The Government is Here to Help You With Passwords and Authentication
Most people don’t pay a lot of attention to government technical guidance and regulations, which is completely understandable. They’re government regulations, after all. But sometimes, buried deep inside these dense bureaucratic reports, there is guidance of actual value, and the new authentication guidelines from NIST are one of those rare documents.
NIST is the federal government agency that is responsible for setting technical standards for other government agencies, and companies that do a lot of government work tend to follow those standards as well. A big chunk of what the group does is develop and codify policies and standards for computer security, specifically cryptography and authentication, and NIST has released a new set of proposed Digital Authentication Guidelines that includes a couple of very interesting bits.
The first, and most interesting, piece of new guidance has to do with the use of SMS as an out-of-band channel for two-factor authentication. This has become a very popular method for services to verify users and their devices, but it has a couple of key shortcomings that have led NIST to deprecate SMS for out-of-band authentication. Specifically, the agency said that the risk of texts being intercepted or redirected is a major threat.
“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service,” NIST said in its proposed guidance.
“It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.”
That is a major shift in policy for NIST and the organizations that follow its lead. Other forms of two-factor authentication or verification have come to the forefront in recent years, but SMS has become the most popular because of its simplicity and ease of use. But there are more secure options, such as dedicated apps that generate one-time codes on the device, that give organizations a higher level of assurance that the correct person is authenticating.
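The two SMS rules quoted above (the pre-registered number can only be changed with two-factor authentication at the time of the change, and the number must be on a mobile network rather than a VoIP service) and the app-generated one-time codes mentioned as the stronger alternative can be made concrete from the verifier's side. The following is an added example written for this page, not NIST's or any vendor's code: it implements HOTP/TOTP exactly as RFC 4226 and RFC 6238 specify them, guards against replaying a code, and gates a phone-number change on a fresh code. The carrier-type lookup `is_mobile_number` is a hypothetical injected callable, since that check cannot be performed offline.

```python
"""Verifier-side TOTP plus an out-of-band phone-number change gated on a fresh
second factor. Illustrative code for this article, not NIST's own."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Callable

STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


@dataclass
class Account:
    totp_secret: bytes            # shared with the user's authenticator app
    oob_phone: str                # pre-registered out-of-band number
    last_accepted_step: int = -1  # replay guard: each time step is accepted at most once


def accept_totp(account: Account, code: str, now: int, skew: int = 1) -> bool:
    """Accept a code for the current step or +/- `skew` adjacent steps (clock drift),
    never re-accept a step that was already used, and compare in constant time.
    Negative steps are skipped automatically because last_accepted_step starts at -1."""
    current = now // STEP_SECONDS
    for step in range(current - skew, current + skew + 1):
        if step <= account.last_accepted_step:
            continue
        if hmac.compare_digest(hotp(account.totp_secret, step), code):
            account.last_accepted_step = step
            return True
    return False


def change_oob_phone(account: Account, new_phone: str, code: str, now: int,
                     is_mobile_number: Callable[[str], bool]) -> bool:
    """Apply the quoted guidance: the change itself requires a second factor verified
    right now, and the new number must belong to a mobile network rather than a
    VoIP/software service. `is_mobile_number` stands in for a carrier-type lookup
    and is an assumption of this example. The code is checked first so that no
    action (including the lookup) happens for an unauthenticated request."""
    if not accept_totp(account, code, now):
        return False
    if not is_mobile_number(new_phone):
        return False
    account.oob_phone = new_phone
    return True


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    acct = Account(totp_secret=secret, oob_phone="+15550100")
    now = 59
    code = totp(secret, now)
    print("code at t=59:", code)
    print("change accepted:", change_oob_phone(acct, "+15550199", code, now, lambda n: True))
    print("replayed code rejected:", not change_oob_phone(acct, "+15550177", code, now, lambda n: True))
```

The replay guard matters in practice: RFC 6238 requires that a verifier not accept the same time step twice, otherwise a code observed once remains usable for the rest of the step plus the skew window.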
The other big change has to do with how organizations handle passwords and password policy. The NIST guidelines have a long section on password strength, complexity, and expiration, and the agency recommends that organizations not require users to change their passwords on a regular basis. We know users are bad at creating passwords and just as bad at remembering them, so forcing them to create new passwords every 30 or 90 days is actually counterproductive for security purposes. Passwords should usually be changed only if they’re known to be in a dump from a data breach or suspected to have been compromised.
NIST also recommends that organizations not place artificial and arbitrary limits on the length of passwords, as length typically is the best indicator of password strength.
“Users should be encouraged to make their passwords as lengthy as they want. Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords (or pass phrases) if the user wishes,” the guidance says.
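The password points above (length as the main strength indicator, no arbitrary length cap, a change forced only on evidence of compromise, and a stored hash whose size does not depend on the password's length) translate into a small policy module. The following is an added example written for this page, not NIST's code: the breached-password list is a constructed sample stored as SHA-1 hex digests the way common breach corpora are distributed, and `MAX_LENGTH` is an assumption that bounds hashing cost only, not a strength rule. The NFKC normalization before hashing follows the same NIST document.

```python
"""Password policy in the spirit of the quoted guidance. Illustrative code for
this article; the breach corpus below is constructed, not a real dump."""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Set, Tuple

MIN_LENGTH = 8            # floor for user-chosen passwords
MAX_LENGTH = 256          # assumption: bounds hashing cost, not a strength limit
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def _sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed sample "breach dump" of SHA-1 digests of leaked plaintexts.
BREACHED_SHA1: Set[str] = {_sha1_hex(p) for p in ("password", "123456", "letmein", "qwerty123")}


def normalize(password: str) -> str:
    """Normalize Unicode so the same visible password always hashes the same way."""
    return unicodedata.normalize("NFKC", password)


def check_new_password(password: str, breached: Set[str] = BREACHED_SHA1) -> Tuple[bool, str]:
    """Length and absence from breach data are the only criteria: no composition
    rules (uppercase/digit/symbol) and no calendar-based expiry."""
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "exceeds storage bound"
    if _sha1_hex(pw) in breached:
        return False, "appears in a breach corpus"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The result is always SALT_BYTES + KEY_BYTES long,
    which is why a long passphrase costs nothing extra to store."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                             salt, PBKDF2_ITERATIONS, dklen=KEY_BYTES)
    return salt + dk


def verify_password(stored: bytes, password: str) -> bool:
    salt, dk = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                                    salt, PBKDF2_ITERATIONS, dklen=KEY_BYTES)
    return hmac.compare_digest(candidate, dk)


def login(stored: bytes, password: str, breached: Set[str] = BREACHED_SHA1) -> str:
    """Login is the moment the plaintext is available, so it is where a previously
    accepted password gets re-checked against newly published breach data. A
    change is forced only on that evidence, never because the password is old."""
    if not verify_password(stored, password):
        return "denied"
    if _sha1_hex(normalize(password)) in breached:
        return "ok-must-change"
    return "ok"


if __name__ == "__main__":
    print(check_new_password("password"))
    print(check_new_password("correct horse battery staple"))
    record = hash_password("correct horse battery staple")
    print("stored bytes:", len(record), "vs", len(hash_password("x" * 200)))
    print(login(record, "correct horse battery staple"))
    print(login(hash_password("letmein"), "letmein"))
```

Checking the breach corpus at login rather than only at enrollment is what lets the "change only when compromised" rule work in practice, since a password accepted last year may appear in a dump published this week.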
Most organizations develop their own password and authentication policies, based on the specific threat models and needs they have. But the new guidance from NIST has sound, logical, and practical advice that organizations would do well to follow.