Understanding NIST-800-63: What is it? What to know.
Ryan Rowcliffe, Field CTO, HYPR
4 Min. Read | February 11, 2020
Working in the field of authentication, I have had to become quite familiar with NIST-800-63. Previously, I was strongly focused on the Authenticator Assurance Levels (AAL). I was able to work with a product that supported over 25 unique authenticators, which allowed organizations to mix and match, or use whichever they thought was the most user-friendly.
Recently the National Institute of Standards and Technology (NIST) updated NIST 800-63B, removing email OTP and putting SMS into a limited scope. These are all important recommendations. Email is easily compromised through widespread phishing at the workplace. For customers, people are vulnerable to credential stuffing attacks because of leaked credentials and high rates of password reuse. SMS was a great step forward in driving users to adopt two-factor authentication, but over the years we found that mobile providers, and even the SS7 network itself, were compromised. Social engineering techniques perfected against mobile phone providers downgraded SMS as a viable authenticator.
NIST 800-63B Doesn't Have to Be Overwhelming
To adopt and implement a program based on NIST 800-63B you need to become familiar with new acronyms and apply NIST vocabulary. At HYPR, we simplify this by targeting a specific portion of NIST 800-63B: the AAL (Authenticator Assurance Level). While there are other sections covering FAL (Federation Assurance Level) and IAL (Identity Assurance Level), HYPR is focused on reducing the burden of implementing AAL3, which NIST 800-63B defines as the highest level of assurance. What does this all mean? Simply put, enterprises that look to follow or align themselves with NIST recommendations can easily place their authenticators in the highest level of assurance by deploying HYPR. That can be on the desktop or laptop for OS-level access assurance, or for consumers who access the organization’s digital properties.
Organizations I have worked with have always liked being able to say, from a security perspective, that they follow and adhere to NIST. Remember, NIST defines the standards for the US government and for how those entities interact with each other and support Government-to-Government, Government-to-Business, and Government-to-Citizen transactions.
This has been made clear through the Federal Zero Trust Strategy, which identifies authentication guidance, such as NIST 800-63B, that federal agencies and contractors should deploy to ensure the highest level of security. Likewise, the Federal Financial Institutions Examination Council (FFIEC) has updated its authentication advice to its members to reference NIST 800-63B as authentication best practice for risk management. Special attention is paid in the updated NIST 800-63B to ‘verifier impersonation resistance’, which acknowledges the threat phishing poses to national and enterprise-level cybersecurity.
Aligning With NIST-800-63B
What excites me about this is that not only are we able to help organizations reach and align with NIST 800-63B recommendations, we also fully remove passwords and shared secrets from environments. We must also remember that FIDO standards are geared towards improving the user experience. Better user experience comes with a greater level of security. It is no longer a balancing act between security and user experience; they are now equals. You can even conclude that user experience drives better security.
Better user experience ⇒ a greater level of security.
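The two ideas above, verifier impersonation resistance and removing shared secrets, are easiest to see side by side. The following is an added walk-through written for this page; it is not code from the article or from HYPR, and it models the mechanism rather than any product. It assumes two constructed origins (a genuine verifier and a look-alike site that simply forwards what it receives), uses the RFC 4226/6238 test key as the OTP secret, and stands in an HMAC for the per-credential asymmetric signature that FIDO actually uses, since the point being shown is the origin binding, not the signature algorithm. A shared-secret OTP is accepted no matter where the user typed it, whereas an origin-bound assertion is rejected by the real verifier because the client signed the origin it actually reached.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed origins for the walk-through (not from the article).
REAL_ORIGIN = "https://login.example.com"    # the genuine verifier
PHISH_ORIGIN = "https://login-example.com"   # look-alike site that forwards traffic to the real one


# ---------- 1. Shared-secret OTP: the code carries no information about where it was typed ----------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, dynamically truncated as in RFC 4226."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class OtpVerifier:
    """Accepts any current code for the shared secret, regardless of its provenance."""

    def __init__(self, shared_secret: bytes):
        self.shared_secret = shared_secret

    def verify(self, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(code, totp(self.shared_secret, unix_time))


def otp_survives_relay(shared_secret: bytes, unix_time: int) -> bool:
    """Model: the user types a valid code into PHISH_ORIGIN, which forwards it unchanged.
    The verifier cannot distinguish the forwarded code from one typed on its own site."""
    code_typed_at_phish = totp(shared_secret, unix_time)
    return OtpVerifier(shared_secret).verify(code_typed_at_phish, unix_time)


# ---------- 2. Origin-bound assertion: the client signs the origin it actually reached ----------

def sign_assertion(credential_key: bytes, challenge: bytes, observed_origin: str):
    """The client platform (browser) supplies the origin it connected to, and the authenticator
    signs that origin together with the verifier's challenge. HMAC stands in for the
    per-credential asymmetric signature used by FIDO; the binding logic is the same."""
    client_data = f"{observed_origin}|{challenge.hex()}".encode()
    signature = hmac.new(credential_key, client_data, hashlib.sha256).digest()
    return client_data, signature


class OriginBoundVerifier:
    """Verifier that only accepts assertions bound to its own origin and a fresh challenge."""

    def __init__(self, credential_key: bytes, origin: str):
        self.credential_key = credential_key
        self.origin = origin

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, client_data: bytes, signature: bytes, expected_challenge: bytes) -> bool:
        signed_origin, signed_challenge = client_data.decode().split("|", 1)
        if signed_origin != self.origin:                   # verifier impersonation resistance
            return False
        if signed_challenge != expected_challenge.hex():   # replay resistance
            return False
        expected_sig = hmac.new(self.credential_key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected_sig)


def origin_bound_survives_relay(credential_key: bytes) -> bool:
    """Model: the look-alike site obtains a fresh challenge from the real verifier and hands it
    to the victim's browser, which signs it against PHISH_ORIGIN (the origin it really reached).
    Forwarding that assertion to the real verifier fails the origin check."""
    verifier = OriginBoundVerifier(credential_key, REAL_ORIGIN)
    challenge = verifier.new_challenge()
    client_data, sig = sign_assertion(credential_key, challenge, PHISH_ORIGIN)
    return verifier.verify(client_data, sig, challenge)


def origin_bound_legitimate_login(credential_key: bytes) -> bool:
    """Control case: the same assertion produced at the genuine origin is accepted."""
    verifier = OriginBoundVerifier(credential_key, REAL_ORIGIN)
    challenge = verifier.new_challenge()
    client_data, sig = sign_assertion(credential_key, challenge, REAL_ORIGIN)
    return verifier.verify(client_data, sig, challenge)


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226/6238 test key, used here as constructed input
    key = secrets.token_bytes(32)
    print("OTP forwarded by look-alike site accepted:", otp_survives_relay(secret, 59))
    print("Origin-bound assertion forwarded accepted:", origin_bound_survives_relay(key))
    print("Origin-bound assertion at real origin accepted:", origin_bound_legitimate_login(key))
```

The verifier-side difference is the whole story: `OtpVerifier.verify` has nothing to compare the code against except the shared secret, while `OriginBoundVerifier.verify` refuses anything not signed for its own origin. That is what NIST 800-63B means by binding the authenticator output to the verifier, and it is why removing the shared secret removes the thing a look-alike site could forward.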
Buzzword bingo time — Digital Transformation. This is a top priority for many organizations as they look to digitalize assets or communications between themselves and their customers, or simply to modernize internally. The driving force is the ability to increase business and operational efficiency with modern technology. Imagine being able to offer your workforce passwordless authentication to access their workstations, or giving your customers a seamless flow from account enrollment through access to digital properties. With HYPR, organizations can bridge business and security initiatives, such as integrating NIST 800-63B into their authentication. Multiple lines of business can enjoy the benefits of a new, widely adopted user experience. Security teams reduce their attack vectors. It’s a win-win for the entire organization.
The reduction in the threat landscape creates room for other benefits. For example, organizations may see lower cyber liability insurance costs, not to mention the savings from fewer password resets. The movement to rid the industry of passwords and shared secrets has already begun. To see for yourself why the industry is evolving so rapidly, get a personal demo.
Field CTO, HYPR
Ryan Rowcliffe is a technologist with over 20 years in the information technology industry. He has spent the last 7 years focused on Identity Access Management, Multi-Factor Authentication and Passwordless MFA solutions. Ryan loves solving business problems with modern innovation mixed with known solutions.