<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

NIST Cybersecurity Framework

Protecting Your Infrastructure With Multi-Factor Authentication

down-arrow

As organizations begin their journey to comply with the NIST Framework, more and more of them are implementing multi-factor authentication (MFA) to protect their digital infrastructure. 

The National Institute for Standards and Technology (NIST) has been drafting new rules regarding protecting the identify of those in organizations that are adopting or have already adopted the NIST Framework. Organizations are moving away from password complexity such as symbols and numbers and opting to NIST's user friendliness with strong encryption standards and multi-factor authentication when involving sensitive information, or CUI (like in DFARS Compliance).

NIST has done a great job of being thorough with its guidelines for digital security - including threat-mitigation strategies, and trusted password regulations. NIST comes at this from the angle that making users' within these organizations lives simpler and more robust in their password security to strengthen password protection overall. NIST guidelines include details on multi-factor identification (MFA), or two-factor authentication (2FA), which is becoming more and more common. The user must demonstrate at least two of "something you know" such as a password, "something you are" such as a fingerprint, "something you have" such as a code sent to your phone via app. 

What's the Deal With SMS 2FA?

Last year, NIST proposed deprecating SMS 2FA because of vulnerabilities as an out-of-band factor in multi-factor authentication environments. “SMS 2FA is widely used for MFA; it has been adopted and is known to users, and any MFA is better than no MFA,” said Paul Grassi, senior standards and technology adviser at NIST. “The term ‘deprecation’ confused people. It wasn’t clear if SMS 2FA was disallowed or remained allowed.” NIST published a proposal, and the telecommunications, financial and security industries provided guidance on how to use SMS successfully, resulting in the four-volume SP 800-63 Digital Identity Guidelines. NIST applied these changes and fell under 'restricted' - that organizations or users would be taking a risk using SMS 2FA.

Federal security researchers implore that even though SMS delivery of one-time passwords is 'restricted' under NIST, that doesn't mean organizations should avoid using 2FA. In fact, there are other approaches, for example push-based OTP (sending a code to a mobile device via app such as Google Authenticator), which is cryptographically signed and not delivered via the SMS channel, avoiding those vulnerabilities. NIST doesn't tell federal agencies which authentication factors to use, but it is understood that agencies will have to choose a MFA method that fits their organization.

“Authentication can use a combination of biometrics, user behavior and cross-referenced user data that is easily available,” Halvorsen, Samsung CIO said. “DOD has CAC, PIN and other multifactor authentication methods. 2FA is not a big deal for some parts of federal networks. They’ve already completed this journey.”

Moving from complex passwords to MFA is highly recommended and will strengthen your organization's cybersecurity posture as you measure yourself against a nationally recognized security framework. CyberSaint includes MFA for our platform and specializes in helping you find the roadmap to a stronger cybersecurity posture, managing that posture from one pane of glass.

Contact us on our homepage or email info@cybersaint.io with any questions or for more information.  

Read the source article here.

You may also like

3 Ways Financial Institutions are ...
on January 14, 2021

Financial services firms have often been at the forefront of security since the inception of the first Chief Information Security Officer in the 1980s. Why? For the same reason ...

3 Steps for Secure Digital ...
on January 12, 2021

It comes as no surprise to readers that the COVID-19 pandemic vastly catalyzed digital business. From the rapid, necessary adoption of remote work to the precipitous rise in ...

Augmenting Legacy GRCs During ...
on January 7, 2021

From Silos to a Category to Modern-Day From the early days of internal audit and external audit, governance, and policy management silos and into the era of enterprise governance, ...

Alison Furneaux
Embrace Cyber Risk Transformation ...
on January 5, 2021

Widespread Digitalization Puts Increasing Demands on Risk and Compliance Programs The scope of risks to be managed is increasing. Especially over the past year amid the COVID-19 ...

Alison Furneaux
Practice vs Process Maturity: ...
on December 18, 2020

Information security maturity has never been more important. In the wake of the COVID-19 pandemic, the catalyzation of digital transformation and the ripple effects on businesses ...

Top 5 Cyber Events 2020
on December 15, 2020

2020 brought a lot of unforeseen circumstances with it. A lot has happened between the rampant risk in cyber attacks across the digital landscape to the COVID-19 pandemic ...