Add link to NIST SP 800-63B 2nd public draft to 3.3.8 / 3.3.9 understanding (#4351)

patrickhlauke · mbgower · web-flow · commit 9023dbdcfb3e · 2025-05-20T08:30:29.000-07:00
Incorporate outside references about allowing pasting into password
fields.

This change offsets stances about preventing pasting passwords. Even
NIST plans to recommend allowing it:

&gt; 3.1.1.2 Password verifiers
&gt; 
&gt; [...]
&gt; 
&gt; Verifiers SHALL allow the use of password managers. **Verifiers SHOULD
permit claimants to use the “paste” functionality when entering a
password to facilitate their use**. Password managers have been shown to
increase the likelihood that users will choose stronger passwords,
particularly if the password managers include password generators


&gt; 8.2.1 Passwords
&gt; 
&gt; [...]
&gt; 
&gt; Usability considerations for typical usage without a password manager
include:
&gt; 
&gt; [...]
&gt; * User experience during entry of the password
&gt; * **Support copy and paste functionality in fields for entering
passwords, including passphrases.**


&gt; 8.2.3 Out-of-band
&gt; 
&gt; [...]
&gt; 
&gt; Usability considerations for typical usage include:
&gt; 
&gt; [...]
&gt; 
&gt; **Consider offering features that do not require text entry on mobile
devices (e.g., a copy-paste feature)**, which are particularly helpful
when the primary and secondary channels are on the same device. For
example, it is difficult for users to transfer the authentication secret
manually using a smartphone because they must switch back and forth —
potentially multiple times — between the out-of-band application and the
primary channel.

Co-authored-by: Mike Gower &lt;mikegower@gmail.com&gt;
diff --git a/understanding/22/accessible-authentication-enhanced.html b/understanding/22/accessible-authentication-enhanced.html
@@ -108,6 +108,7 @@ <h2>Resources</h2>
             <li><a href="https://webauthn.io/">WebAuthN Demo site</a>.</li>
             <li><a href="https://en.wikipedia.org/wiki/OAuth">OAuth on Wikipedia</a>.</li>
             <li><a href="https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords">"Let them paste passwords", from the UK's National Cyber Security Centre</a></li>
+            <li><a href="https://pages.nist.gov/800-63-4/sp800-63b.html">NIST SP 800-63 Digital Identity Guidelines (Second Public Draft of Revision 4) / SP 800-63B Authentication &amp; Authenticator Management</a></li>
         </ul>
 
     </section>
diff --git a/understanding/22/accessible-authentication-minimum.html b/understanding/22/accessible-authentication-minimum.html
@@ -174,6 +174,7 @@ <h2>Resources</h2>
             <li><a href="https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API">Web Authentication API on MDN</a></li>
             <li><a href="https://en.wikipedia.org/wiki/OAuth">OAuth on Wikipedia</a></li>
             <li><a href="https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords">"Let them paste passwords", from the UK's National Cyber Security Centre</a></li>
+            <li><a href="https://pages.nist.gov/800-63-4/sp800-63b.html">NIST SP 800-63 Digital Identity Guidelines (Second Public Draft of Revision 4) / SP 800-63B Authentication &amp; Authenticator Management</a></li>
         </ul>
     </section>
 

-Original file line number
+Diff line change
             <li><a href="https://webauthn.io/">WebAuthN Demo sitea>.li>
             <li><a href="https://en.wikipedia.org/wiki/OAuth">OAuth on Wikipediaa>.li>
             <li><a href="https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords">"Let them paste passwords", from the UK's National Cyber Security Centrea>li>
 +            <li><a href="https://pages.nist.gov/800-63-4/sp800-63b.html">NIST SP 800-63 Digital Identity Guidelines (Second Public Draft of Revision 4) / SP 800-63B Authentication & Authenticator Managementa>li>
         ul>
     section>