October is always an exciting time for us as we celebrate Cybersecurity Awareness Month and some of NIST’s greatest accomplishments, resources, guidance, and latest news in the cybersecurity space. This year is a big one because 2023 marks the 20th anniversary of this important initiative —and we will celebrate in various ways every day throughout the month.
What is NIST Up to in October?
To kick-off our 2023 blog series, we sat down to interview NIST’s David Temoshok—and he walked us through his insights and ideas relative to enabling multi-factor authentication, along with sharing a bit about what he’s up to these days at NIST.
Multi-factor authentication uses a combination of something you know, such as a password, in combination with something you have, such as an authentication application on your phone, or something you are, such as fingerprint or facial recognition, to prove you are who you say you are online. So even if your password is stolen and compromised, attackers will not be able to gain access to your accounts because they cannot provide the second authentication factor to login.
I lead the work on NIST Special Publication 800-63-3 Digital Identity Guidelines. The guidelines provide foundational processes and technical guidance for the management of digital identities by federal agencies. The Guidelines also explain how public access to federal online services, systems, and transactions need to be managed by federal agencies in secure, usable, and privacy-protecting ways.
The Guidelines are actually published in four volumes: the first one introduces the processes and terms that are used throughout the following Volumes and applies risk management principles to digital identity management; the second, Volume A, addresses identity proofing and enrolling the public as digital identities into federal online services; the third, Volume B, addresses authenticating the digital identity of individuals that have been enrolled and return to online services; and the fourth, Volume C, addresses how to share enrollment digital identity information across federal agencies to facilitate and simplify access to federal online services. Volume B, Authenticator and Lifecycle Management, explains authentication and multi-factor authentication processes (and how those processes are used for access to all federal government online services).
All accounts that are established to access government online services require multi-factor authentication as a critical security control and privacy protection. We work closely with federal agencies and industry to explain why multi-factor authentication is critical for protection against cyber-attacks and account takeover (and how it can be used most effectively to meet the very broad and diverse needs of the government and the public that we serve).
NIST’s Digital Identity Guidelines present three levels of authentication assurance for access to the government’s online services: low, moderate, and high. Low assurance is defined as single factor authentication—which uses a single authentication factor, typically a user ID and password, to login to the user’s online account. However, this is extremely vulnerable to attack since cyber criminals can use various methods to guess, steal, and compromise passwords and take over personal accounts. Multi-factor authentication is necessary for moderate and high assurance protection against account login attacks.
Multi-factor authentication has proven to be extremely effective to protect against modern automated cyberattacks. It takes more than a password to secure your accounts online. The key thing to do today to enhance your online security is to enable multi-factor authentication.
The current version of the Digital Identity Guidelines, which is version 3, was published in June of 2017. Much has changed since then and we are in the process of updating the Digital Identity Guidelines to address technological changes, protections for new types of cyber-attacks, and new forms of authentication.
We published a Draft Revision 4 for the Digital Identity Guidelines last December and held a four-month public comment period…and we have been holding public workshops to discuss comments and updates that we plan to make for the final Revision 4 publication. One of the changes in Volume B was to add a new section on phishing-resistant multi-factor authentication. While all multi-factor authentication is much more secure than user ID and password alone, some forms of multi-factor authentication are still vulnerable to phishing attacks (phishing attacks are a form of social engineering—where cybercriminals use email or malicious websites that mimic a trusted login portal to entice users to enter their login credentials—enabling the attackers to take over the user’s account).
The new Volume provides technical guidance for phishing-resistant multifactor authentication using cryptographic authentication processes, such as Fast Identity Online (FIDO) commercially available authenticators and the government’s Personal Identity Verification (PIV) cryptographic authentication processes.
I have always been impressed by the sense of collegiality and professionalism at NIST. While individual analysis is always necessary, collegial discussions and decision-making as a team represent the foundation for the work at NIST. This is always handled in a courteous and professional manner so that all positions and input from the NIST team are considered and valued.