Implementing Digital Authentication Per NIST Guidelines (SP 800-63-3)

In 2016, the National Institute of Standards and Technology (NIST) (run by the US Department of Commerce) announced they were producing a new publication that would overhaul their previous guidance for digital authentication – which was released on August 30th.As there are no formal national standards in the US (aside from government agencies) as there are in the EU, NIST provides best practices and guidance for organizations looking for guardrails and support. This publication supports OMB guidance “E-Authentication Guidance for Federal Agencies” and is the third produced focusing on digital authentication.

The new publication aims to encourage a massive transformation of digital authentication as compared to the previous two publications, SP 800-63-1 and SP-800-63-2 – the last being published about 10 years ago. The new publication covers guidance for remote authentication of users working over open networks. It specifies requirements for identity authentication and authorization, registration, management procedures, authentication protocols, and federation and assertion. Many of the practices incorporated in the new publication were inspired by those produced in the EU (eIDAS) and Canada, which helps create more consistency between the already integrated countries.

Some of the key updates include the following:

1. The new publication offers more stringent guidelines for knowledge-based verification.
   
   Knowledge-based authentication (KBA) is all but out in NIST’s new guidance. Users no longer have to answer questions such as “What was your dream job at the age of 12?” and “What was your grandfather’s second job?” – all silly questions users may or may not know how to answer. While it is not completely removed, it is stressed that KBA is not to be used as an end-all, be-all for a password reset; an individual should prove their identity with more secure methods.
2. Stricter requirements are placed on passwords, encouraging the use of passphrases that are a minimum of 64 characters long.
   
   The minimum requirements for passwords are 8 characters long. However, NIST has started encouraging the use of creative passphrases, allowing passwords to be 64+ characters long instead. For example, the passphrase “Cryptomathic delivers digital authentication and security solutions for e-banking!” would replace your standard 8-12 character passwords that might often leave users vulnerable. Furthermore, there are requirements for hashing, salting, and stretching passwords, which are new ways to hide and protect passwords. A keyed HMAC hash using SHA-1/2/3 is recommended (maybe not SHA-1 anymore), along with salting the passwords, which means creating a randomized data string. In layman’s terms, salting makes a common password (e.g., passwords that use words from the dictionary) uncommon. In the final step, stretching the password can further protect passwords in which the hashes have been stolen from the database. Stretching can strengthen weak keys by feeding original hashes into an algorithm that “stretches” or lengthens the key into an enhanced key. Enhanced keys are longer and can be bulletproof against brute force attacks and other methods hackers may try to use.
3. More focus is placed on “authenticator” rather than “token” as in previous publications.
   
   Many guidelines were published to depreciate the value of a “token” and instead prefer the concept of “authenticators” – a broader, more inclusive term providing better mechanisms for identity authentication. One such recommendation included phasing out SMS due to vulnerabilities discovered that can be exploited by man-in-the-middle attacks, mobile phone portability, and attacks against the mobile phone network. Multi-factor authentication like biometrics and app-based one-time passwords are examples of alternative indicators that NIST has suggested enhancing (OTPs) to increase the level of security.
   
   

What is the takeaway?

NIST’s end goal is simple: Increase security and decrease complexity. We’re on board with that as long as the sweet spot is hit – if the systems are too simple, hackers will surely be in within the hour. But the new recommendations for passwords and the guidelines for multi-factor authentication are huge improvements for an organization and add colorful, user-friendly ways to harden user accounts and user authentication further. Additionally, with the release of eIDAS in the European Union, we believe the updates to NIST will help achieve further alignment between the US, Canada, and EU organizations on the security and e-authentication sides.

 References and Further Reading

• Selected articles on Authentication (2014-16), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
  
• Selected articles on Electronic Signing and Digital Signatures (2014-16), by Ashiq JA, Guillaume Forget, Jan Kjaersgaard , Peter Landrock, Torben Pedersen, Dawn M. Turner, Tricia Wittig and more
  
• REGULATION (EU) No 910/2014  on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission
• Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
• Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA.
• NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA.
• Security Controls Related to Internat Banking Services (2016), Hong Kong Monetary Authority

 Image: NIST, courtesy of Mike, Flickr (CC BY 2.0)