Brett McDowell, executive director, FIDO Alliance
Many private and public sector organizations look to NIST’s Framework for Improving Critical Infrastructure Cybersecurity, first published in February 2014, as a guide to building a solid cybersecurity strategy. But one critical piece of any modern cybersecurity strategy is missing from the original Framework – recommendations for multi-factor authentication (MFA, aka strong authentication). This exclusion, according to NIST, was due to challenges associated with authentication in 2013-2014, including lack of standards to promote security and interoperability and inherent usability challenges with the solutions available.
Fast forward to today, and NIST has put forth draft updates to the Framework. The FIDO Alliance welcomed the opportunity to review and comment on the proposed updates. You can view the full comments we submitted on the FIDO Alliance website.
In its comments, the FIDO Alliance recommends that NIST clarify its language and explicitly require MFA in the next update to the Framework. We are urging NIST to add a new “authentication” sub-category to the Framework core with the recommendation that: “authentication of authorized users is protected by multiple factors.” Explicitly addressing MFA with this language is necessary to help government and industry address growing risks caused by weak authentication, and should be part of any proper update of the Framework.
While there are several positive identity-centric changes in the proposed update to the Framework that the FIDO Alliance strongly supports, MFA must be explicitly recommended. Two things have happened since the Framework was first published – one positive and one not-so-positive – that make strong authentication an essential requirement for any framework for improving cybersecurity today.
First, the good news. The challenges associated with implementing strong authentication back in 2014, which led to excluding MFA from the Framework, have been addressed by industry through public-private, multi-stakeholder collaboration with NIST and other standards bodies and policymakers worldwide. In particular, the FIDO Alliance has delivered a comprehensive framework of open industry standards for simpler, stronger authentication, fundamentally changing the landscape and closing the gaps originally observed by the authors of the Framework. These open industry standards, which have been broadly adopted by trusted brands and technology providers, improve online authentication by leveraging proven public key cryptography for stronger security and privacy-preserving on-device user verification for better usability.
The FIDO ecosystem now includes hundreds of millions of FIDO-compliant devices and billions of compliant accounts worldwide. That is not the only advancement in strong authentication since 2014, but it is an important example of how a large-scale, industry-led, multi-stakeholder initiative has responded to market challenges and changed the landscape in a fundamental way that must be recognized when NIST updates the Framework.
Now, the bad news. The problems caused by single-factor password authentication have only gotten worse, even though the industry has made significant progress addressing the need for strong authentication standards that ensure user privacy and enable single-gesture usability innovation. Just last week, Verizon’s Data Breach Investigations Report found that 81 percent of hacking-related breaches last year were attributable to stolen or guessable/crackable passwords — up from 63 percent the year prior. This has resulted in an emerging consensus among cybersecurity thought leaders that “the password is by far the weakest link in cybersecurity today,” as noted recently by former DHS Secretary Michael Chertoff.
There is certainly no doubt that multi-factor authentication is a critical requirement for improving critical infrastructure cybersecurity, and that NIST should include it as a requirement in its next update to the Framework.