Got trust? Seeking public comment on new NIST publication for developing trust frameworks to support identity federation

Some communities and organizations that share common user bases and transaction types are addressing challenges to users’ privacy and security by allowing users to access multiple services through common login processes. This approach – known as federated identity management – enables users to access multiple online organizations and services through shared authentication processes, instead of authenticating separately with each service provider.

Federated identity management is based on trust, especially between the organizations and service providers that use it. The “rules” for federated identity management are known as “trust frameworks” and the organizations that agree to follow such rules and participate are known as “identity federations.”

Want to know more about trust frameworks?

Check out today’s release of draft NIST Internal Report (NISTIR) 8149: Developing Trust Frameworks to Support Identity Federation. This document provides an informational look at trust frameworks and explains what they are, what their components are, and how they relate to the concept of identity federation. We’re seeking feedback from the stakeholder community on this draft as well—see below for details on how to comment.

Why now?

The major end goal is simple: to facilitate the widespread adoption of trust frameworks for organizations and the communities that benefit from them. Trust frameworks aren’t new, so this document doesn’t intend to introduce them to the public. Rather, the draft NISTIR aims to educate communities interested in pursuing federated identity management as they try to establish the agreements that will make up the framework. It includes guidance on determining roles in an identity federation, what to consider from a legal standpoint, and understanding the issues of establishing and recognizing conformance.

Additionally, we hope we can help standardize the language around identity federation and trust frameworks in the future to contribute to a common understanding of the concepts.

What’s the central issue?

Online service providers are struggling more and more to find ways to verify that their consumers are who they say they are that are both secure and privacy-protecting. The default solution up until now has been to require consumers to register and create an account each time they access a new service, but this requires additional effort from service providers and puts the burden on consumers to keep track of many different accounts and login details. Remembering passwords for every single account is not practical, and many consumers are ignoring well-known security best practices that recommend not reusing usernames and passwords between sites. Additionally, convincing users to adopt multi-factor authentication is that much harder when we must ask them to do so across dozens of sites.

Draft NISTIR 8149 covers all the critical topics of trust frameworks, including roles and responsibilities, framework components and rules, legal structures (including risk and liability), and establishing and recognizing conformance. We won’t go into the details here, so please take a look at the draft.

How to comment

Like so many of our documents, it won’t be complete without feedback from our stakeholders; we rely on you telling us what we got wrong and what we outright missed.

Because of the positive feedback we continue to receive on our other documents hosted on GitHub, we’re collecting comments on GitHub again via our NISTIR 8149 GitHub page. You can conveniently access the repository’s ‘Issues’ tab, where you can contribute comments via a form. Using that tab, you can summarize your suggested changes and submit them for further discussion in a forum-style format. More instructions on this are available online.

Also, given that this is a more narrative style document, we understand that it might be easier for some to submit comments through a good old fashioned comment matrix. If so, please use this matrix and send it to These comments will likely get added by us to GitHub for maximum transparency and collaboration—so please anticipate that any feedback emailed to us will be made public.

The 30-day open comment period is from October 3rd – November 1st, 2016.

While NIST is better known for its focus on developing standards and technology, we never lose sight of the many enablers of technology that can make or break a market. A sustainable marketplace requires active work to establish the organizational structures and agreements that make room for great technologies; whether a technologist or attorney, policymaker or executive, establishing trust in digital identities isn’t a spectator sport.

Twitter: @NSTICNPO


Many thanks for a successful 800-63-3 public preview!

A look back on the SP 800-63-3 public preview

As summer has flown by, you have kept us very busy reviewing your comments on GitHub to Special Publication (SP) 800-63-3 and engaged in a dialog about how this material can be enhanced to better support the public and private sectors. The response we’ve received to SP 800-63-3 – and this new approach – has been phenomenal and inspiring. And now, we’re excited to transition from the public preview period for draft NIST SP 800-63-3: Digital Authentication Guideline to the next critical phase – the 60-day public comment period. But before we do that, I’d like to explain what we learned this summer and where we are headed next…

Between May 8 and September 17, 2016 – our first foray into using GitHub to solicit and manage comments for a major document – there were at least 3,757 unique visitors to our GitHub repository, with contributors submitting 258 ‘issues’ (i.e. items for our review). The open-source nature of this approach allowed us to communicate directly with commenters, giving us a much better way of knowing whether we heard you. It also gave commenters the opportunity to review updates and tell us if we got it right. Our goal was to create a community-driven document, and we hope you agree that your thoughtful feedback substantially improved the document from its initial draft.

As of yesterday, we have temporarily stopped responding to issues posted on GitHub to prepare for the upcoming formal public comment phase. Anyone can view the document as it was yesterday. You can still open an issue—but please know that we will automatically close those issues and ask that you check the updated document when it is posted at the start of the public comment period. If you still see the issue, we ask you to please open it then.

What is coming next?

We’re aiming to release a new draft for public comment in mid-fall.

We’ll have full details upon release of the draft—and GitHub will remain the tool of choice during the public comment period—but we will also include a PDF version of the draft. In addition to submitting comments via GitHub, you will also have the option to submit comments to us via email. We always make comments publicly available, so our team will convert any comments that reach us via email to open GitHub ‘issues’ that everyone can see. This allows us to continue to be transparent about the issues that influence any changes we will ultimately make after the public comment period ends. It also encourages rich, ongoing dialogue—as anyone can discuss an open issue to help find the best possible resolution.

Thank you again for your contributions, support in this new approach, and willingness to be a part of this document’s evolution. We’re looking forward to keeping the discussion lively and impactful during the upcoming official public comment period this fall.

For those who want a deep dive into the latest draft, we’re planning a webinar at the beginning of the public comment period to answer any outstanding questions, and to give everyone an idea of what’s ahead for SP 800-63-3. Be sure to follow us on Twitter for future updates about the webinar including the date, registration details, and agenda.


Citius, Altius, Fortius: Announcing 6 new pilot projects across 10 states (and D.C.!)

As the sun was setting on the thirtieth modern Olympiad in London, NIST was preparing to announce our very first set of NSTIC pilot projects. As the flame goes out in Rio, we’re setting new records. In our largest pilot announcement to date, today NIST is proud to add six new projects to our ranks and bring the total number of projects to 24.

It’s a tricky needle to thread for government to successfully catalyze a marketplace of solutions without government creating the solutions itself. At NIST, we try to keep the model simple. We believe the government’s role in seeding this market is to help overcome the initial barriers to a successful market and, as the landscape evolves, break through barriers that hold specific parts of the market back.

In 2012, adoption of trusted identities that aligned with the NSTIC vision wasn’t even a blip on the familiar ‘s-shaped’ technology adoption curve. We truly took an ecosystem approach: it’s not about a single killer app or any given shiny solution, it’s about creating the network effects by which all natural ecosystems support each other and by which we believe we can change the race-to-the-bottom history of identity, authentication, and the protection of personal information that, despite tremendous efforts by many, was all too common pre-NSTIC.

Today, that ecosystem is alive, well, and rapidly expanding. Our pilots family includes 24 projects and more than 150 total partners across 26 states and D.C. These projects have impacted more than 5.9 million individuals, and that impact is growing faster than ever before—a critical indication that the market is climbing that s-shaped curve. But the numbers run deeper than that. These solutions have impacted a dozen sectors, creating technology, business, and policy linkages that are mutually supportive and global in nature. It’s not just about the number of nodes but the strength of their bonds.

Pilots graphic (8/25/2016)
And, like any healthy ecosystem, it’s growing on its own. The variety of initiatives and solutions filling the marketplace outside the NSTIC program demonstrates just as strongly that the economic model is catching on.

As the fundamental economic proposition has changed, so too has the narrative. As just one example, adoption of multi-factor solutions is well out of the innovators and early adopters—and by some measures quite a way through the early majority as well. In 2015, 39% of consumers used two-factor authentication. Most individuals know that digital identity matters, even if fewer yet understand what to do about it. We know that 54% of consumers were not confident that the security of their personal data was protected on the internet in 2015, and 77% would be interested in an alternative to usernames and passwords to protect their security.

The success of a fundamental shift in the availability of multi-factor solutions in the marketplace has allowed us to turn to investing in solutions for other specific challenges in targeted areas where we believe (1) we can get the best marginal benefit for each taxpayer dollar and (2) the model of these projects can serve as a positive feedback loop to advance two critical sectors that individuals rely on daily.

In this year’s targeted approach to driving innovation in digital identity, we’re pleased to announce six new projects ready to rise to the challenge of making more secure, privacy-enhancing, interoperable, and usable solutions for everyday identity hurdles. We’ve awarded five projects to streamline and secure online access to state and local government services while we’re awarding a sixth through a partnership with HHS’s Office of the National Coordinator for Health IT to deliver trusted identities in healthcare. In these two important domains, we see the potential for innovation to make critical services more convenient and trustworthy for the consumer while strengthening online service providers’ security.

With that lengthy preamble out of the way, I’d like to introduce you to the six newest members of our family:

Florida Department of Revenue, Child Support Program (Tallahassee, Fla.: $3,550,978)

The Florida Department of Revenue aims to improve identity processes for online access to several Child Support Program applications. The new registration and authentication process will: increase the number of online services available to customers, provide convenience through a single login identity, and improve security by offering customers device registration options. The solution will allow the Child Support Program to increase the efficiency and effectiveness of our services while meeting customer expectations and the growing desire to conduct business more efficiently and effectively through online interactions with government agencies.

Yubico, Inc. (Palo Alto, Calif.: $2,273,125)

Yubico will focus on enabling secure online access to educational resources for students in Wisconsin and to state services for residents of Colorado. In both states, Yubico will deploy FIDO Alliance Universal 2nd Factor-based YubiKeys and use OpenID Connect to develop an ‘identity toolkit’ – with the goal of making the solution as simple to use and deploy as possible.

State of Ohio, Department of Administrative Services (Columbus, Ohio: $2,967,993)

The State of Ohio Department of Administrative Services will implement a range of identity-related capabilities, from multi-factor authentication to stronger identity proofing, for three state services. These services include enterprise e-licensing, online filing and payments for businesses in the state, and tax-related transactions with the Ohio Department of Taxation.

Gemalto, Inc. (Austin, Tex.: $2,022,102)

Gemalto will work with departments of motor vehicles to issue digital driver licenses to residents of Idaho, Maryland, Washington, D.C., and Colorado. Gemalto aims to improve the way people conveniently and securely present and prove their identities to business and government entities by offering a digital driver’s license, accessible via a mobile application. The benefit for citizens and relying parties is being able to present and authenticate a trusted government-issued digital identity via mobile platforms, which will facilitate and automate many applications that rely on the physical presentation of identity documents today.

, Inc. (McLean, Va.: $3,750,000)

, Inc. will work with the City of Austin, Texas, to develop a city-level blueprint for increased trust between participants in the sharing economy. The goal of the pilot is to demonstrate a viable model for strong authentication that is acceptable to key stakeholders in the sharing economy and replicable in other municipalities. With the State of Maine, the company will implement a federated identity model for applications to increase citizen access to benefits and to demonstrate interoperable credentials at the federal and state level.

Cedars-Sinai Medical Center (Los Angeles, Calif.: $999,836)

Cedars-Sinai Medical Center will implement a federated identity, single sign on, multi-factor authentication solution across distinct healthcare systems for patients and providers. The solution aims to simplify patient transition from Cedars-Sinai Medical Center, an acute-care setting, to post-acute care settings, such as California Rehabilitation Institute. Patients and providers will have a single credential on a portal with the purpose of giving them easier access to information to improve quality of care.

We expect each of these projects will make tangible differences in the everyday lives of millions more individuals by providing solutions that simultaneously improve the privacy, security, and convenience of those who use them through more convenient, interoperable, and user-centric approaches. We also expect they will provide a model for others to continue the remarkable gains of the last five years in pursuit of the NSTIC vision. We can’t wait for the great work that lies ahead.

While we warmly welcome aboard these organizations and their partners to the NSTIC pilots family, we acknowledge the journey ahead. It takes a steady eye down a long road to see through to the goal. We will continue analyzing ongoing challenges and market impediments, and will shift investments toward the prickliest of problems in identity. As we set our sights on the future, here’s to more innovation in the Identity Ecosystem—Citius, Altius, Fortius, and on to the next Olympiad!

Twitter: @NSTICnpo


REGISTER NOW: Privacy Controls Workshop on next steps for NIST SP 800-53, Appendix J!

We’re pleased to announce that on September 8, 2016, NIST and the Department of Transportation will hold a technical workshop on the next steps for NIST Special Publication 800-53, Appendix J…and registration is now open! Workshop participation from security and privacy engineers, privacy subject matter experts, and Senior Agency Officials for Privacy (SAOPs) is imperative for this workshop to be a success, so we encourage experts in these areas to register and attend. However, everyone is welcome so please feel free to join us if you are interested in the design of privacy protections in federal information systems.

Should Appendix J evolve in the next revision of the publication? We need your participation and input to get it right. Workshop attendees will explore the effectiveness and challenges of applying the current privacy controls in SP 800-53 and will discuss what adjustments should be made in the publication’s fifth revision.

Facilitated group discussions will cover a variety of topics, including: potential amendments to the privacy control families, broader guidance on the relationship between the privacy and security controls, and the need for additional NIST guidance on the implementation of controls in privacy risk management processes to support more effective privacy programs.

Shortly, we will release a discussion draft addressing each of the primary focus areas for the workshop. With the discussion draft as a starting point, attendees will have an opportunity to provide critical feedback prior to, during, and following this workshop to guide our next steps.

Your input is critical to making this process a success, so don’t forget to register…and stay tuned for an agenda, panelist announcements, and a discussion draft—which we will post on the event page soon.

Attendees can earn a maximum of five CPE credits through the International Association of Privacy Professionals (IAPP) for attending the workshop by simply submitting this form.

Please Note: If you are a U.S. citizen, the registration deadline is Friday, September 2nd at 12pm, EST. If you are not a U.S. citizen, the registration deadline is Monday, August 22nd at 12pm, EST. This event will be in-person; there will be no webcast.

Twitter: @NSTICnpo


Questions…and buzz surrounding draft NIST Special Publication 800-63-3

Here’s the backstory: You may have noticed that we’ve been getting a wee bit of attention on the proposed deprecation of SMS as an out-of-band second authentication factor in section of draft NIST Special Publication 800-63-3: Digital Authentication Guideline. First, we’re happy to get the attention. Sure, this is a NIST document, but the point of public comment—and our extended public preview of the draft on GitHub—is to make sure the community is a part of creating it. The more eyes the better. The team here at NIST wouldn’t quite say many commenters make lighter work—but they sure do make a better end product.

All that said, accurately communicating information on technical standards can be pretty difficult, so we want to make sure folks know exactly what we mean with this proposal.

Here’s what we mean: There are really two separate changes worth explaining…

First: VoIP and other IP-based services. In today’s Identity Ecosystem, we worry especially about threats that are scalable and threats that can occur remotely. Yes, getting your phone stolen is a threat to all mobile-based two-factor authentication, but the cost to an attacker to steal a password and then steal a phone is much higher than when said swindler can access your accounts from their couch. It takes time and physical mobility, and they have to do the damage before the victim can act—which is typically much quicker when your phone is missing than when they’re remotely in your account.

So while no security approach is perfect, truly tying authentication to a physical device makes a real difference.

These days, not all SMS is a mobile phone-based communication. It’s a beautiful thing about SMS interoperability that we can send a message to a “phone number” without really caring if it’s an SMS, MMS, iMessage, or data message to some other internet service. An SMS sent from a mobile phone might seamlessly switch to an internet message delivered to, say, a Skype or Google Voice phone number. Users shouldn’t have to know the difference when they hit send—that’s part of the internet’s magic.

But it does matter for security. That’s why we’re proposing that federal agencies first verify that the phone number is truly attached to a mobile phone. If not (and the user happens to protect her or his VoIP account with a password), the user might now be protecting sensitive personal information with two passwords—that’s two of one factor type (two of ‘something you know’) rather than actual two-factor authentication (‘something you know’ and ‘something you have’). So we felt we had to propose ruling VoIP out.

Second: SMS to mobile devices. Let’s move on to the case where we’re confident the SMS is really going to a mobile device.

We’re continually tracking security research on the evolving threat landscape. Following on our approach to limit scalability and remote attacks, security researchers have demonstrated the increasing success (read: lower cost in time and effort and higher success rates) of redirecting or intercepting SMS messages en masse. While a password coupled with SMS has a much higher level of protection relative to passwords alone, it doesn’t have the strength of device authentication mechanisms inherent in the other authenticators allowable in NIST draft SP 800-63-3. It’s not just the vulnerability of someone stealing your phone, it’s about the SMS that’s sent to the user being read by a malicious actor without getting her or his grubby paws on your phone.

Because of the risks, we are discouraging the use of SMS as an “out of band authenticator” — which is, essentially, a method for delivering a one-time use code for multi-factor authentication. This is why we suggest that the use of SMS as a second factor be reconsidered in future agency authentication systems.

But what’s this “deprecated” business all about?

Deprecation is standards-speak for “you can use this puppy for now, but it’s on its way out.” It’s a way of balancing the practicalities of today’s implementations with the needs of the future. While SMS is a popular and convenient option today, the security concerns of SMS as a second factor should be part of agencies’ decisions. Leveraging an SMS to a mobile device as a second factor today is less effective than some other approaches—but more effective than a single factor. This balancing act is difficult and inherently imperfect, which is why we propose changes to the community and seek comment before making guidance final.

We proposed a deprecation rather than a removal in hopes of increased efficacy for agencies’ investments in upgrading existing systems and building new ones. It’s up to agencies to make the risk-based decisions that best serve their constituents today and future-proof systems for tomorrow.

The market is continually innovating in this space; but so are adversaries. We’re fortunate to have innovators that have given us many authentication options just as convenient, yet more secure, than SMS. We don’t take these decisions lightly, and we’re always looking for better approaches from our stakeholders.

If you think deprecating SMS is a step in the right direction, let us know through our public preview on GitHub. If not, we need to hear from you. If you have another idea, it won’t come to fruition if you don’t share it. In this way we hope to do our part for a better Identity Ecosystem that serves all users and providers of digital services—and these days that covers just about everyone.

Speaking of our GitHub public preview site, we wanted to clear up some confusion…

We have mentioned before that we hope to receive critical comments to draft 800-63-3 and finalize the document by the end of the year (we expect to close the public preview period by September 17, 2016). This approach has many benefits, one of which is to engage experts early in the drafting process so that we can accelerate release of a final publication.

But we’ve heard from many valued stakeholders who think this summer public preview is intended for individuals only. This is not the case; this document needs organizational input as well (federal agencies: this also goes for you!). To comment as an organization, feel free to create an account representative of your ‘orgname’ or include your organization name in the comment itself. We can even update the issue template to include your organization name if you’d like us to.

Don’t let the term ‘public preview’ stop you. Public means open to all. We introduced this new phase to be as responsive as possible as we engage with the public and private sectors. We’d love a steady stream of substantive comments throughout the open period—so please help us keep things running smoothly and efficiently by submitting your comments as soon as possible. Thank you for your comments and for joining us in this quest to make this document the best it can be!

Twitter: @NSTICnpo


Calling all 800-63-3 comments!

Have you done your summer reading yet? We’re approaching this summer’s halfway point – which means we’re halfway through the public preview of draft NIST Special Publication 800-63-3: Digital Authentication Guideline. Don’t let the dog days of summer get you down – we still need your feedback and expert opinions! For a refresher on some of the major changes to 800-63-3 and why we’re using GitHub to solicit comments, see our announcement blog.


Screenshot of some of the open 800-63-3 GitHub issues we’re combing through – add yours today!

We hope to address comments and finalize this document by the end of the summer, and we expect to close the public preview period by September 17, 2016. We’d love a steady stream of substantive comments throughout the open period, so please help us keep things running smoothly and efficiently by submitting your comments as soon as possible – so it’s not a mad dash for us at the end of the process. Not only do we need time to resolve all open issues, but we also want the stakeholder community to weigh in using GitHub. We will, of course, listen to and account for your feedback no matter what—but the more comments we can get now, the better. To keep track of our plan, you can visit the milestones page to check on our status and if we’ve adjusted any dates (or added iterations).

To everyone who has already contributed to this document: THANK YOU. Your efforts have not gone unnoticed as we work together to enhance digital authentication guidelines and improve the Identity Ecosystem. We don’t take lightly the importance of stakeholder participation for the success of this document.

To everyone else: please head over to the public preview site to submit your feedback today!

Twitter: @NSTICnpo


Out with the old, in with the new: making MFA the norm

It seems it’s finally multi-factor authentication’s (MFA) time in the limelight. A recent Wells Fargo commercial touts a movement beyond the password with strong authentication. Bank of America enabled passcode-free mobile login with fingerprint. The White House released the Cybersecurity National Action Plan (CNAP), expanding upon Executive Order 13681, with a focus on securing accounts with MFA. Betty White’s on board, too.

The attention is well-deserved – and MFA is here to stay; organizations are implementing and consumers are adopting. lists about 350 websites that support two-factor authentication (2FA, herein mainly referred to as MFA). In 2013, 25% of Americans had used 2FA in the past; but by 2015, this number had increased, as 39% of consumers were using 2FA.

We’ve come a long way. Relying parties (RPs) have recognized MFA’s business and user benefits. Now it’s time to go further: push MFA to the point of ubiquity, focus on consumer preference and the MFA capabilities of their devices, and make MFA sustainable in the ecosystem and economy.

Getting consumers on board

A few user-centric obstacles have prevented MFA from reaching its full potential. The password remains a typical factor in MFA, so consumers still have to remember passwords. In many cases, consumers must type them in from a mobile device – not so fun with long passwords created under complex composition rules. Consumers can have more than a handful of online accounts for accessing bank accounts, health records, email, social media accounts – and the list goes on. Sixty percent of consumers find usernames and passwords cumbersome to use. While the password has its place, simply adding a second factor onto a password scheme isn’t the only way for organizations to adopt MFA.

Plus, many websites and apps issue or implement their own second factor. As organizations develop and deploy stovepiped second factors – like Google Authenticator, SMS, FIDO’s U2F, among other options – we run the risk of overwhelming consumers with an abundance of unique second factors. When accessing accounts from multiple devices, the problem gets worse.

This trend creates an exponential problem where the consumer must remember a variety of combinations: password x with second factor y here, password a with second factor b there. This could put MFA in a bind, where users don’t have access to a second factor when they need it. And RPs may not want to adopt something that adds friction to the customer experience, especially when that second factor affects authentication and authorization in ecommerce transactions.

The good news

Multiple factors are better than one, so we’re thrilled with market adoption over the past few years. Users have access to more options than ever. In many cases, new standards and enhancements to existing ones have made it possible for users to present any of the three factor types in MFA from a mobile device. In addition, the market for consumer authentication devices continues to grow, allowing RPs to let users bring the second factor of their choice rather than bear the expense of its issuance and management.

RPs can also choose identity federation to onboard more consumers to their services. Federation allows organizations with identity management expertise, and more importantly, access to a large market of existing users, to save RPs the cost and operational burden of identity management by providing them with identity proofing and credential management services. In the end, RPs choosing federation services or letting users bring their own second factor can reduce costs, improve user experience, and enhance security and privacy.

How’s NIST working on this?

For government, the updates in Special Publication (SP) 800-63-3 align with private sector innovation and best practices. Draft SP 800-63-3 recommends MFA for all assurance levels. To facilitate MFA ubiquity, draft SP 800-63-3 encourages market growth, with greater support for mobile devices, new options for the use of biometric authentication, and binding recommendations for RPs that want consumers to feel free to bring their own credential.

Making MFA the norm means players in the ecosystem need to collaborate, innovate, and, in some cases, push the envelope beyond current business practices to cutting-edge service delivery – with a focus on user-friendly solutions. With increasing support for user choice and federation, we are on our way to ensuring that consumers can access their many accounts more conveniently and more securely.

Twitter: @NSTICnpo

We’ve dedicated this month to talking about MFA. For more information, check out our back to basics approach to MFA and our coffee chat with Michael Kaiser, the Executive Director of the National Cyber Security Alliance (NCSA).


Coffee Chat with Michael Kaiser, Executive Director, National Cyber Security Alliance

To get to the core of multi-factor authentication (MFA) and why it’s such an important security feature, we caught up with Michael Kaiser, the Executive Director of the National Cyber Security Alliance (NCSA). Mr. Kaiser graciously sat down with us for our inaugural coffee chat – a new series on the NSTIC Notes Blog. In this series, we’ll hear from various leaders in the identity community as they share unique perspectives—in their own words—on essential identity topics. See our questions and his answers, below.*

About our expert

Michael Kaiser is the Executive Director of the National Cyber Security Alliance (NCSA). Mr. Kaiser joined the NCSA in 2008. As NCSA’s chief executive, Mr. Kaiser engages diverse constituencies—business, government and other nonprofit organizations—in NCSA’s broad public education and outreach efforts to promote a safer, more secure and more trusted Internet. Mr. Kaiser leads NCSA in several major awareness initiatives, including National Cyber Security Awareness Month (October), Data Privacy Day (Jan. 28) and STOP. THINK. CONNECT., the global online safety awareness and education campaign. NCSA builds efforts through public-private partnerships that address cybersecurity and privacy issues for a wide array of target audiences, including individuals, families and the education and business communities. In 2009, Mr. Kaiser was named one of SC Magazine’s information security luminaries.

What is MFA, and why is it important?

MFA is, most simply, a way of providing additional security by using another factor in addition to your username and password to log in to an account. Multi-factor – sometimes referred to as two-step or two-factor – authentication or verification, can be any number of things: a biometric (such as a fingerprint, eye scan or gesture), a text message with a one-time code sent to your phone, a token that generates a one-time-use password or just your phone itself, because your phone has a unique ID.

MFA is an extremely important emerging way to increase account security. The new forms of authentication are critical to building a safer, more secure and trusted Internet. Logging in with a username and password, the primary way people access online accounts, has been around since the dawn of the Internet. It was never meant to be a primary form of security but has become the key to entry. It doesn’t work for a variety of reasons. In most cases, your username is your email address, which is likely not a secret, and we know a couple of things about passwords. First, they can be stolen whether from hacking into a website or system or using a service that captures consumers’ keystrokes. Second, good password practices require passwords that are long, strong, and unique for all accounts. Time and time again consumers have shown that they choose not to make strong passwords because they are inconvenient and hard to remember. For several years running the most used passwords have included “password” and “1234567.” The bad guys know this, making passwords easy to harvest or guess. MFA adds another layer to the login process that provides significantly more security to your accounts.

What would you say to people who say MFA is too time consuming or inconvenient? Do the benefits outweigh the extra cost?

The benefit of the increased security vastly outweighs the additional effort to implement it. For example, requiring a second factor like a text message to your phone makes it very hard for the bad guys to break into your account unless they have your phone in their possession, and that’s what makes it so much more secure. The time it takes to turn on and use MFA is not significant, and there are ways to make it easier to manage. For example, some of the email applications that use a text message code don’t require you to add the factor every single time; you can set MFA to remember your device, so that you are only prompted to enter a code when logging in from a different device or location or once every 30 days. As time goes on, and the technology improves, it will get easier and more convenient to use this kind of security technology, because it will work more seamlessly with the devices and websites that people are using and/or you’ll be able to use similar techniques across many, many sites and services.

The National Cyber Security Alliance (NCSA) has a few campaigns related to MFA – what are they?

Our primary campaign on this is called Two Steps Ahead, and it really reflects on what we feel – there’s a play on words about using two-step or MFA, but we also believe in a very positive sense that people who implement these technologies to be more secure are actually getting ahead. If a criminal comes across one account that has a username and password only and another account that has a username, a password and MFA, the criminal will be more likely to go after the former because it’s less work for them. The Two Steps Ahead campaign has held events in more than 20 places across the country over the last couple of years, and we’ll be in 15 to 20 cities in 2016. These events are designed to teach people about MFA and how to enable it and share insight on staying safe and secure online.

Additionally, in 2015 we started a social media campaign called #2FactorTuesday, which falls on the first Tuesday of each month. Each #2FactorTuesday, we work with private- and public-sector partners to share events, resources and content related to authentication, aiming to increase the adoption of MFA as a means to protect online accounts.

What are some ways that the average person can incorporate MFA into his or her online routine?

The starting place for anybody is to turn on MFA for your email account. Almost all of the major email providers offer some form of MFA or two-factor authentication service. The reason that consumers should start here is that for any account that uses a username and password, the password reset process normally starts with an email sent to your email address to verify your account. Therefore, if your email account gets hacked because of weak security, you could basically be providing access to all of your other accounts that have password reset as the way to gain reentry.

Additionally, people are concerned about protecting their money, so it’s recommended that you look into the MFA options that your financial institutions may offer or how they may provide enhanced login security.

You can learn more about how to implement MFA on your online accounts by visiting On this page, we provide links to many of the services on the web that already offer MFA or two-step authentication tools for clients and how to enable these features.

* The views expressed in this post do not necessarily reflect the views of NIST or the NSTIC NPO; they are solely the opinions of the experts interviewed.

Twitter: @NSTICnpo


Back to Basics: What’s multi-factor authentication – and why should I care?

Here’s the traditional, not so secure way to log in to your bank account: enter your username and that familiar password you probably use for most of your online accounts. Then, you’re in. You can go about your business.

Not so fast! If you’re one of the 54% of consumers who, according to TeleSign, use five or fewer passwords for all of their accounts, you could create a “domino effect” that allows hackers to take down multiple accounts just by cracking one password. The good news? There’s an easy way to better protect your accounts (which contain a lot of personal information) with multi-factor authentication (MFA).

What is MFA?

MFA is quite simple, and organizations are focusing more than ever on creating a smooth user experience. In fact, you probably already use it in some form. For example, you’ve used MFA if you’ve:

  • swiped your bank card at the ATM and then entered your PIN (personal ID number).
  • logged into a website that sent a numeric code to your phone, which you then entered to gain access to your account.

MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.

So look at a simple scenario: logging in to your bank account. If you’ve turned on MFA or your bank turned it on for you, things will go a little differently. First and most typically, you’ll type in your username and password. Then, as a second factor, you’ll use an authenticator app, which will generate a one-time code that you enter on the next screen. Then you’re logged in – that’s it!
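The bank-login scenario above, as an added example that is not part of the original post: a server-side check that first verifies something you know (a salted password hash) and then something you have (the one-time code from an authenticator app). It assumes the app uses TOTP (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits), which the post does not name; the sample password, salt and TOTP secret are constructed, and the one-step clock-drift tolerance is a policy assumption.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # authenticator apps commonly rotate the code every 30 s
DIGITS = 6


def totp(secret: bytes, at: int) -> str:
    """Code for the 30-second step containing `at` (RFC 6238 on top of RFC 4226 HOTP)."""
    counter = at // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def verify_totp(secret: bytes, code: str, at: int, drift_steps: int = 1) -> bool:
    """Accept the current step and `drift_steps` either side (clock-skew policy: an assumption).
    Every candidate is compared so timing does not reveal which step matched."""
    matched = False
    for k in range(-drift_steps, drift_steps + 1):
        matched |= hmac.compare_digest(totp(secret, at + k * STEP_SECONDS), code)
    return matched


def verify_password(salt: bytes, stored_hash: bytes, password: str) -> bool:
    """Something you know: compare a salted PBKDF2 hash in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored_hash)


def login(account: dict, password: str, code: str, at=None) -> bool:
    """Both factors must pass, and they come from different categories (know + have)."""
    at = int(time.time()) if at is None else at
    if not verify_password(account["salt"], account["hash"], password):
        return False
    return verify_totp(account["totp_secret"], code, at)


# Constructed sample account. The TOTP secret is the RFC 6238 SHA-1 test-vector
# key, so the generated codes can be checked against the RFC's published values.
SALT = b"constructed-salt"
ACCOUNT = {
    "salt": SALT,
    "hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "totp_secret": b"12345678901234567890",
}

if __name__ == "__main__":
    print(login(ACCOUNT, "correct horse", totp(ACCOUNT["totp_secret"], 59), at=59))  # True
```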

In most cases it’s even easier than that. Most MFA approaches will remember a device. So if you come back using the same phone or computer, the site remembers your device as the second factor. Between device recognition and analytics the bank is likely performing—such as whether you’re logging in 20 minutes later from halfway around the world—most of the time the only ones that have to do any extra work are those trying to break into your account.

So what’s the big deal?

MFA helps protect you by adding an additional layer of security, making it harder for bad guys to log in as if they were you. Your information is safer because thieves would need to steal both your password and your phone. You would definitely notice if your phone went missing, so you’d report it before a thief could use it to log in. Plus, your phone should be locked, requiring a PIN or fingerprint to unlock, rendering it even less useful if someone wants to use your MFA credentials.

Using 2FA is one of the top three things that security experts do to protect their security online, according to a recent Google survey. And consumers feel the same way: almost 9 in 10 (86%) say that using 2FA makes them feel like their online information is more secure, according to TeleSign.

When should I use MFA?

Stopping all online crime is not a realistic goal, but simple steps can massively reduce the likelihood you’ll be the next victim.

You should use MFA whenever possible, especially when it comes to your most sensitive data—like your primary email, your financial accounts, and your health records. While some organizations require you to use MFA, many offer it as an extra option that you can enable—but you must take the initiative to turn it on. Furthermore, if a business you interact with regularly, say your health organization, wants to provide you with convenient online access to health records, test results, and invoices, but only offers a password as a way to protect that data, consider saying: ‘no thanks, not until you provide MFA to secure my information.’

You can find a list of websites that offer MFA here and step-by-step instructions for enabling it for your accounts here. You can even use this browser extension that was created as a result of last year’s National Day of Civic Hacking challenge that we hosted; it lets you know which of the websites you use offer MFA—and makes it easy to call out those that don’t.

It’s simple: turn on MFA today!

Twitter: @NSTICnpo
