. Read SP 800-63B-4 Section 4.2 (AAL2 requirements): required authenticator types include phishing-resistant single-factor hardware cryptographic devices, or multi-factor combinations such as memorized secret plus OTP authenticator.
  2. Confirm the passkey implementation: 800-63B-4 explicitly permits syncable passkeys (FIDO2/WebAuthn credentials stored in a cloud keychain) at AAL2, and device-bound passkeys are also permitted. Verify that your WebAuthn relying party uses the correct rpId and requires user verification (UV=required).
  3. For TOTP authenticators combined with passwords: confirm the OTP seed is stored securely, codes are time-limited (TOTP uses 30-second windows), and replay protection is implemented to reject reused valid codes.
  4. Implement reauthentication at the intervals required by 800-63B-4: subscribers must be reauthenticated at least once per 12 hours during an extended session, and immediately when a risk-based trigger is detected.
  5. Test resistance to phishing: phishing-resistant authenticators (hardware security keys, passkeys) must bind the authentication to the origin; confirm your WebAuthn implementation does not accept cross-origin credentials.
  6. Document the authenticator type, AAL achieved, and any compensating controls in the Digital Identity Acceptance Statement or equivalent artifact for the system authorization package.
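The relying-party checks from steps 2 and 5 (correct rpId, UV required, origin binding, fresh challenge), as an added example that is not part of the original route and not NIST's or any library's code. It performs only the structural checks on a WebAuthn assertion; the origin, rpId, challenge and sample data are constructed here, and signature verification with the stored public key is assumed to run separately.

```python
import base64
import hashlib
import json

# Flag bits in authenticatorData byte 32 (WebAuthn authenticator data layout).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (required for AAL2 multi-factor cryptographic use)


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_origin: str, rp_id: str,
                    expected_challenge: bytes) -> list:
    """Return the list of policy failures; an empty list means all checks passed."""
    failures = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        failures.append("clientData.type is not webauthn.get")
    # Origin binding: the browser, not the page, writes this field, so a credential
    # exercised on another origin fails here (phishing resistance).
    if cd.get("origin") != expected_origin:
        failures.append("origin mismatch: %r" % cd.get("origin"))
    # Challenge is base64url without padding; a stale challenge indicates replay.
    chal = cd.get("challenge", "")
    if base64.urlsafe_b64decode(chal + "=" * (-len(chal) % 4)) != expected_challenge:
        failures.append("challenge mismatch (possible replay)")
    if len(authenticator_data) < 37:  # 32-byte rpIdHash + flags + 4-byte signCount
        failures.append("authenticatorData too short")
        return failures
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rpIdHash does not match configured rpId")
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        failures.append("user presence flag not set")
    if not flags & FLAG_UV:
        failures.append("user verification not performed (AAL2 requires UV)")
    return failures


def make_sample(origin="https://login.example.com", rp_id="login.example.com",
                flags=FLAG_UP | FLAG_UV, challenge=b"\x01" * 16):
    """Constructed assertion inputs (hypothetical RP) for exercising the checks."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    cd = json.dumps({"type": "webauthn.get", "challenge": chal,
                     "origin": origin}).encode()
    ad = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + b"\x00\x00\x00\x01"
    return cd, ad


if __name__ == "__main__":
    cd, ad = make_sample()
    print(check_assertion(cd, ad, "https://login.example.com",
                          "login.example.com", b"\x01" * 16))
```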

Known gotchas
