Request Demo

NIST Cybersecurity Framework

Protecting Your Infrastructure With Multi-Factor Authentication

down-arrow

As organizations begin their journey to comply with the NIST Framework, more and more of them are implementing multi-factor authentication (MFA) to protect their digital infrastructure. 

The National Institute for Standards and Technology (NIST) has been drafting new rules regarding protecting the identify of those in organizations that are adopting or have already adopted the NIST Framework. Organizations are moving away from password complexity such as symbols and numbers and opting to NIST's user friendliness with strong encryption standards and multi-factor authentication when involving sensitive information, or CUI (like in DFARS Compliance).

NIST has done a great job of being thorough with its guidelines for digital security - including threat-mitigation strategies, and trusted password regulations. NIST comes at this from the angle that making users' within these organizations lives simpler and more robust in their password security to strengthen password protection overall. NIST guidelines include details on multi-factor identification (MFA), or two-factor authentication (2FA), which is becoming more and more common. The user must demonstrate at least two of "something you know" such as a password, "something you are" such as a fingerprint, "something you have" such as a code sent to your phone via app. 

What's the Deal With SMS 2FA?

Last year, NIST proposed deprecating SMS 2FA because of vulnerabilities as an out-of-band factor in multi-factor authentication environments. “SMS 2FA is widely used for MFA; it has been adopted and is known to users, and any MFA is better than no MFA,” said Paul Grassi, senior standards and technology adviser at NIST. “The term ‘deprecation’ confused people. It wasn’t clear if SMS 2FA was disallowed or remained allowed.” NIST published a proposal, and the telecommunications, financial and security industries provided guidance on how to use SMS successfully, resulting in the four-volume SP 800-63 Digital Identity Guidelines. NIST applied these changes and fell under 'restricted' - that organizations or users would be taking a risk using SMS 2FA.

Federal security researchers implore that even though SMS delivery of one-time passwords is 'restricted' under NIST, that doesn't mean organizations should avoid using 2FA. In fact, there are other approaches, for example push-based OTP (sending a code to a mobile device via app such as Google Authenticator), which is cryptographically signed and not delivered via the SMS channel, avoiding those vulnerabilities. NIST doesn't tell federal agencies which authentication factors to use, but it is understood that agencies will have to choose a MFA method that fits their organization.

“Authentication can use a combination of biometrics, user behavior and cross-referenced user data that is easily available,” Halvorsen, Samsung CIO said. “DOD has CAC, PIN and other multifactor authentication methods. 2FA is not a big deal for some parts of federal networks. They’ve already completed this journey.”

Moving from complex passwords to MFA is highly recommended and will strengthen your organization's cybersecurity posture as you measure yourself against a nationally recognized security framework. CyberSaint includes MFA for our platform and specializes in helping you find the roadmap to a stronger cybersecurity posture, managing that posture from one pane of glass.

Contact us on our homepage or email info@cybersaint.io with any questions or for more information.  

Read the source article here.

You may also like

CyberStrong's Cybersecurity ...
on November 29, 2022

With an increasing interest in cyber as a business function, security teams and non-technical leaders must be informed of the progress of both business and security. This will ...

CyberStrong’s Cybersecurity ...
on November 25, 2022

With an increasing interest in cyber as a business function, it is vital that non-technical leaders are tuned into the cyber posture of their organization. Non-technical ...

CyberStrong's Assessment Dashboard ...
on November 23, 2022

With an increasing interest in cyber as a business function, it is vital that non-technical leaders are tuned into the cyber posture of their organization. Data visualizations ...

CyberStrong’s Cybersecurity ...
on November 21, 2022

CyberStrong dashboards allow security professionals to aggregate and consolidate data into useful, presentable, easy-to-understand images that visualize cybersecurity posture in ...

The End of the Cyber Silo: Why ...
on November 7, 2022

Cybersecurity is an evolving topic of interest. Only a couple of decades back, the title of Chief Information Security Officer (CISO) did not even exist. What cybersecurity was ...

7 Reasons You Need a NIST Incident ...
on November 10, 2022

A well-defined and robust incident response plan can dramatically minimize the damage to a company when disaster strikes. A practical incident response approach helps distribute ...