A Call for Strong Authentication to Boost Digital Security

February 28, 2017 Marketing GrafWebCUSO

The U.S. digital economy, including financial institutions, needs stronger authentication and security to succeed. That message comes directly from a detailed plan delivered by the National Institute of Standards and Technology.

“Our reliance on passwords presents a tempting target for malicious actors. Consequently, we are making it too easy for those who seek to do harm, whether they be nation-states, well-organized criminal groups, or online thieves,” the Commission on Enhancing National Cybersecurity maintained in its 100-page “Report on Securing and Growing the Digital Economy,” published by NIST.

The report, which draws on advice from security experts across the U.S. and is the result of 10 months’ research, covers a broad range of information security issues. A key component is how to encourage individuals and companies to carry out basic security measures, especially by preventing unauthorized access to systems and data.

“Many organizations and individuals still fail to do the basics. Malicious actors continue to benefit from organizations’ and individuals’ reluctance to prioritize basic cybersecurity activities and their indifference to cybersecurity practices. These failures to mitigate risk can and do allow malicious actors of any skill level to exploit some systems at will,” the report said.

More precisely, it focused on the hazard of relying, as numerous systems still do, on the simple username-and-password model for authenticating users. “Strong identity management is key to much of what we do in the digital economy,” it said.

The report pointed out that major breaches over the past six years had compromised identity credentials as the attackers’ main entry point. In other words, stolen passwords tend to offer the most common route into the systems that hackers target.

The report argued that the government can catalyze private-sector adoption of the right kind of consumer solutions by using them in its own citizen-facing applications.

“The private sector will follow the government’s lead if the government sets a high bar—and clears it. Specifically, private-sector organizations, including top online retailers, large health insurers, social media companies, and major financial institutions, should use strong authentication solutions as the default for major online applications.”

Having established the challenges, the report made a series of recommendations covering all aspects of digital security. The imperatives are:

1. Protect, defend, and secure today’s information infrastructure and digital networks.

2. Innovate and accelerate investment for the security and growth of digital networks and the digital economy.

3. Prepare consumers to thrive in a digital age.

4. Build cybersecurity workforce capabilities.

5. Better equip government to function effectively and securely in the digital age.

6. Ensure an open, fair, competitive, and secure global digital economy.

The report also cited other important work needed to overcome identity authentication challenges, including the development of open standards and specifications like those of the Fast IDentity Online (FIDO) Alliance.

Products built to the FIDO specifications provide strong authentication through a range of authenticator form factors, including mobile phones, USB keys, near-field communication (NFC) and Bluetooth Low Energy devices, and wearables. “Windows 10 has deployed FIDO specifications (known as Windows Hello) and numerous financial institutions have adopted FIDO for consumer banking,” the report noted.

The report went further: “The next Administration should launch a national public–private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity management,” it said. It added that the next Administration should require all internet-based federal government services provided directly to citizens to use appropriately strong authentication, and should direct all federal agencies to require strong authentication from their employees, contractors, and others using federal systems.

“Strong authentication, two-factor or multi-factor authentication, immediately shuts off the hackers’ favorite route into someone else’s systems,” cybersecurity firm SecurEnvoy said in a comment on the report. If the system insists on a second factor for authentication, for example by sending a one-time passcode to the legitimate user’s mobile phone, then a stolen password ceases to be of any use by itself. “The hacker is stopped in his, or her, tracks.” One caveat applies: a one-time code can still be captured by a phishing page that relays the password and the code to the real site while both are valid, whereas a FIDO authenticator signs a challenge bound to the site it is actually talking to, which is what makes it the stronger of the options the report describes.