The tech community needs to understand what NIST is really saying in its historic rewrite of authentication guidance, which evaluates the security of passwords.
By Brett McDowell
We don’t often see passwords making front-page news, but for one week last month, you couldn’t hide from the stories about the National Institute of Standards and Technology (NIST) changing its recommendations on so-called “strong passwords”—recommendations that promise to make password creation easier for everyone. It was a rare move by government that was universally celebrated by our nation’s technorati.
Paul Grassi, the primary author of the new "Digital Identity Guidelines" (SP 800-63-3) got passwords right, but the new password rules are the least significant development in the new guidelines. The technology community needs to understand what NIST is really saying in this historic rewrite of authentication guidance because it tells you everything you need to know about the real future of passwords and one-time passcodes (OTPs), as well as the modern authentication methods you should support going forward.
“Strong Password” Is an Oxymoron
More than 80 percent of all data breaches leverage stolen or weak password credentials. Research also shows that attackers who have previously learned a user’s password may be able to guess the new password fairly easily. So, when should passwords be used?
NIST separates authentication methods into three levels of assurance, which are selected and defined based on the risk of the application. Level 1 is the lowest and should only be selected when the impact of a compromised credential is minimal or has little to no negative impact on a user or organization. Passwords alone are recommended for these Level 1 applications.
However, when is a breach or account takeover ever harmless? Just ask the 143 million consumers dealing with the Equifax breach. That's why, under the new guidance, any application collecting personal information is required to authenticate using more than just a password.
To be clear, for everything we actually want to protect, NIST requires multifactor authentication, aka “strong authentication.” But all strong authentication technologies are not created equal. What fundamentally separates the highest level of assurance from the rest of the pack is a requirement for hardware protection of the credential, as well as mitigations to both common and sophisticated exploits.
SMS OTP Vulnerabilities Exposed
SMS OTPs, the most common form of multifactor authentication offered today, are now a restricted form of authentication in the new guidance. Why? Inherently, SMS OTPs share the same vulnerabilities as passwords.
There are still secrets that need to be shared with a service, and even though they expire, they can be intercepted and reused. What's worse, hackers have been able to call your mobile provider and conduct a SIM hijacking, enabling them to receive all your SMS OTP codes, quickly reset every password and take control of multiple accounts.
Public Key Crypto Gets Stamp of Approval
If we consider NIST’s assurance Level 1 as the methods with a warning label, we should consider NIST’s assurance Level 3 as the methods to embrace and—given today’s threat climate—begin to move to as soon as possible. The authentication methods in the Level 3 category utilize public key cryptography, in which your modern device creates and uses private keys as your new account credentials and tightly binds them to your personal device in the same way most smartphones now store your fingerprint data.
Because this method puts user credentials on the user’s device and only shares cryptographic “proof of possession” with applications running in the cloud, there is no longer a threat of re-used credentials harvested from someone else’s data breach. Plus, there's no risk of phishing since it is technically impossible to share your credentials.
In order to compromise a Level 3 credential, the hacker must physically attack the user’s personal device. These types of attacks are not scalable or profitable for cyber-criminals, so this method rightfully earns NIST’s highest level of assurance.
If you think building support for these higher levels of assurance is expensive, difficult or reserved for enterprise applications, think again. New industry protocols and security requirements that are already defined, implemented and built into smartphones and many other products enable that fingerprint sensor or security key you use to log in to meet the new NIST requirements for the highest level of strong authentication.
NIST’s Digital Identity Guidance is considered the gold standard by governments and enterprises as they develop their identity management strategies—and rightfully so. It’s up to all of us to pay attention to what NIST is really saying in its new guidance and participate in the industry-wide migration away from passwords and OTPs to modern, stronger authentication.
In the end, the best new password guidance coming out of NIST is: Don't use them.
Brett McDowell is executive director of the FIDO Alliance, the world’s largest ecosystem for standards-based, interoperable authentication.
This article was originally published on 10-24-2017