De-NISTifying 800-63B

Working in the field of authentication, I have had to become quite familiar with NIST SP 800-63. Previously, I was strongly focused on the Authenticator Assurance Levels (AAL). I was able to work with a product that supported over 25 unique authenticators, which let organizations mix and match, or use whichever ones they found most user-friendly.

NIST recently revised its guidance, removing email OTP and placing SMS into a limited scope. These are all great recommendations. Email is easily compromised through widespread phishing at the workplace. On the customer side, people are vulnerable to credential stuffing attacks because of leaked credentials and high rates of password reuse. SMS was a great step forward in driving users to adopt two-factor authentication, but over the years we found that mobile providers, and even the SS7 network itself, were compromised. Social engineering techniques honed against mobile phone providers downgraded SMS as a viable authenticator.

NIST Special Publication 800-63B can be overwhelming.

To adopt and implement a program based on NIST 800-63B, you need to become familiar with new acronyms and apply NIST vocabulary. At HYPR, we simplify this by targeting a specific portion of NIST 800-63B: the AAL (Authenticator Assurance Level). While there are other sections covering FAL (Federation Assurance Level) and IAL (Identity Assurance Level), HYPR is focused on reducing the burden of implementing AAL3, which NIST defines as the highest level of authenticator assurance. What does this all mean? Simply put, enterprises that want to follow or align with NIST recommendations can place their authenticators at the highest level of assurance by deploying HYPR. That could be on the desktop or laptop for OS-level access assurance, or for consumers who access the organization’s digital properties.

Organizations I have worked with have always liked being able to say, from a security perspective, that they follow and adhere to NIST guidance. Remember, NIST defines the standards for the US government and for how those entities interact with each other and support Government-to-Government, Government-to-Business, and Government-to-Citizen transactions.

What excites me about this is that not only are we able to help organizations reach and align with NIST recommendations, we also get to remove passwords and shared secrets from their environments. We must also remember that FIDO is geared towards improving the user experience. Better user experience comes with a greater level of security. It is no longer a balancing act between security and user experience; they are now equals. You can even conclude that user experience drives better security.


Buzzword bingo time — Digital Transformation. This is a top priority for many organizations as they look to digitize assets or communications with their customers, or simply modernize internally. The driving force is the ability to increase business and operational efficiency with modern technology. Imagine being able to offer your workforce passwordless login to their workstations, or giving your customers a seamless flow from account enrollment to access to your digital properties. With HYPR, organizations can bridge business and security initiatives. Multiple lines of business can enjoy the benefits of a new, widely adopted user experience, while security teams reduce their attack vectors. It’s a win-win for the entire organization.

The reduction in the threat landscape creates room for other benefits. For example, organizations may see their cyber liability insurance costs fall, not to mention the savings from fewer password resets. The movement to rid the industry of passwords and shared secrets has already begun. To see for yourself why the industry is moving so rapidly, give our free 30-day trial a run.
