Your Step-Up Authentication Compass... NIST & SMS - Finding North

Aug 15, 2016 | by Mathew Long

An estuary is the area where a river meets the sea, where fresh water from the river mixes with the salt water of the ocean. The fresh draft of the NIST Digital Authentication Guideline (NIST SP 800-63B) has been let loose into the salt waters of public comment and has certainly provoked conversation of late, most of it around its deprecation of SMS as an out-of-band authenticator. What kind of ripple effect might it have on your step-up authentication methods?

Balancing the strongest possible authentication of consumers against unfettered convenience continues to challenge organizations as the threat landscape evolves and authentication guidance tries to keep pace. A fraud prevention and authentication solution with a robust risk engine, flexible policy controls and a breadth of step-up authentication methods is essential to remaining agile in times of change. Adapting your posture to a changing risk appetite lets your clients feel secure while receiving what they deserve: a frictionless user experience. When you look at the authentication engine driving your consumers' experience, how much flexibility is built into its core?

When previous waters crossed, pundits declared that passwords, regardless of complexity, and static Q&A were deprecated as security mechanisms, and the media vilified them as "dead" or "useless". Yet even today, more than half of online portals still use those two mechanisms to authenticate consumer users, based on their own weighing of risk against reward. The question remains: what is your risk appetite?

The RSA Adaptive Authentication risk engine authenticates the majority of end users transparently; only a small subset (2-5%) of users is asked for additional authentication. When a user is asked for step-up authentication, RSA Adaptive Authentication supports a variety of methods that come with the product, or you can integrate your own choice of authenticator through the Adaptive Authentication multi-credential framework. Keep the following in mind as you wade through the waters of the SMS deprecation conversation:

  • NIST's Digital Authentication Guideline is still in draft form, and it focuses on federal agencies implementing digital authentication
    • The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks.
  • Consider the flexibility of your policy controls
    • Matching the level of risk to the login or transaction calls for multiple authentication factors and appropriate risk tolerance thresholds, both of which should be controllable through policy rather than hard-coded into the risk model
  • RSA Adaptive Authentication offers a variety of out-of-the-box authentication methods, and OOB SMS is only one of them; additional options include:
    • Phone call
    • Biometrics (Fingerprint & Eyeprint), which are considered strong authentication methods; note that the draft guideline treats a biometric as one factor used together with a physical authenticator such as the enrolled device, not as an authenticator on its own
    • One-Time Push notification, delivered to an app on an enrolled device rather than over the carrier's SMS channel, which is considered more secure than SMS
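As an added illustration of the policy-controlled risk thresholds described above (this is example code written for this page, not RSA Adaptive Authentication's engine; the signal names, weights, thresholds and the authenticator preference order are all assumptions), the following Python sketches how a risk score feeds a step-up decision, and how a single policy switch removes SMS from the eligible authenticators without touching the risk model:

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


# Signals a risk engine might score. Names, weights and thresholds below are
# illustrative assumptions, not RSA Adaptive Authentication's actual model.
@dataclass(frozen=True)
class LoginContext:
    user: str
    enrolled: FrozenSet[str]        # step-up authenticators this user has enrolled
    new_device: bool                # device fingerprint never seen for this user
    ip_country: str
    home_country: str
    transaction_amount: float       # 0.0 for a plain login
    failed_attempts_last_hour: int


@dataclass(frozen=True)
class Policy:
    step_up_threshold: int = 50     # score at or above this triggers step-up
    deny_threshold: int = 90        # score at or above this is refused outright
    allow_sms: bool = True          # set False to honour the SP 800-63B draft's SMS deprecation
    # Preferred order when several authenticators are enrolled; stronger first (assumed ordering).
    preference: Tuple[str, ...] = ("push", "fingerprint", "eyeprint", "phone_call", "sms")


def risk_score(ctx: LoginContext) -> int:
    """Additive score in 0..100 from the context's signals (weights are assumptions)."""
    score = 0
    if ctx.new_device:
        score += 40
    if ctx.ip_country != ctx.home_country:
        score += 30
    if ctx.transaction_amount > 1000:
        score += 20
    elif ctx.transaction_amount > 0:
        score += 5
    score += min(ctx.failed_attempts_last_hour, 3) * 10
    return min(score, 100)


def decide(ctx: LoginContext, policy: Policy) -> Tuple[str, Optional[str], int]:
    """Return (outcome, authenticator, score); outcome is 'allow', 'step_up' or 'deny'."""
    score = risk_score(ctx)
    if score >= policy.deny_threshold:
        return ("deny", None, score)
    if score < policy.step_up_threshold:
        return ("allow", None, score)          # the transparent majority
    for method in policy.preference:
        if method == "sms" and not policy.allow_sms:
            continue                           # policy forbids the deprecated channel
        if method in ctx.enrolled:
            return ("step_up", method, score)
    # Risky enough to challenge, but nothing acceptable is enrolled: fail closed.
    return ("deny", None, score)


def challenge_rate(traffic: List[LoginContext], policy: Policy) -> float:
    """Fraction of sessions that would be asked for step-up; useful when tuning thresholds."""
    if not traffic:
        return 0.0
    challenged = sum(1 for ctx in traffic if decide(ctx, policy)[0] == "step_up")
    return challenged / len(traffic)


# Constructed sample traffic for the demonstration (not real data).
SAMPLE_TRAFFIC = [
    LoginContext("alice", frozenset({"push", "sms"}), False, "US", "US", 0.0, 0),
    LoginContext("bob", frozenset({"push", "sms"}), True, "US", "US", 0.0, 1),
    LoginContext("carol", frozenset({"sms"}), True, "DE", "US", 0.0, 0),
    LoginContext("dave", frozenset({"push"}), True, "RU", "US", 5000.0, 3),
]


if __name__ == "__main__":
    for pol in (Policy(), Policy(allow_sms=False)):
        print(f"allow_sms={pol.allow_sms}")
        for ctx in SAMPLE_TRAFFIC:
            print("  ", ctx.user, decide(ctx, pol))
        print("   challenge rate:", challenge_rate(SAMPLE_TRAFFIC, pol))
```

Flipping `allow_sms` to `False` changes nothing for users who enrolled a push or biometric authenticator, but a user who only ever enrolled SMS (carol above) is now denied rather than challenged. That fail-closed outcome is the real cost of following the deprecation, and it is why the decision belongs in policy: you can see the effect on the challenge rate and on SMS-only users before you turn it on.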

National Geographic estimates that the oceans rise 3.5mm every year. As water levels rise, there is bound to be impact. As the tides change in the cyber landscape, look at your solution and determine whether it delivers thanks to a core focus on flexibility, choice and security. A solution that can pivot effectively and navigate with the times as the waters collide is plainly a necessity.

Category: RSA Fundamentals

Keywords: Adaptive Authentication, Fraud, NIST, SMS