a NIST blog
In celebration of Cybersecurity Awareness Month, NIST will be publishing a dedicated blog series throughout October; we will be sharing blogs each week that will match up to four key behaviors identified by the National Cybersecurity Alliance (NCA). Today’s interview-style blog features two NIST experts —Bill Newhouse and Ryan Galluzzo—discussing different reasons to enable multi-factor authentication (a mechanism to verify an individual’s identity by requiring them to provide more information than just a username and password).
Here are the questions they both were asked, along with their responses:
Bill: Since 2015, I have been a cybersecurity engineer at NIST’s National Cybersecurity Center of Excellence (NCCoE)—where I have brought together experts from industry, government, and academia to address the real-world needs of securing complex IT systems and protecting the nation’s critical infrastructure. The projects I have worked on include a focus on digital authentication as part of the cybersecurity reference designs created. Two of my projects, Derived Personal Identity Verification (PIV) Credentials and Multifactor Authentication for E-Commerce, demonstrate uses of multi-factor authentication (MFA).
Ryan: NIST’s identity program focuses on foundational and applied research, standards development, measurement, and implementation guidance to support responsible innovation in identity technology. This includes exploring new, more effective, and more accessible ways to provide MFA to individuals. We achieve this through the development of guidance such as our Digital Identity Guidelines (NIST Special Publication 800-63) and research into emerging technologies such as Mobile Driver’s Licenses and decentralized identity. We also conduct technology integration projects with partners at the NCCoE – such as the Multi-Factor Authentication for E-Commerce project.
Bill: Be intentional—Unless you turn off your computers, tablets, fitness trackers, and mobile phones, you are online. So, if you are always online, increase your online safety by using devices and applications that are supported by automatic security updates. From this foundation, staying safe online also means being as intentional as possible. One way I am intentional is that I enable multi-factor authentication (sometimes called 2-step verification) for all online accounts that hold sensitive or precious-to-me data. If I don’t want to lose control of my account, I visit the security section of my customer profile and turn on MFA which allows me to leverage “authentication apps” that provide randomly generated one-time codes or push notifications, a hardware authentication device that supports public-key cryptography, or I use my mobile device's built-in biometrics.
If I seek to enable MFA to support online access and the provider does not offer it, I will not continue to be a customer.
Being intentional also means that I try to control the sites I visit. I likely spend more time than most looking at the web addresses when on my browser as I surf the web. If I get an email indicating something about an online account that offers me a link to take an action on that account, I don’t immediately click the link. I don’t want to become a victim of a phishing attack, so I tend to access my online account’s customer portal without having clicked on a link. I like being in control by taking that extra step to open a new browser tab and type in the URL for my customer or user access to that online service.
Ryan: Adding multi-factor authentication to all your sensitive accounts. Many service providers have made this easier than consumers may realize. The proliferation of smart mobile devices has given individuals many more options than had previously been available. From “authentication apps” that provide randomly generated one-time codes or push notifications, to native biometrics on our devices, there are more options for securing our digital selves than ever. The increasing ubiquity of federation has also helped, allowing users to sign in with common providers, where MFA is sometimes incorporated by default. Many of us are probably using MFA every day – particularly with our mobile devices – and simply don’t even realize it.
You may not need MFA for everything – but if your personal information, financial information, or health care data is involved you should make sure to check your provider’s account settings to see if you can turn it on. I would also consider moving away from using text-based MFA for these services in favor of an authenticator app. These typically offer several different methods to authenticate with different websites and can typically be set up quickly and easily by scanning a QR code. If you are feeling particularly paranoid – or nerdy – hardware tokens and authenticators that use cryptographic authentication (like FIDO tokens) can further increase your digital security by improving resistance to phishing attempts.
Bill:
Ryan:
Bill: From a very practical point of view, #BeCyberSmart means I can search Twitter to find posts that touch on different aspects of staying safe online using the hashtag #BeCyberSmart. Good advice should not be hard to find. DHS created the #BeCyberSmart campaign to help you find good advice for staying safe online.
Ryan: Vigilance. Just like safety in the real world, security in the digital world revolves around being aware of the threats you face and keeping an eye out for those things that “just don’t look right.” Even if you are using MFA there are still risks – particularly when using text and one-time codes. Just as you would never input your password on a website that looked sketchy, don’t provide MFA codes to sites you don’t trust or that may not look legitimate.
Bill: My work at our applied cybersecurity center, the NCCoE, involves interacting with lots of collaborators from other government agencies, in the private and academic sectors, as well as other nations as we work to identify the cybersecurity challenges that become our projects (to build our reference designs and to communicate what we’ve done together). This work focuses on helping organizations mitigate cybersecurity risk. It is a privilege to work at NIST for 6/25’s of the #NISTCyber50th anniversary years—and to know NIST and its open, transparent, and consensus-based processes have supported my entire federal career that has occurred over 74% of #NISTCyber50th.
Ryan: I am relatively new to NIST, but what I can say is that the mission of improving our national cybersecurity and the collaborative atmosphere were the two driving factors for joining the organization. NIST’s mission depends on engagement, collaboration, and transparency with a broad range of stakeholders – from the individual member of the public to Chief Information Security Officers for major agencies – we get to engage with all of them and learn what matters to each of them. It’s a fascinating and enjoyable atmosphere to work in.
Also, the wildlife at the Gaithersburg campus. There are deer everywhere!