Your Top Five Cyber Risks in Five Clicks with the Free Cyber Risk Analysis

FREE RISK ANALYSIS
Request Demo

As organizations begin their journey to comply with the NIST Framework, more and more of them are implementing multi-factor authentication (MFA) to protect their digital infrastructure. 

The National Institute for Standards and Technology (NIST) has been drafting new rules regarding protecting the identify of those in organizations that are adopting or have already adopted the NIST Framework. Organizations are moving away from password complexity such as symbols and numbers and opting to NIST's user friendliness with strong encryption standards and multi-factor authentication when involving sensitive information, or CUI (like in DFARS Compliance).

NIST has done a great job of being thorough with its guidelines for digital security - including threat-mitigation strategies, and trusted password regulations. NIST comes at this from the angle that making users' within these organizations lives simpler and more robust in their password security to strengthen password protection overall. NIST guidelines include details on multi-factor identification (MFA), or two-factor authentication (2FA), which is becoming more and more common. The user must demonstrate at least two of "something you know" such as a password, "something you are" such as a fingerprint, "something you have" such as a code sent to your phone via app. 

What's the Deal With SMS 2FA?

Last year, NIST proposed deprecating SMS 2FA because of vulnerabilities as an out-of-band factor in multi-factor authentication environments. “SMS 2FA is widely used for MFA; it has been adopted and is known to users, and any MFA is better than no MFA,” said Paul Grassi, senior standards and technology adviser at NIST. “The term ‘deprecation’ confused people. It wasn’t clear if SMS 2FA was disallowed or remained allowed.” NIST published a proposal, and the telecommunications, financial and security industries provided guidance on how to use SMS successfully, resulting in the four-volume SP 800-63 Digital Identity Guidelines. NIST applied these changes and fell under 'restricted' - that organizations or users would be taking a risk using SMS 2FA.

Federal security researchers implore that even though SMS delivery of one-time passwords is 'restricted' under NIST, that doesn't mean organizations should avoid using 2FA. In fact, there are other approaches, for example push-based OTP (sending a code to a mobile device via app such as Google Authenticator), which is cryptographically signed and not delivered via the SMS channel, avoiding those vulnerabilities. NIST doesn't tell federal agencies which authentication factors to use, but it is understood that agencies will have to choose a MFA method that fits their organization.

“Authentication can use a combination of biometrics, user behavior and cross-referenced user data that is easily available,” Halvorsen, Samsung CIO said. “DOD has CAC, PIN and other multifactor authentication methods. 2FA is not a big deal for some parts of federal networks. They’ve already completed this journey.”

Moving from complex passwords to MFA is highly recommended and will strengthen your organization's cybersecurity posture as you measure yourself against a nationally recognized security framework. CyberSaint includes MFA for our platform and specializes in helping you find the roadmap to a stronger cybersecurity posture, managing that posture from one pane of glass.

Contact us on our homepage or email info@cybersaint.io with any questions or for more information.  

Read the source article here.

You may also like

Putting the “R” back in GRC - ...
on October 22, 2024

Cyber GRC (Governance, Risk, and Compliance) tools are software solutions that help organizations manage and streamline their cybersecurity, risk management, and compliance ...

October Product Update
on October 17, 2024

The team at CyberSaint is thrilled to announce the latest additions and updates to the CyberStrong solution. To start off, we’ve made it easier to create an assessment and risk ...

Transforming Cyber Risk ...
on October 12, 2024

In today’s complex cyber landscape, managing risks effectively isn’t just about identifying threats—it’s about understanding their impact and knowing how to prioritize ...

Step-by-Step Guide: How to Create ...
on September 23, 2024

Cyber risk management has become more critical in today's challenging digital landscape. Organizations face increased pressure to identify, assess, and mitigate risks that could ...

From Fragmentation to Integration: ...
on September 17, 2024

Organizations are often inundated with many security threats and vulnerabilities in today's fast-paced cybersecurity landscape. As a result, many have turned to point ...

How to Create a Comprehensive ...
on September 9, 2024

Cyber threats are becoming more frequent, sophisticated, and damaging in today's rapidly evolving digital landscape. Traditional approaches to cyber risk management, which often ...