The case for multi-factor authentication in NIST’s cyber framework

A try of YubiKeys, a popular form of multi-factor authentication. (Yubico)


Written by

This story first appeared on CyberScoop.

The U.S. government should specify some form of online identity security that goes beyond a username and password in the forthcoming update to its voluntary cybersecurity framework, advocates urged at an industry conference Tuesday.

“Right now, you have a situation where Teen Vogue is recommending [two-factor identity authentication, or] 2FA and the [National Institute for Standards and Technology] Cybersecurity Framework isn’t,” pointed out Jeremy Grant, who headed up NIST’s effort to kick-start a market for identity security from 2011 to 2015.

“Shouldn’t we take a look at that?” he asked the audience at the International Biometric Identity Association’s Connect:ID conference.

NIST is preparing an update to its highly regarded Cybersecurity Framework and is analyzing public comments on its initial draft ahead of a public workshop later this month.

The article in cyber-savvy Teen Vogue was something of a high-water mark for popular awareness of 2FA, also called multi-factor authentication, or MFA. It got the issue — adding to the password/username combination a second “factor” like a keystick or a biometric — the kind of attention from the hard-to-reach post-millennial demographic that federal awareness campaigns like Lock Down Your Login or private sector initiatives like World Password Daycan only dream of.

Grant, now managing director at the Chertoff Group, is part of a vocal coalition urging his old agency to include a specific reference to multi-factor identity authentication in the updated framework. “The Verizon Data Breach Investigations Report says that 63 percent of data breaches start with a stolen [or cracked] password,” he noted, “This can’t go on.”

Brett McDowell, executive director of the FIDO Alliance, a nonprofit that promotes interoperable standards for strong, cryptographically based identity authentication technologies, penned an op-ed for CyberScoop this week urging the inclusion of MFA in the updated framework.

The alliance has filed formal public comments on the framework update, urging the inclusion of a specific reference to MFA in the section of the framework “core” that will in the update be called Identity Management, Authentication and Access Control.

The comments point out that despite the section (referred to as a “category”) being renamed like that, “The word ‘authentication’ does not appear in any of the six … subcategories. The new framework core is thus both confusing and functionally incomplete. If authentication is intended to be part of the … core, it needs to be described in a subcategory for the sake of clarity and completeness.”

MFA wasn’t ready for prime time when the framework was first issued in 2014, its supporters acknowledge. But they argue it is now.

“Three years ago, NIST decided the standards weren’t mature, the costs were too high, and there were usability issues,” Grant told CyberScoop after his presentation. NIST officials laid out their concerns about MFA in a document called the Cybersecurity Roadmap, published alongside the framework in February 2014.

“Since then, the market has responded,” Grant added. “You have interoperable standards for strong, cryptographically based identity authentication technologies, you have mass market penetration of identity technologies [like fingerprint sensors on phone and keysticks] … and you have hardware-based execution environments [in phone chips] where you can execute very secure cryptographic functions.”

“The primary issues raised in the roadmap have all been addressed,” he said.

Michael Garcia, who now heads up NIST’s Trusted Identities Group, initially demurred any comment.

“We are firmly in listening mode right now,” he said when CyberScoop asked about MFA.

Later he added, “It is a completely valid question. Appropriate authentication that is risk based ought to be addressed, no question … In what level of detail you do that, that’s a difficult question. That’s why we had a public comment period, that’s why we’re having a workshop, that’s why we need to hear from the [cybersecurity] community. Because there’s a balance there about how specific and detailed you should get in what is a very high-level strategic type of document.”

-In this Story-

CyberScoop, National Institute of Standards and Technology (NIST), NIST cybersecurity framework