<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

As organizations begin their journey to comply with the NIST Framework, more and more of them are implementing multi-factor authentication (MFA) to protect their digital infrastructure. 

The National Institute for Standards and Technology (NIST) has been drafting new rules regarding protecting the identify of those in organizations that are adopting or have already adopted the NIST Framework. Organizations are moving away from password complexity such as symbols and numbers and opting to NIST's user friendliness with strong encryption standards and multi-factor authentication when involving sensitive information, or CUI (like in DFARS Compliance).

NIST has done a great job of being thorough with its guidelines for digital security - including threat-mitigation strategies, and trusted password regulations. NIST comes at this from the angle that making users' within these organizations lives simpler and more robust in their password security to strengthen password protection overall. NIST guidelines include details on multi-factor identification (MFA), or two-factor authentication (2FA), which is becoming more and more common. The user must demonstrate at least two of "something you know" such as a password, "something you are" such as a fingerprint, "something you have" such as a code sent to your phone via app. 

What's the Deal With SMS 2FA?

Last year, NIST proposed deprecating SMS 2FA because of vulnerabilities as an out-of-band factor in multi-factor authentication environments. “SMS 2FA is widely used for MFA; it has been adopted and is known to users, and any MFA is better than no MFA,” said Paul Grassi, senior standards and technology adviser at NIST. “The term ‘deprecation’ confused people. It wasn’t clear if SMS 2FA was disallowed or remained allowed.” NIST published a proposal, and the telecommunications, financial and security industries provided guidance on how to use SMS successfully, resulting in the four-volume SP 800-63 Digital Identity Guidelines. NIST applied these changes and fell under 'restricted' - that organizations or users would be taking a risk using SMS 2FA.

Federal security researchers implore that even though SMS delivery of one-time passwords is 'restricted' under NIST, that doesn't mean organizations should avoid using 2FA. In fact, there are other approaches, for example push-based OTP (sending a code to a mobile device via app such as Google Authenticator), which is cryptographically signed and not delivered via the SMS channel, avoiding those vulnerabilities. NIST doesn't tell federal agencies which authentication factors to use, but it is understood that agencies will have to choose a MFA method that fits their organization.

“Authentication can use a combination of biometrics, user behavior and cross-referenced user data that is easily available,” Halvorsen, Samsung CIO said. “DOD has CAC, PIN and other multifactor authentication methods. 2FA is not a big deal for some parts of federal networks. They’ve already completed this journey.”

Moving from complex passwords to MFA is highly recommended and will strengthen your organization's cybersecurity posture as you measure yourself against a nationally recognized security framework. CyberSaint includes MFA for our platform and specializes in helping you find the roadmap to a stronger cybersecurity posture, managing that posture from one pane of glass.

Contact us on our homepage or email info@cybersaint.io with any questions or for more information.  

Read the source article here.

You may also like

Conducting Your First Risk ...
on January 30, 2023

As digital adoption across industries increases, companies are facing increasing cybersecurity risks. Regardless of their size, cyber-attacks are a persistent threat that must be ...

Your Guide to Cloud Security ...
on January 26, 2023

Cloud computing refers to the delivery of multiple services via the internet (also known as the “cloud”), including software, databases, servers, storage, intelligence, and ...

Compliance and Regulations for ...
on January 9, 2023

Compliance for many cybersecurity programs has been the cornerstone and the catalyst for why many programs exist in the first place. Since the rise of the information technology ...

Cyber Risk Quantification: Metrics ...
on January 6, 2023

Risk management is the new foundation for an information security program. Risk management, coupled with necessary compliance activities to support ongoing business operations, ...

Padraic O'Reilly
Cybersecurity Maturity Models You ...
on January 27, 2023

Cybercrime has forced businesses worldwide into paying billions of dollars yearly. As more of the population becomes dependent on technology, the fear of cyber attacks continues ...

Top 10 Risks in Cyber Security
on December 23, 2022

Increasing cyber security threats continue creating problems for companies and organizations, obliging them to defend their systems against cyber threats. According to research ...