On Labor Day, September 5th 2016, NIST published their Digital Authentication Guideline: Public Preview. The document, SP 800-63-3, is a complete overhaul of our beloved eAuthentication documents SP-800-63 and OMB M-04-04.
NIST is changing things up. Rather than holding the traditional comment period, they are calling this a “Public Preview.” It is available on GitHub to gain public input. There will be successive open comment periods. Multiple iterations, each lasting approximately two weeks, will be followed by time to incorporate changes into the document. The process is similar to sprints in Agile.
Highlights of the document
The document is broken into four parts. The base document SP 800-63-3 is the third iteration of this special publication, and has been renamed to: Digital Authentication Guideline. The base document is followed by three separate documents.
- SP 800-63A – Enrollment and Identity Proofing
- SP 800-63B – Authentication & Lifecycle Management
- SP 800-63C – Federation and Assertions
This new structure is important because it decouples identity proofing from authentication and authorization, and addresses the neglected importance of ID proofing in cybersecurity.
OMB Levels of Assurance – LOA
eGovernment legislation was passed in 2002 and was quickly followed by OMB M-04-04 in 2003. For over a decade we have used LOA 1, LOA 2, LOA 3 and LOA 4 to classify and refer to the type of authentication we used. Now with this document, LOA is dead. The functions of LOA have been decoupled into two parts: Identity Proofing and Authentication. Identity Assurance Level (IAL) now refers to the strength of ID proofing and the confidence level associated with those processes.
IAL 1 – An applicant can self-assert their identity, meaning there is NO requirement for ID Proofing.
IAL 2 – An applicant’s identity must be proven with real world attributes. This can be with KBA (Knowledge Based Authentication, so, something someone should know), or can be asserted by a third party. At this level, in-person proofing is allowed but NOT required.
IAL 3 – An applicant’s identity MUST be proved in person. They must be verified by an authorized and trained professional representative of the Credential Service Provider (CSP).
On the Authentication side of the house, digital authentication refers to an Authenticator Assurance Level (AAL).
AAL 1 – only requires single factor authentication.
AAL 2 – requires two different authentication factors.
AAL 3 – requires proof of possession of a cryptographic key, used together with multi-factor authentication.
By decoupling ID proofing from authentication, it is easier to see the true strength or level of assurance. For example, if your authentication process was at AAL 2 but you let your applicants self-assert their identity (which is the case on most web sites), your real assurance level would only be 1. This is one of the gravest dangers of adding two-factor authentication to web apps. The authentication is strong, but the ID proofing is weak or non-existent.
The traditional USERNAME + PASSWORD system was designed half a century ago, when users on a trusted network had to be given access to different parts of the system. Once the system recognized your username, it would give you the proper entitlements. One person got access to accounts payable, while someone else got access to inventory. The CPA got access to the whole accounting system. But in today’s online world, usernames and passwords simply don’t work to maintain security online.
Users have been complaining about passwords for decades. In a bold move, NIST has made recommendations to address these complaints. First, they suggest agencies do away with periodic and arbitrary password changes. Everybody knows that when you force people to change their passwords every 30 days, people just write them down.
Another surprise is the recommendation to do away with mandatory special characters. NIST is not suggesting that we make passwords weaker. In fact, until we can do away with passwords completely, they are suggesting making them stronger, by using passphrases. What they are trying to do is get us to stop employing practices that don’t work.
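To make the two recommendations above concrete, here is a small side-by-side in Python. It is an added illustration, not code from NIST or from this post: one function enforces the legacy composition rules (mandatory upper/lower/digit/special) plus a 30-day rotation schedule, the other enforces a NIST-style policy that cares only about length and a blocklist of known-weak passwords, and forces a change only on evidence of compromise. The minimum and maximum lengths, the rotation interval, the blocklist entries and the "change only on compromise" rule are assumptions chosen for the example, not values quoted from SP 800-63B.

```python
"""Legacy composition-rule password policy beside a NIST-style policy.

Added illustration (not from SP 800-63 or the blog post).  All thresholds
and the blocklist below are assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import string

# Constructed stand-in for a real list of common / breached passwords.
COMMON_PASSWORDS = {"password", "p@ssw0rd!", "123456", "qwerty", "letmein"}

MIN_LENGTH = 8      # assumed minimum length
MAX_LENGTH = 64     # assumed maximum, long enough for a passphrase
ROTATION_DAYS = 30  # the arbitrary rotation schedule the post describes


@dataclass
class Verdict:
    accepted: bool
    reason: str


def legacy_policy(pw: str) -> Verdict:
    """Classic rules: 8+ chars containing upper, lower, digit and special."""
    if len(pw) < 8:
        return Verdict(False, "shorter than 8 characters")
    checks = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, ok in checks.items() if not ok]
    if missing:
        return Verdict(False, "missing " + ", ".join(missing))
    return Verdict(True, "meets composition rules")


def nist_style_policy(pw: str) -> Verdict:
    """Length plus a weak-password blocklist; no composition rules."""
    if len(pw) < MIN_LENGTH:
        return Verdict(False, f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        return Verdict(False, f"longer than {MAX_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        return Verdict(False, "appears in the weak-password list")
    return Verdict(True, "acceptable")


def legacy_needs_change(last_changed: date, today: date, compromised: bool) -> bool:
    """Force a change on compromise OR simply because the password is 'old'."""
    return compromised or (today - last_changed) > timedelta(days=ROTATION_DAYS)


def nist_style_needs_change(last_changed: date, today: date, compromised: bool) -> bool:
    """Assumed rule: age alone is never a reason to force a change."""
    return compromised


def compare(pw: str) -> tuple:
    """Return (legacy_accepts, nist_style_accepts) for one candidate password."""
    return legacy_policy(pw).accepted, nist_style_policy(pw).accepted


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "correct horse battery staple", "short"]:
        print(f"{candidate!r:35} legacy={compare(candidate)[0]} nist_style={compare(candidate)[1]}")
    print("35-day-old password, no compromise: legacy forces change =",
          legacy_needs_change(date(2016, 8, 1), date(2016, 9, 5), False),
          "; NIST-style forces change =",
          nist_style_needs_change(date(2016, 8, 1), date(2016, 9, 5), False))
```

The interesting rows are the first two: `P@ssw0rd!` satisfies every composition rule yet is rejected by the blocklist, while a four-word passphrase fails the legacy rules for lacking an uppercase letter, a digit and a special character but is accepted by the length-based policy. The rotation pair shows the other recommendation: an old-but-uncompromised password triggers a forced change only under the legacy schedule.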
Two factor authentication is the darling of the IT industry right now. At last count, there were over 30 2FA vendors with enterprise solutions. We all know that username + password, or one factor authentication simply isn’t secure. So there has been a mad rush to install two factor authentication for everything. But in that mad rush, we neglected to check and see if 2FA was any safer.
In this document NIST has formalized what many of us have feared for years, that 2FA is full of vulnerabilities and many forms just aren’t safe. NIST has officially deprecated the use of “OTP over SMS.”
Why would NIST do this?
Aren’t time-limited one-time-passwords over an out-of-band communication stream a good idea? As it turns out, no. Originally, SMS was out-of-band communication, over the SS7 telecom protocol. But now SMS is transported over GSM.
It is a layer 7 application over TCP/IP. SMS rides over SS7 only in the core of the PSTN. To make matters worse, SMS is plaintext, making it easy for an eavesdropper to get your OTP, username and password. NIST goes into more depth about why they feel so strongly about “OTP over SMS”, but suffice it to say, they put the nail in the coffin of one time passwords over SMS and are lowering it into the grave.
Biometrics don’t constitute a secret. NIST isn’t against the use of biometrics, but they want to make it clear that there are still problems to overcome and that there are parameters for their use.
The use of biometrics in cybersecurity is a tricky subject. In crimes of physical theft or murder, fingerprints provide excellent forensic evidence. No two fingerprints have ever been found to be the same. That’s why law enforcement has been using them since 1901. When you touch anything, you leave behind an oily residue with a unique signature, so if your fingerprints are found at a crime scene you’re likely looking at a guilty verdict in a court of law.
But in IT, where everything is electronic, things are different. We installed our first fingerprint scanners in our datacenters in the 1980s, but they were a total failure. I have been using my fingerprint to log onto my Lenovo for over 10 years. It’s fast, convenient and it works. But is it safe?
NIST discusses biometrics in depth. First they want you to know that, while they are getting much better, they are still only one factor and must be used with another factor. SP 800-63 details NIST’s concerns and gives guidance on when and how to use them if you must.
The Future of Digital Authentication in the Cyber World
SP 800-63-3 is a radical departure for NIST for several reasons.
- Instead of following their traditional comment period, they have posted the document to GitHub and are following an open source model that is iterative and agile.
- They have abandoned the term eAuthentication from 2002 in favor of the term Digital Authentication.
- A new standard of assurance is being proposed, while the decades-old OMB standard is being abolished.
- While NIST is our national standards body, SP 800-63 has always applied to federal executive agencies as defined in Title 39 U.S.C. 201. This document is meant to reach a new audience, the entire United States—the population NIST serves.
Special Publication 800-63-3 is an outstanding piece of work. Paul Grassi and the entire team at NIST deserve tremendous credit. The team is the first to admit the document is not perfect, which is why they are asking for our help and our comments. If you wish to view the documents, you can find them on NIST’s site. If you wish to comment, you will need to create a GitHub account. If you want step by step instructions, you can find them here. I urge everyone to participate. It’s our digital future.
I will be submitting comments to the document on GitHub, and invite readers to share their comments via this blog forum.