Multi-Factor Authentication and NIST Password Guidelines

Compromised passwords account for 81% of hacking-related breaches. Securing your users' passwords is therefore a critical part of overall information security, both online and offline.

Many of the conventional password security practices currently in use seem intuitive. Unfortunately, many of them are either outdated, misleading, or counterproductive. With malicious online actors continually improving their hacking methods, there is a need to use better security to safeguard your information.

Hence, many people and organizations rely more on multifactor authentication to protect their accounts and devices. NIST also includes multifactor authentication in its password guidelines, NIST Special Publication 800-63B.

Let’s look at multifactor authentication best practices as related to NIST.

What is Multifactor Authentication?

Multifactor authentication (MFA), sometimes called two-factor authentication (2FA), is a security enhancement that requires users to present at least two pieces of evidence (credentials) when logging into accounts. These credentials fall into one of three authentication method categories, namely:

  • Something you know (a PIN or password)
  • Something you have (a smart card)
  • Something you are (voice biometrics, face recognition or fingerprint)

To enhance your account or device security, you need credentials from at least two different categories. For instance, an MFA login might go like this: you enter your username and password, you are then prompted to provide your voice or face for biometric authentication, and only then are you logged into your account.

In many cases the MFA process is easier because of the “remember this device” option: if you log into your account from the same device, the site recognizes it and uses it as the second factor. Increasingly, companies are looking to replace passwords entirely with more secure, less intrusive “something you have” and “something you are” factors.

Between device recognition and the risk analytics a bank or similar service likely performs, such as flagging a login to the same account 30 minutes later from across the world, your account remains secure. In such cases, the only people doing extra work are those trying to break into the account.

What is NIST?

NIST is a non-regulatory U.S. federal agency under the Department of Commerce. The NIST Cybersecurity Framework (CSF) strengthens the security of critical infrastructure in the U.S.
</gre_replace>
<gr_replace lines="31" cat="clarify" orig="NIST cybersecurity">
Complying with NIST cybersecurity guidelines such as the CSF is the easiest way to comply with other security frameworks like the Sarbanes-Oxley Act (SOX) or PCI DSS. Business enterprises and organizations use the NIST CSF and other NIST IT security publications, such as NIST 800-53 and NIST 800-171, to assure themselves and their clients that their networks, data, and systems are safe.

Since its release in 2014 and update in 2018, NIST CSF has become a vital risk management resource for public agencies, private sector enterprises, and non-governmental public entities like universities and research organizations.

NIST cybersecurity guidelines such as CSF compliance is the easiest way to comply with other security frameworks like the Sarbanes-Oxley Act (SOX) or PCI DSS. Business enterprises and organizations opt to use NIST CSF and Other NIST IT security framework publications such as NIST 800-53 and NIST 800-171 to assure themselves and their clients that their networks, data, and systems are safe.

How MFA Relates to NIST Password Guidelines

The recently updated NIST Special Publication 800-63B password guidelines include multifactor authentication.

The NIST password guidelines were initially published in 2017 and updated in March 2020. Today, many password-cracking experts consider the guidelines the most influential standard for password creation, protection, and use policies.

Although the U.S. government requires the NIST password guidelines for its federal agencies, the private sector has also accepted and implemented them because they are vetted, well-researched, and widely applicable. What’s more, many corporate security teams use the NIST password guidelines to build their credibility in the industry and implement multifactor authentication best practices.

The NIST guidelines require the use of MFA to secure any personal information available online. They are specific on what qualifies as valid authentication and what doesn’t.

For example, the 2020 update added email to the list of channels it does not accept for MFA, because email is not an out-of-band (OOB) authenticator. The list also includes voice over IP (VoIP). Neither counts as a “separate channel” because neither proves possession of a second device.

Therefore, even if you use multifactor authentication, you need to review the updated NIST guidelines to ensure your channels meet the standards.
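The two rules this section states, credentials from at least two categories and no email or VoIP as an out-of-band channel, can be applied mechanically when reviewing a login configuration. The following is an added example written for this page, not code from the post's author, from NIST, or from ID R&D; the authenticator names and sample configurations are constructed, and the assignment of each authenticator to a factor category is an assumption made here.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

class Factor(Enum):
    """The three authentication categories described above."""
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"

# Channels the 2020 update of SP 800-63B does not accept as out-of-band,
# because delivery over them does not prove possession of a second device.
NON_OOB_CHANNELS = {"email", "voip"}

@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: Factor
    # Delivery channel for codes sent out-of-band; None for authenticators
    # bound to the user or device (password, app-generated code, biometric).
    channel: Optional[str] = None

def evaluate_mfa(authenticators: List[Authenticator]) -> Tuple[bool, List[str]]:
    """Return (passes, findings): passes only if the authenticators that
    survive the channel check span at least two distinct factor categories."""
    findings: List[str] = []
    accepted: List[Authenticator] = []
    for auth in authenticators:
        if auth.channel and auth.channel.lower() in NON_OOB_CHANNELS:
            findings.append(f"{auth.name}: {auth.channel} is not an accepted "
                            "out-of-band channel (no proof of a second device)")
            continue  # does not count toward the two categories
        accepted.append(auth)
    categories = {auth.factor for auth in accepted}
    if len(categories) < 2:
        findings.append(f"{len(categories)} distinct factor category after "
                        "exclusions; MFA needs at least two")
        return False, findings
    return True, findings

# Constructed sample authenticators (hypothetical, for illustration only).
PASSWORD = Authenticator("password", Factor.KNOW)
PIN = Authenticator("PIN", Factor.KNOW)
EMAIL_CODE = Authenticator("one-time code by email", Factor.HAVE, channel="email")
VOIP_CODE = Authenticator("one-time code by VoIP call", Factor.HAVE, channel="voip")
APP_CODE = Authenticator("authenticator-app code on phone", Factor.HAVE)
FINGERPRINT = Authenticator("fingerprint", Factor.ARE)
```

A password plus an email code fails the check even though the two look like different factors, while a password plus a VoIP code plus a phone app passes with a finding recorded against the VoIP step.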

Why Use Multifactor Authentication?

MFA adds a layer of security to your account, making it harder for malicious actors to access it as if they were you. Your information is safer because a hacker or thief needs both your password and your code-generator device (such as your phone).

Hence, it’s essential to report your device as stolen before the thief uses it to log into your accounts. Also, always lock your phone to render it even less useful to someone intending to use your MFA credentials.

Use MFA whenever possible, primarily to protect sensitive data such as your primary email, health records, or financial information.

Over to You

The NIST password guidelines seem to consider the strained relationship between cybersecurity and user experience. Hence, they clearly state that strong password security is possible with a streamlined user experience. Users always bend towards what makes their lives easier, sometimes to the detriment of their password security.

ID R&D, a leading biometric technology company, delivers new generation “zero-effort” authentication to clients. We use the science of biometrics and AI advances to prevent users from sacrificing security to gain convenience. Learn more about making biometrics part of your multi-factor authentication strategy.

Author Bio: Reciprocity Inc develops cutting-edge consumerized enterprise software, most recently for the Governance, Risk, and Compliance (GRC) market. Reciprocity’s ZenGRC platform simplifies the way organizations manage information security risk and compliance, and encourages transparency and trusted relationships with key stakeholders.