
NIST Updates to Identity Management: Evolved MFA for the Masses

Recently, NIST published their second draft of the proposed update to the Framework for Improving Critical Infrastructure Cybersecurity, version 1.1. NIST also published a draft version 1.1 of their Roadmap for Improving Critical Infrastructure Cybersecurity, which includes updates on the following new topics:

  • Cyber-Attack Lifecycle;
  • Measuring Cybersecurity;
  • Referencing Techniques;
  • Small Business Awareness and Resources; and
  • Governance and Enterprise Risk Management.

One key part of the changes made in the Roadmap document is the renaming of the topic Authentication to Identity Management “to account for a broader range of important technical topics including authorization and identity proofing.”

Since the first release of the Framework, there have been advancements in Identity Management solutions, as outlined in section 4.7 of the Roadmap. NIST points to new multi-factor authentication (MFA) solutions and authentication protocols, such as those established by Fast IDentity Online (FIDO) and the World Wide Web Consortium (W3C), as examples of industry maturation.

FIDO’s open authentication standard, Universal 2nd Factor (U2F), uses public key cryptography to securely authenticate a user to a web service. It protects against phishing and provides strong user-centric privacy, as a U2F device is not bound to a user’s real identity. Read more about it in Bringing U2F to the Masses.

This second factor comes in the form of a U2F-compliant security key (like the YubiKey NEO), a small USB device plugged into your laptop that you tap to complete two-factor authentication.

Specifically, NIST emphasizes how these protocols and solutions “will bring easy-to-use and cost-effective MFA solutions to the consumer masses, with support by nearly every major browser and mobile manufacturer.”

While use and adoption are advancing in the right direction, it’s still not enough to protect against cybersecurity threats. As an example, NIST cited the 2017 Verizon Data Breach Report’s statistic that 81 percent of hacking-related breaches leveraged stolen and/or weak passwords.

To help better align technology and risk management processes, and to provide guidance on digital identity, NIST updated its Special Publication 800-63 suite of documents this past July. Get an overview of those substantial updates in Key Updates to NIST’s Digital Identity Guidelines: SP 800-63-3.

“As threats and risks continue to evolve, a static approach to identity no longer suffices. Identity management needs to become more risk-aligned, adaptive, and contextual with guidance capable of supporting flexibility, modularity, and agility – while never sacrificing personal privacy to achieve better outcomes.” - NIST

More contextual and adaptive identity management means more than MFA alone. Google developed a more holistic enterprise security solution to ensure zero trust within their internal networks, and to address threats that exist beyond traditional perimeter protections.

That model is known as BeyondCorp, and is based on verifying the trust of both users and devices before granting access to enterprise applications and data.

While it does take a lot of effort to establish a new security framework, Duo Beyond has packaged the main components of BeyondCorp and made them easy for organizations to adopt:

  • Enroll your users and endpoints (devices like laptops, smartphones, PCs, etc.) into inventories
  • Identify endpoints as trusted using digital certificates
  • Create access policies based on the authenticated combination of user and endpoint


And more. Learn how to implement BeyondCorp principles in your organization by reading the white paper, Moving Beyond the Perimeter: Part 2.
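The three steps listed above, as an added Python example (not code from Duo, Google, or the original post): an inventory of users and endpoints, endpoint trust keyed on a certificate fingerprint, and a default-deny decision over the user and endpoint combination. All user names, application names, certificate bytes, and the rule binding an endpoint to its enrolled owner are assumptions made for illustration, and the certificate is assumed to have been validated by the TLS layer already.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint used as the endpoint inventory key."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed sample data; every name and value below is hypothetical.
ALICE_LAPTOP_CERT = b"constructed stand-in for alice's laptop certificate (DER)"
UNKNOWN_CERT = b"constructed stand-in for a certificate that was never enrolled"

# Step 1: inventories of enrolled users (user -> groups) and endpoints.
USERS = {"alice": {"engineering"}, "bob": {"sales"}, "carol": {"engineering"}}
# Step 2: an endpoint is trusted only if its certificate is in the inventory.
ENDPOINTS = {fingerprint(ALICE_LAPTOP_CERT): "alice"}  # fingerprint -> owner
# Step 3: per-application policy over the user and endpoint combination.
POLICIES = {
    "wiki": {"groups": {"engineering", "sales"}, "trusted_endpoint": False},
    "source-code": {"groups": {"engineering"}, "trusted_endpoint": True},
}

@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool
    app: str
    # Assumption: the TLS layer already validated this certificate's chain and
    # the client's possession of its private key before passing it here.
    client_cert: Optional[bytes] = None

def decide(req: AccessRequest) -> tuple:
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, "unknown application"
    groups = USERS.get(req.user)
    if groups is None or not req.mfa_passed:
        return False, "user not enrolled or not authenticated"
    if not groups & policy["groups"]:
        return False, "user not authorized for application"
    if policy["trusted_endpoint"]:
        owner = ENDPOINTS.get(fingerprint(req.client_cert)) if req.client_cert else None
        if owner is None:
            return False, "endpoint not trusted"
        if owner != req.user:
            return False, "endpoint enrolled to a different user"
    return True, "allowed"
```

The last two checks are what separate this model from MFA alone: a correctly authenticated user is still denied on an unenrolled device, or on a device enrolled to someone else.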

Thu Pham

Information Security Journalist

@Thu_Duo

Thu Pham covers current events in the tech industry with a focus on information security. Prior to joining Duo, Thu covered security and compliance for the infrastructure as a service (IaaS) industry at Online Tech. Based in Ann Arbor, Michigan, she earned her BS in Journalism from Central Michigan University.