Many private and public sector organizations rightly look to NIST’s Cybersecurity Framework as a how-to guide for building a solid foundation for a cybersecurity strategy. But after a long public consultation and drafting process, one critical piece of any such strategy was missing from the original framework when it was published in February 2014: the use of multi-factor identity authentication.
MFA, often referred to by its most common form, two-factor authentication (2FA), means proving who you are with something beyond a username/password combination: an additional, independent factor such as a FIDO security key (something you have) or a biometric like a fingerprint (something you are), in addition to the password (something you know). Excluding MFA from the framework, according to NIST at the time, was necessary because there were no widely accepted, interoperable standards for ensuring secure identity and because the technologies then available had usability problems.
NIST has drafted an update of the framework, but even though the section on identity and access management has been expanded and overhauled, there’s still no mention of MFA.
We in the FIDO Alliance — a nonprofit that promotes interoperable standards for strong, cryptographically based identity authentication technologies — welcomed the opportunity to review and comment on the proposed update to the framework. You can view our comments in full here.
In our comments, the FIDO Alliance recommends that NIST clarify the language about identity authentication and explicitly include MFA in the next update to the framework.
We are urging NIST to add a new “Authentication” sub-category to the Framework Core, within the “Identity Management and Access Control” category. The subcategory should include the recommendation that “Authentication of authorized users is protected by multiple factors.”
While there are several positive changes to the way the proposed update treats identity — and the FIDO Alliance strongly supports them — MFA must be explicitly recommended. It’s the only way to ensure government and industry can address the growing risks caused by weak authentication, and it should be part of any update of the framework.
Two things have happened since the framework was first published — one positive and one not-so-positive — that make strong authentication an essential requirement for any framework for improving cybersecurity.
The good news is that the challenges associated with implementing strong authentication back in 2014, which led NIST to exclude MFA from the framework, have since been addressed by industry through public-private, multi-stakeholder collaboration with NIST and other standards bodies and policy makers worldwide.
The FIDO Alliance has delivered a comprehensive framework of open industry standards for simpler, stronger authentication, fundamentally changing the landscape and closing the gaps the framework's authors originally observed. These open standards, now broadly adopted by trusted brands and technology providers, improve online authentication in two ways. For security, they rely on proven public key cryptography: the server stores only a public key, the private key never leaves the user's device, and each login is a signature over a fresh server challenge bound to the site that requested it, so stolen server databases and phishing pages yield nothing an attacker can log in with. For usability and privacy, the user is verified on the device itself rather than by sending a secret to the server.
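To make the mechanism described above concrete, the following Go program is an added example, not code from the FIDO Alliance or from any FIDO specification. It models a simplified FIDO-style ceremony: the private key lives inside an Authenticator value and is never returned, the RelyingParty stores only public keys, and the device signs a fresh server challenge together with the origin the browser observed, so a response captured at a look-alike site or replayed later is rejected. The type and function names (Authenticator, RelyingParty, Demo, LoginAt), the example.com origins and the JSON-like client data layout are assumptions for illustration; real WebAuthn client data, attestation, credential IDs and signature counters are omitted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's device (constructed example); private keys are made here and never handed out.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// Register mints a key pair for rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice (guaranteed from Go 1.24)
	a.keys[rpID] = priv
	return pub
}

// signedMessage = SHA-256(rpID) (stand-in for FIDO authenticator data) || SHA-256(clientData).
func signedMessage(rpID string, clientData []byte) []byte {
	rp, cd := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientData)
	return append(rp[:], cd[:]...)
}

// Sign answers a challenge; clientData names the origin the browser really reached (see ClientData).
func (a *Authenticator) Sign(rpID string, clientData []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("authenticator: no credential for " + rpID)
	}
	return ed25519.Sign(priv, signedMessage(rpID, clientData)), nil
}

// RelyingParty is the server: it stores public keys only, so a dump of its credential table is useless for logging in.
type RelyingParty struct {
	rpID, origin string
	pubKeys      map[string]ed25519.PublicKey
	challenges   map[string][]byte // one outstanding challenge per user
}

// NewChallenge issues 32 random bytes; Verify consumes them, so a captured response cannot be replayed.
func (rp *RelyingParty) NewChallenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // see note on Register; older Go would need the error check
	rp.challenges[user] = c
	return c
}

// ClientData is the browser's record of the ceremony (simplified layout): challenge plus observed origin.
func ClientData(challenge []byte, origin string) []byte {
	return []byte(fmt.Sprintf(`{"challenge":"%x","origin":"%s"}`, challenge, origin))
}

// Verify: challenge outstanding (consumed on first use), client data matches it and our origin, signature valid under the user's key.
func (rp *RelyingParty) Verify(user string, clientData, sig []byte) error {
	want, ok := rp.challenges[user]
	delete(rp.challenges, user)
	if !ok {
		return errors.New("no outstanding challenge (replay?)")
	}
	if !bytes.Equal(clientData, ClientData(want, rp.origin)) {
		return errors.New("challenge or origin mismatch (phishing relay?)")
	}
	pub, ok := rp.pubKeys[user]
	if !ok || !ed25519.Verify(pub, signedMessage(rp.rpID, clientData), sig) {
		return errors.New("unknown user or bad signature")
	}
	return nil
}

// LoginAt runs one ceremony with the browser at the given origin.
func LoginAt(rp *RelyingParty, auth *Authenticator, user, origin string) error {
	clientData := ClientData(rp.NewChallenge(user), origin)
	sig, err := auth.Sign(rp.rpID, clientData)
	if err != nil {
		return err
	}
	return rp.Verify(user, clientData, sig)
}

// Demo enrolls alice and returns the outcomes of a legitimate login, a look-alike-origin relay, and a replay.
func Demo() (legit, phished, replayed error) {
	auth := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	rp := &RelyingParty{rpID: "example.com", origin: "https://example.com",
		pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
	rp.pubKeys["alice"] = auth.Register(rp.rpID) // enrollment stores the public key only
	legit = LoginAt(rp, auth, "alice", "https://example.com")
	phished = LoginAt(rp, auth, "alice", "https://examp1e.com")
	clientData := ClientData(rp.NewChallenge("alice"), rp.origin)
	sig, _ := auth.Sign(rp.rpID, clientData)
	_ = rp.Verify("alice", clientData, sig)        // genuine use succeeds...
	replayed = rp.Verify("alice", clientData, sig) // ...the replay does not
	return legit, phished, replayed
}

func main() {
	l, p, r := Demo()
	fmt.Printf("legitimate: %v\nphished: %v\nreplayed: %v\n", l, p, r)
}
```

Two details carry the security argument. The phishing case fails even though the attacker relayed a genuine challenge from the real site, because the origin the victim's browser actually reached is part of the signed client data and the server compares it against its own; a real browser additionally refuses to use a credential scoped to example.com from any other origin. The replay fails because the challenge is deleted the moment it is first checked, whether or not that check succeeds.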
The FIDO ecosystem now includes hundreds of millions of FIDO-compliant devices and billions of compliant online accounts worldwide. FIDO is not the only advance in strong authentication since 2014, but it is an important example of how a large-scale, industry-led, multi-stakeholder initiative has responded to market challenges and changed the landscape in a fundamental way that must be recognized when NIST updates the framework.
The bad news is that the problems caused by single-factor password authentication have only gotten worse, even as industry has made significant progress on strong authentication standards that preserve user privacy and are easy to use. Just last week, Verizon's Data Breach Investigations Report found that 81 percent of hacking-related breaches last year involved stolen or weak (guessable or crackable) passwords, up from 63 percent the year before.
This has resulted in an emerging consensus among cybersecurity thought leaders that — as former DHS Secretary Michael Chertoff recently put it — “the password is by far the weakest link in cybersecurity today.”
There is no doubt that multi-factor authentication is a critical requirement for improving critical infrastructure cybersecurity, and that NIST should include it as a requirement in its next update to the framework.
Brett McDowell is executive director of the FIDO Alliance.