In 2016, the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce, announced that it was producing a new publication to overhaul its previous guidance on digital authentication; it was released on August 30th. As there are no formal national standards in the US (aside from those for government agencies) as there are in the EU, NIST provides best practices and guidance for organizations looking for guardrails and support. This publication supports the OMB guidance “E-Authentication Guidance for Federal Agencies” and is the third NIST has produced that focuses on digital authentication.
The new publication aims to encourage a massive transformation of digital authentication compared to the previous two publications, SP 800-63-1 and SP 800-63-2 – the last of which was published about 10 years ago. The new publication covers guidance for remote authentication of users working over open networks, and specifies requirements for identity authentication and authorization, registration, management procedures, authentication protocols, and federation and assertion. Many of the practices incorporated in the new publication were inspired by those produced in the EU (eIDAS) and Canada, which helps create more consistency between the already integrated countries.
Some of the key updates include the following:
1. The new publication offers more stringent guidance for knowledge-based verification.
Knowledge-based authentication (KBA) is all but out in NIST’s new guidance. No longer does the user have to answer questions such as “What was your dream job at the age of 12?” and “What was your grandfather’s second job?” – silly questions users may or may not have a clue how to answer. While KBA is not completely removed, it is stressed that it is not to be used as the end-all, be-all for password reset; an individual should prove their identity with more secure methods.
2. Stricter requirements are placed on passwords, encouraging the use of passphrases that can be 64 or more characters long.
The minimum requirement for passwords is 8 characters; however, NIST has started encouraging the use of creative passphrases, allowing passwords to be 64+ characters long instead. For example, the passphrase “Cryptomathic delivers digital authentication and security solutions for e-banking!” would replace the standard 8-12 character passwords that often leave users vulnerable. Furthermore, there are specific requirements for hashing, salting, and stretching passwords, which are new ways to hide and protect stored passwords. A keyed HMAC hash using SHA-1/2/3 is recommended (maybe not SHA-1 anymore), along with salting the passwords, which means adding a randomized string of data to each password before it is hashed. In layman’s terms, salting makes a common password (e.g. a password that uses words from the dictionary) uncommon. In the final step, stretching can further protect passwords whose hashes have been stolen from the database. Stretching makes weak keys much stronger by feeding the original hashes into an algorithm which “stretches” or lengthens the key into what is called an enhanced key. Enhanced keys are longer, and can be bulletproof against brute force attacks and other methods hackers may try to use.
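The following is an added example, not code from the original article or from Cryptomathic, showing how the three steps described above (salting, stretching, and a keyed HMAC) fit together in a password verifier that also enforces the 8-character minimum and accepts long passphrases. The iteration count, salt length, upper length bound and the `server_key` pepper are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Policy as summarized on the page: at least 8 characters, and long
# passphrases (64+ characters) must be accepted rather than truncated.
MIN_LEN = 8
MAX_LEN = 256          # assumption: upper bound so huge inputs cannot exhaust the hasher
SALT_LEN = 16          # assumption: 16 random bytes of salt per password
ITERATIONS = 600_000   # assumption: PBKDF2 work factor (the "stretching" step)


def check_length(password: str) -> bool:
    """Reject passwords below the minimum; never cap them at 8-12 characters."""
    return MIN_LEN <= len(password) <= MAX_LEN


def hash_password(password: str, server_key: bytes, salt: Optional[bytes] = None) -> str:
    """Salt, stretch with PBKDF2-HMAC-SHA256, then wrap in a keyed HMAC.

    server_key is a secret kept outside the database (e.g. in an HSM or
    secrets store), so a stolen table of hashes cannot be cracked offline.
    """
    if not check_length(password):
        raise ValueError("password length outside policy")
    salt = salt or os.urandom(SALT_LEN)                       # random salt per password
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    keyed = hmac.new(server_key, stretched, hashlib.sha256).digest()
    # Store algorithm and parameters alongside so the work factor can be raised later.
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${keyed.hex()}"


def verify_password(password: str, stored: str, server_key: bytes) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iters, salt_hex, keyed_hex = stored.split("$")
    except ValueError:
        return False                                          # malformed record
    if algo != "pbkdf2-sha256" or not check_length(password):
        return False
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    keyed = hmac.new(server_key, stretched, hashlib.sha256).digest()
    return hmac.compare_digest(keyed, bytes.fromhex(keyed_hex))
```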
3. More focus is placed on the term “authenticator”, rather than “token” as used in the previous publications.
Many guidelines were published to deprecate the “token” and instead put preference on the concept of “authenticators” – a broader, more inclusive term providing better mechanisms for identity authentication. One such recommendation included phasing out SMS due to discovered vulnerabilities that can be exploited through man-in-the-middle attacks, mobile phone number portability, and attacks against the mobile phone network. While these are not yet recommended against, NIST did suggest improved alternative authenticators – including biometrics and app-based one-time passwords (OTPs).
What is the takeaway?
NIST’s end goal is simple: increase security, and decrease complexity. We’re on board with that, as long as the sweet spot is hit – if the systems are too simple, hackers will surely be in within the hour. But the new recommendations for passwords, along with the added guidelines for multi-factor authentication, are huge improvements for an organization and add colorful, user-friendly ways to further harden user accounts and user authentication. Additionally, with the release of eIDAS in the European Union, we believe the updates to NIST will help achieve further alignment between US, Canadian, and EU organizations on the security and e-authentication sides.
References and Further Reading
- Selected articles on Authentication (2014-16), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
- Selected articles on Electronic Signing and Digital Signatures (2014-16), by Ashiq JA, Guillaume Forget, Jan Kjaersgaard, Peter Landrock, Torben Pedersen, Dawn M. Turner, Tricia Wittig and more
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission
- Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
- Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA.
- NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA.
- Security Controls Related to Internet Banking Services (2016), by the Hong Kong Monetary Authority