The Fast Identity Online (FIDO) Alliance, which includes hundreds of technology companies, said that NIST’s new “Framework for Improving Critical Infrastructure Cybersecurity” should include multi-factor authentication as a recommended security solution for institutions and companies.
Password reuse is a common problem for online services because it lets attackers compromise accounts on sites that are otherwise well secured. When a user’s password leaks from one service, attackers try the same username and password on other services’ login pages, a technique known as credential stuffing, usually at scale with automated tooling.
This problem has two main mitigations: a password manager that generates a unique password for each web service, and multi-factor authentication, which requires at least two different kinds of factor, such as a regular password plus a one-time password (OTP) code, so that a stolen password alone is not enough to log in.
The FIDO Alliance has been developing standards for biometric, passwordless login (the Universal Authentication Framework, UAF) as well as two-factor authentication schemes such as the Universal 2nd Factor (U2F) standard. U2F is based on public-key cryptography: the authenticator holds a private key that never leaves the device and signs a challenge issued by the server, and the server verifies the signature with the public key it stored at registration.
The World Wide Web Consortium (W3C) is also working on a browser API for web authentication (Web Authentication, or WebAuthn) that lets websites use FIDO authenticators, including biometric ones, together with public-key cryptography. Essentially, this means you would be able to log in to a website with your fingerprint, but the biometric never leaves your device: the server only sees a public key that is unique to that site and a signature it can verify with that key.
NIST’s Cybersecurity Framework For Critical Infrastructure
FIDO argued that the 2017 draft update to NIST’s framework for improving critical infrastructure cybersecurity should make it much clearer that multi-factor authentication is needed to protect accounts from takeover.
“We strongly urge NIST to add a new PR.AC Subcategory for Authentication, reading: ‘Authentication of authorized users is protected by multiple factors,’” said a FIDO Alliance statement.
The group also said that the draft is confusing, because its “Notes to Reviewers” section suggests that multi-factor authentication is already addressed within the framework, when it isn’t.
FIDO also suggested a few more improvements to the framework that would address other identity-related issues.
The group said that the framework only talks about how identities should be “managed,” whereas enterprise security requires a view of the whole identity lifecycle: issuance, management, verification, revocation, and audit. In other words, managing identities well is not enough if, for instance, they are verified poorly in the first place.
FIDO argued that, in addition to managing identities and authenticating them, companies also have to control what their users are authorized to access once authenticated.
Finally, the standards group said that companies and institutions should focus on ensuring that “identities are proofed and bound to credentials, and asserted in interactions where appropriate.”
NIST’s Framework for Improving Critical Infrastructure Cybersecurity is voluntary guidance for companies and institutions that want to strengthen their security and better protect themselves against attackers. Two-factor or multi-factor authentication is widely recognized as one of the most effective single controls against account takeover, so it would make sense for NIST to recommend it as one of the main security measures for organizations that operate critical infrastructure.