Request Demo

NIST Cybersecurity Framework

Protecting Your Infrastructure With Multi-Factor Authentication


As organizations begin their journey to comply with the NIST Framework, more and more of them are implementing multi-factor authentication (MFA) to protect their digital infrastructure. 

The National Institute for Standards and Technology (NIST) has been drafting new rules regarding protecting the identify of those in organizations that are adopting or have already adopted the NIST Framework. Organizations are moving away from password complexity such as symbols and numbers and opting to NIST's user friendliness with strong encryption standards and multi-factor authentication when involving sensitive information, or CUI (like in DFARS Compliance).

NIST has done a great job of being thorough with its guidelines for digital security - including threat-mitigation strategies, and trusted password regulations. NIST comes at this from the angle that making users' within these organizations lives simpler and more robust in their password security to strengthen password protection overall. NIST guidelines include details on multi-factor identification (MFA), or two-factor authentication (2FA), which is becoming more and more common. The user must demonstrate at least two of "something you know" such as a password, "something you are" such as a fingerprint, "something you have" such as a code sent to your phone via app. 

What's the Deal With SMS 2FA?

Last year, NIST proposed deprecating SMS 2FA because of vulnerabilities as an out-of-band factor in multi-factor authentication environments. “SMS 2FA is widely used for MFA; it has been adopted and is known to users, and any MFA is better than no MFA,” said Paul Grassi, senior standards and technology adviser at NIST. “The term ‘deprecation’ confused people. It wasn’t clear if SMS 2FA was disallowed or remained allowed.” NIST published a proposal, and the telecommunications, financial and security industries provided guidance on how to use SMS successfully, resulting in the four-volume SP 800-63 Digital Identity Guidelines. NIST applied these changes and fell under 'restricted' - that organizations or users would be taking a risk using SMS 2FA.

Federal security researchers implore that even though SMS delivery of one-time passwords is 'restricted' under NIST, that doesn't mean organizations should avoid using 2FA. In fact, there are other approaches, for example push-based OTP (sending a code to a mobile device via app such as Google Authenticator), which is cryptographically signed and not delivered via the SMS channel, avoiding those vulnerabilities. NIST doesn't tell federal agencies which authentication factors to use, but it is understood that agencies will have to choose a MFA method that fits their organization.

“Authentication can use a combination of biometrics, user behavior and cross-referenced user data that is easily available,” Halvorsen, Samsung CIO said. “DOD has CAC, PIN and other multifactor authentication methods. 2FA is not a big deal for some parts of federal networks. They’ve already completed this journey.”

Moving from complex passwords to MFA is highly recommended and will strengthen your organization's cybersecurity posture as you measure yourself against a nationally recognized security framework. CyberSaint includes MFA for our platform and specializes in helping you find the roadmap to a stronger cybersecurity posture, managing that posture from one pane of glass.

Contact us on our homepage or email with any questions or for more information.  

Read the source article here.

You may also like

Why GRC Needs IRM
on February 15, 2019

Today, every organization strives to optimize the speed with which they access information. Data is being stored, processed, transmitted and utilized in almost every day-to-day ...

Alison Furneaux
Government Shutdown Cybersecurity ...
on February 12, 2019

In January, CyberSaint CEO George Wrenn penned his thoughts on the impact of the government shutdown. In his post, George foresaw the outcome of the shutdown not being a future ...

The Cybersecurity Skills Gap: The ...
on February 7, 2019

The cybersecurity skills gap is nothing new to the seasoned cyber professional. It has been widely discussed in cyber and information security circles for some time. The main flag ...

George Wrenn
The Post-Digitization CISO
on February 5, 2019

Information leaders in digital businesses, whether focusing on optimization or a full transformation, are inherently altering their position among the executive leadership. As ...

Integrated Risk Management and ...
on January 31, 2019

With technology permeating every aspect of a business, one begins to wonder what technology is reserved for digital risk management rather than the other facets of integrated risk ...

Department of Defense Launches ...
on January 29, 2019

The Defense Federal Acquisition Regulation Supplement (DFARS) mandate, specifically Clause 252.204-7012 requiring all members of the Department of Defense’s supply chain to comply ...