FIDO Alliance recommends MFA requirement in NIST guidelines
The FIDO Alliance has made recommendations for a strong authentication requirement in the National Institute of Standards and Technology’s (NIST) draft updates to its Framework for Improving Critical Infrastructure Cybersecurity guidelines.
Initially published in February 2014, the Framework excluded recommendations for multi-factor authentication (MFA) due to authentication-related issues in 2013-2014, NIST said.
These challenges included a lack of standards to promote security and interoperability as well as usability problems with the solutions available.
The FIDO Alliance has reviewed and commented on NIST’s proposed updates, and has published its submission on the FIDO Alliance website.
The Alliance recommends that NIST clarify its language and explicitly require MFA in the next update to the Framework.
In an opinion-editorial article penned by FIDO Alliance executive director Brett McDowell, the Alliance urged NIST to introduce an “authentication” sub-category to the Framework core with the recommendation that “authentication of authorized users is protected by multiple factors.”
McDowell said that it is necessary to address MFA with this language to help government and industry combat increasing risks caused by weak authentication.
He commends NIST for making many positive identity-centric amendments in the proposed update to the Framework, but emphasizes that the Framework should account for two essential developments since it was initially published.
The first is that the industry has addressed the earlier challenges of implementing strong authentication through public-private, multi-stakeholder collaboration with NIST and other standards organizations and policymakers worldwide.
McDowell highlights the FIDO Alliance’s own work in delivering “a comprehensive framework of open industry standards for simpler, stronger authentication, fundamentally changing the landscape and closing the gaps originally observed by the authors of Framework.”
He said these open industry standards “improve online authentication by leveraging proven public key cryptography for stronger security and privacy preserving on-device user verification for better usability.”
McDowell said the standards provide an example of how a large-scale, industry-led, multi-stakeholder initiative has responded to market challenges and changed the landscape in a manner that the NIST must consider in its Framework updates.
The second is that the problems caused by single-factor password authentication have intensified over the past three years, even though the industry has made considerable progress in addressing the “need for strong authentication standards that ensure user privacy and enable single-gesture usability innovation.”
Based on this, McDowell said that NIST should make multi-factor authentication a requirement in its next update to the Framework.
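As an added illustration of the mechanism McDowell describes (public key cryptography plus on-device user verification, in contrast to a server-side password), the Go program below is not part of the article or of any FIDO specification: it models a FIDO-style registration and login in which the relying party stores only a public key, issues a one-time challenge, and accepts a signature that the device produces only after a local user gesture. The relying-party name, the credential ID, the P-256/ECDSA choice and the boolean standing in for user verification are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models a FIDO-style device: its private key never leaves it, and signing needs a local user gesture (a bool here).
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed curve/algorithm for the example
	return &Authenticator{priv: priv}, err
}
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign signs SHA-256(rpID || challenge); binding the RP ID stops a response captured by a look-alike site from verifying at the real one.
func (a *Authenticator) Sign(rpID string, challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed")
	}
	digest := sha256.Sum256(append([]byte(rpID), challenge...))
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// RelyingParty holds only public keys, so nothing in its database can be replayed as a login.
type RelyingParty struct {
	ID         string
	pubKeys    map[string]*ecdsa.PublicKey // credential ID -> public key
	challenges map[string]bool             // outstanding one-time challenges
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}
func (rp *RelyingParty) Register(credID string, pub *ecdsa.PublicKey) { rp.pubKeys[credID] = pub }

// Challenge issues a fresh 32-byte nonce that Verify accepts exactly once.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; production code checks the error
	rp.challenges[string(c)] = true
	return c
}

// Verify consumes the challenge first (single use whatever the outcome), then checks the signature with the stored public key.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[credID]
	if !ok || !rp.challenges[string(challenge)] {
		return false
	}
	delete(rp.challenges, string(challenge))
	digest := sha256.Sum256(append([]byte(rp.ID), challenge...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

A stolen copy of the relying party's table yields only public keys, and a captured response fails on reuse because its challenge has already been consumed.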
Earlier this year, the FIDO Alliance released a white paper in support of the U.S. Commission on Enhancing National Cybersecurity’s recommendations for all agencies to use strong authentication across all government systems.