NIST launches alternative digital identity guidelines, RSA and Trusona expand passwordless solutions
Passwords continue to be a massive headache for businesses and their IT departments, a new survey shows, but both NIST and identity and access management (IAM) technology providers like RSA and Trusona are working on alternatives.
Because approximately one in five employees do not consistently follow company security policies, identity and access management tasks take up a full month out of each year for IT personnel, according to survey results announced by 1Password.
According to the survey, 57 percent of IT workers reset up to five employee passwords per week, but 15 percent reset employee passwords 21 times or more per week.
“The Shadow IT picture is more complicated than many think,” says Jeff Shiner, chief executive officer, 1Password. “Most of us follow the rules, but a small group of employees trying to get more done circumvent policies and create openings for credential attacks. They’re sometimes enabled by IT workers who empathize with their pursuit of productivity. 1Password designed our enterprise password manager to reduce the risk of Shadow IT by helping everyone at work be good by being lazy.”
With this kind of problem in mind, the National Institute of Standards and Technology has published guidelines for alternative methods of secure ID verification.
NIST SP 800-63B Digital Identity Guidelines discusses a number of alternative authentication methods, including biometrics at Authenticator Assurance Levels (AAL) 2 and 3. In the latter case the verifier takes on responsibility for ensuring that the biometric sensor and processing meet the requirements set out in the Guidelines’ Section 5.2.3, which focuses on the use of biometrics.
The document only supports limited use of biometrics for authentication, however. This is because, NIST says, false match rate alone does not provide confidence in the authentication, the technology is probabilistic, the availability of revocable biometric credentials is limited and standards are just in development, and biometric characteristics are not secret. Therefore, biometrics are only recommended as part of a multi-factor authentication process in combination with a physical authenticator.
Other guidelines cover the reliability of the channel between the sensor and the verifier, the need for a false match rate (FMR) of 1 in 1,000 or better, and the use of presentation attack detection (PAD) technology.
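The reasoning above (a low FMR alone is not enough, and a biometric must be paired with a physical authenticator, an authenticated sensor channel and PAD) can be made concrete with a small model. The following is an added illustration, not code from the article or from NIST; the configuration fields, the independence assumption behind the probability arithmetic and the attempt budgets used are my own simplifications, not requirements quoted from SP 800-63B.

```python
"""
Added example (not from the article or NIST): why SP 800-63B treats a biometric
as one factor that must be bound to a physical authenticator, plus a checklist
for the three verifier-side requirements the article lists.

Assumptions (mine, not the guideline's text): a verifier deployment is described
by the fields of BiometricVerifierConfig, and impostor presentations are modelled
as independent trials at the matcher's false match rate (FMR).
"""
from dataclasses import dataclass

# Threshold stated in the article: an FMR of 1 in 1,000 or better.
MAX_FMR = 1 / 1000


@dataclass
class BiometricVerifierConfig:
    fmr: float                          # measured false match rate of the matcher
    pad_enabled: bool                   # presentation attack detection in place
    sensor_channel_authenticated: bool  # sensor-to-verifier channel is protected
    bound_physical_authenticator: bool  # biometric only unlocks a possessed device


def false_match_within_attempts(fmr: float, attempts: int) -> float:
    """Probability that at least one of `attempts` impostor presentations is
    falsely matched, treating presentations as independent trials.  This is
    the number that shows why FMR on its own gives little confidence."""
    if not 0.0 <= fmr <= 1.0 or attempts < 0:
        raise ValueError("fmr must be in [0, 1] and attempts non-negative")
    return 1.0 - (1.0 - fmr) ** attempts


def policy_findings(cfg: BiometricVerifierConfig) -> list[str]:
    """Return the list of requirements (as described in the article) that the
    deployment fails; an empty list means the biometric may count as a factor."""
    findings = []
    if cfg.fmr > MAX_FMR:
        findings.append(f"FMR {cfg.fmr:.4f} is worse than the 1-in-1,000 bound")
    if not cfg.pad_enabled:
        findings.append("no presentation attack detection (PAD)")
    if not cfg.sensor_channel_authenticated:
        findings.append("sensor-to-verifier channel is not authenticated")
    if not cfg.bound_physical_authenticator:
        # Biometric characteristics are not secret, so the biometric alone must
        # never be the sole factor: it has to unlock a physical authenticator.
        findings.append("biometric is not bound to a physical authenticator")
    return findings


def accept_as_factor(cfg: BiometricVerifierConfig) -> bool:
    """True only when every listed requirement is satisfied."""
    return not policy_findings(cfg)


if __name__ == "__main__":
    # Even at the 1-in-1,000 bound, an unthrottled matcher is weak: the chance
    # of a false match climbs quickly with the number of presentations.
    for attempts in (1, 5, 100, 1000):
        p = false_match_within_attempts(MAX_FMR, attempts)
        print(f"{attempts:5d} attempts at FMR 1/1000 -> false match probability {p:.3%}")

    # Constructed deployments: one compliant, one with several gaps.
    good = BiometricVerifierConfig(0.0005, True, True, True)
    weak = BiometricVerifierConfig(0.002, False, True, False)
    for name, cfg in (("good", good), ("weak", weak)):
        print(name, "accepted" if accept_as_factor(cfg) else "rejected",
              policy_findings(cfg))
```

The first loop is the point of the exercise: at exactly the 1-in-1,000 bound, five unthrottled impostor presentations already give roughly a 0.5 percent chance of a false match, and a thousand give over 60 percent. That is why the Guidelines treat the biometric as something that merely unlocks a possessed authenticator rather than as a factor that stands on its own.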
“The challenge across the federal government in onboarding personnel under the FIPS 201 verification or PIV program is that they require in-person identity proofing processes. And clearly this is precluded amidst the pandemic,” NIST Senior Advisor David Temoshok told an audience during the Navigating the NIST SP 800-63B Digital Identity Guidelines forum last week, GovernmentCIO reports.
“We’ve needed to move toward credentialing and onboarding personnel using remote processes, but allowing for alternative credentials to the PIV card,” Temoshok added. “We don’t want to lower security on the PIV card or reduce any of the binding processes to those cards, but some identity verification cards use biometrics — which means we need to perform in-person biometric collection. Which right now we have to put on hold.”
The guidelines also include sections on authenticator lifecycle management, session management, and considerations related to threats and security, privacy and usability, including specifically for biometrics in the latter case.
RSA adds passwordless access capabilities for hybrid IT environment
RSA has added a set of new capabilities to its SecurID Access software to help organizations protect their networks amid increased remote working. The additions aim to accelerate cloud adoption, add multi-factor authentication with biometrics and other factors for stronger device protection, and reduce friction for both administrators and users.
Users can leverage a range of authentication methods including facial recognition on Android devices, fingerprint biometrics for legacy apps, and FIDO2 for passwordless authentication to hardware, software, and embedded solutions. RSA SecurID Access automatically detects the authentication device or method.
The company says RSA SecurID Access minimizes identity risk by integrating on-premises and cloud components into a unified solution, protecting applications across network environments and providing a consistent user experience.
AuthenTrend joined RSA’s Ready Technology Partner Program to offer FIDO2 biometric authentication for SecurID Access earlier this year.
Trusona launches Windows 10 support
Trusona has announced that its passwordless authentication technology now supports Windows 10 to allow authentication with biometrics and other technologies.
The solution works with the enterprise’s existing infrastructure and does not require hardware or software upgrades. Authentication to Active Directory can be performed through any standard Windows 10 desktop, laptop, or tablet. It also includes Trusona’s patented anti-replay technology to stop spoofing attacks.
The technology removes static credentials from the sign-in process, and works with or without connectivity through a smartphone or PC. Employees can also self-enroll in minutes with no additional IT provisioning, according to the announcement. The Windows 10 solution can also be used to cascade trusted credentials from Active Directory to downstream enterprise applications, like an SSO tool.