Why The New NIST Guidelines Are Not Enough

Written by

The US National Institute of Standards and Technology (NIST) is currently working on an update to its Digital Identity Guidelines. I feel for them, as this is a guideline that is in constant need to adapt to the ever-changing threats of cybercrime. 

How we address online authentication today, and for the past 60 years, needs to change. We see news on an alarmingly regular basis of power plants, water systems, and other critical infrastructure being breached. The stakes have never been higher. For businesses across every industry to continue to run successfully, we need to prove identity online and currently, the most popular way to do that is through static usernames and passwords. 

The available draft of the new guidelines relaxes the current password rules, acknowledging that users actually create less unique passwords for each service if there are complex password requirements. While a step in the right direction, discounting the fact that static passwords are a weak link in the cybersecurity chain, the heart of the matter remains unchanged. Instead of bending guidelines to succumb to user behavior, the industry should be working to create better and more secure technology that is also easier for consumers to use.

We need to face the fact that passwords are broken technology, as there is no such thing as a fully secure password no matter how long or complex. In order to truly secure online authentication, NIST should focus on ending the widespread use of static passwords and they should be encouraging organizations to start implementing stronger technology that is not open to session replay attacks and actually proves online identity, something today’s usernames and passwords have never and will never do. 

Security, like most other traditional infrastructure systems, is fast becoming outdated as computing becomes decentralized extending to remote and mobile users across the globe. Traditional defenses no longer work as hackers quickly outsmart them, creating a constant cat and mouse chase for the industry to catch up with the criminals. Human behavior, especially impactful in the workplace, is immersed in technology, leaving CISOs to scramble to address existing problems as well as the new risks introduced daily. 

At the same time, we know that users want their online experience to be easy and convenient. Security and convenience are often at odds. We need solutions that can blend convenience and security to increase public adoption while also keeping organizations protected – and stronger passwords is just not the answer. 

First, we need to move away from static technologies that only provide an appearance of security – such as passwords, SMS and Biometrics. That’s the only way we can keep businesses and consumers safe in today’s security environment.

NIST has alluded in recent documents that SMS should no longer be relied upon for fraud prevention and authentication measures. Fraudsters can reroute SMS in less than 60-seconds with nothing more than a person’s telephone number and a simple KBA like mother’s maiden name.

Likewise, biometrics are futile. A fingerprint can be copied with a gummy bear, facial recognition with a cutout photo of the person’s face and iris recognition fails if the person is wearing contact lenses or the light is too dim. 

While they give the appearance of security, all biometrics are just converted to 1s and 0s which is still a static credential. Fraudsters steal any static credential, replay the session data and businesses have zero way to know the difference between the criminal and their legitimate customer. What’s worse, organizations have a false sense of security because biometrics are touted as increased security over standard username and password.

We need to stop the madness and move away from all static credentials. NIST should encourage organizations to discontinue their use of passwords and embrace new technology that will actually keep their business and their users safe. 

What’s hot on Infosecurity Magazine?