Replies: 1 comment
If we talk about storage, ASP.NET Core Identity uses Entity Framework Core to store all the things in SQL Server or another EF Core-supported RDBMS. ASP.NET Core Identity uses PBKDF2 by default for password hashing. Specifically: HMAC‑SHA256 + 10,000 iterations + 128‑bit salt.

Key storage (Identity itself does not manage encryption keys directly for password hashes): For authentication tokens (e.g., cookies, JWTs, reset tokens), keys are managed.

Compliance with NIST SP 800‑63B‑4: The default configuration is not fully aligned with 800‑63B out‑of‑the‑box, because:

But you can adjust these in IdentityOptions, through the Program or Startup files.
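Added example, not part of the reply above and not code from ASP.NET Core: a small Python audit helper that reads a stored `PasswordHash` value and reports the PBKDF2 parameters the reply lists. It assumes the V3 hasher layout (0x01 marker, then big-endian PRF id, iteration count and salt length, then salt and subkey); the function names, the sample password and the `min_iterations` threshold are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

PRF = {0: "sha1", 1: "sha256", 2: "sha512"}  # KeyDerivationPrf enum values

def parse_v3(stored_b64):
    """Split a V3 PasswordHash value into its PBKDF2 parameters."""
    raw = base64.b64decode(stored_b64, validate=True)
    if len(raw) < 13 or raw[0] != 0x01:
        raise ValueError("not a V3 hash (marker byte is not 0x01)")
    # Header after the marker: PRF id, iteration count, salt length (big-endian uint32)
    prf, iterations, salt_len = struct.unpack(">III", raw[1:13])
    if prf not in PRF or iterations < 1 or len(raw) <= 13 + salt_len:
        raise ValueError("malformed V3 header")
    return {"prf": PRF[prf], "iterations": iterations,
            "salt": raw[13:13 + salt_len], "subkey": raw[13 + salt_len:]}

def verify(stored_b64, password):
    """Recompute the subkey from the stored parameters; constant-time compare."""
    p = parse_v3(stored_b64)
    derived = hashlib.pbkdf2_hmac(p["prf"], password.encode("utf-8"), p["salt"],
                                  p["iterations"], len(p["subkey"]))
    return hmac.compare_digest(derived, p["subkey"])

def audit(stored_b64, min_iterations):
    """List where a row falls below a caller-chosen policy (threshold is an assumption)."""
    p = parse_v3(stored_b64)
    findings = []
    if p["prf"] == "sha1":
        findings.append("PRF is HMAC-SHA1")
    if p["iterations"] < min_iterations:
        findings.append(f"{p['iterations']} iterations < required {min_iterations}")
    if len(p["salt"]) < 16:
        findings.append(f"salt is {len(p['salt']) * 8} bits")
    return findings

def make_sample(password, iterations=10_000, salt=bytes(range(16))):
    """Constructed hash using the parameters listed in the reply (fixed salt, demo only)."""
    subkey = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)
    header = b"\x01" + struct.pack(">III", 1, iterations, len(salt))
    return base64.b64encode(header + salt + subkey).decode("ascii")

if __name__ == "__main__":
    sample = make_sample("Constructed-Passw0rd!")
    print(parse_v3(sample)["iterations"], verify(sample, "Constructed-Passw0rd!"))
    print(audit(sample, min_iterations=100_000))
```

Because the parameters travel with each hash, raising the iteration count in configuration does not change rows already stored; an audit like this shows which accounts still carry the older parameters.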
Hey everyone, I was trying to get an answer regarding the implementation of Identity and if it happens to comply with NIST 800-63B-4 guidelines around Digital Identity Authentication and Authenticator Management. I know that things are stored in SQL but didn't know if things are stored in separate tables, what algorithm is used by default, is that modifiable, where are keys stored, etc.
Just looking for some guidance on how Identity is set up from a security perspective.