Are there NIST standards relevant to emailing a new user an authentication token?


I'm unable to find NIST standards relevant to the following scenario:

A user of our app can register new users for their team. This user provides the email and personal information of the new user, and the app will send an email to the new user with a URL to create a password, which the new user can't log in without. The URL contains a token to ensure that the password can only be created once and for the appropriate user. We use Django to manage users, and the token is being created and checked with django.contrib.auth.tokens.PasswordResetTokenGenerator.

If the token is valid, the user can create a password and log in.

Are there any NIST standards that have something to say about a situation like this? I'm not an expert at searching through standards databases so I haven't had luck.

1 Answer

I found them in NIST Special Publication 800-63-3:

It describes the different Identity, Authentication, and Federation Assurance levels and how to select these levels based on different risk management needs.
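
The single-use, per-user property described in the question can be seen in a small model of a stateless token. This is an added example, not part of the original question or answer and not Django's code; it follows the same idea as PasswordResetTokenGenerator of keying an HMAC over account state. The secret, the `User` class, the timeout and all sample values are constructed assumptions.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed; stands in for a server-side secret
TIMEOUT = 3 * 24 * 3600              # assumed validity window, in seconds

@dataclass
class User:                          # hypothetical stand-in for a user record
    pk: int
    email: str
    password_hash: str               # unusable placeholder until a password is set

def _mac(user: User, ts: int) -> str:
    # Bind the token to the account and to state that changes once it is used.
    state = f"{user.pk}|{user.password_hash}|{user.email}|{ts}".encode()
    return hmac.new(SECRET, state, hashlib.sha256).hexdigest()

def make_token(user: User, now: Optional[int] = None) -> str:
    ts = int(time.time()) if now is None else now
    return f"{ts}-{_mac(user, ts)}"

def check_token(user: User, token: str, now: Optional[int] = None) -> bool:
    now = int(time.time()) if now is None else now
    try:
        ts_text, mac = token.split("-", 1)
        ts = int(ts_text)
    except ValueError:
        return False                 # malformed token
    expected = _mac(user, ts).encode()
    if not hmac.compare_digest(mac.encode(), expected):
        return False                 # wrong user, tampered, or account state changed
    return 0 <= now - ts <= TIMEOUT  # reject expired or future-dated tokens

def demo() -> dict:
    alice = User(1, "alice@example.test", "!unusable")  # constructed sample users
    bob = User(2, "bob@example.test", "!unusable")
    t0 = 1_700_000_000
    token = make_token(alice, now=t0)
    results = {
        "fresh": check_token(alice, token, now=t0 + 60),
        "other_user": check_token(bob, token, now=t0 + 60),
        "expired": check_token(alice, token, now=t0 + TIMEOUT + 1),
    }
    alice.password_hash = "pbkdf2$constructed"  # password created via the link
    results["reused"] = check_token(alice, token, now=t0 + 60)
    return results
```

Because the password hash is part of the MAC input, setting the password invalidates the emailed link without the server storing the token.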