CTIA Comments on NIST SP 800-63-3 and NIST SP 800-63B #1614
Organization Name (N/A, if individual): CTIA
Organization Type (see below for codes): 2
Document (63-3, 63A, 63B, or 63C): 800-63-3, 800-63B
Reference (Include section and paragraph number): 184.108.40.206, 2 (800-63B)
Comment (Include rationale for comment):
As a user of information and communications technology and a target of cyber attacks, the government must improve its cybersecurity. NIST plays an important role in improving the security of federal IT. NIST should encourage the government to employ sound mobile device management (“MDM”) practices and basic cyber hygiene. It should also encourage the use of two-factor authentication, including the use of Short Message Service (“SMS”) authentication in appropriate scenarios. Out-of-band authentication using SMS or voice communication through the public switched telephone network (“PSTN”) can be a secure and reliable method of verification. NIST should refrain from broadly discouraging a convenient and ubiquitous method of secure authentication. Discouraging SMS authentication could impede efforts to foster the use of two-factor authentication (“2FA”) at a time when the government faces significant authentication challenges and thereby leave insufficient alternatives.
NIST should not discourage future use of SMS for out-of-band authentication. CTIA appreciates NIST’s decision to remove the term “deprecated” with respect to out-of-band authentication using SMS from SP 800-63B. However, NIST should further modify SP 800-63B to align the Digital Identity Guidelines with NIST’s duty to foster a risk-based, technology-neutral, and data-driven approach to enhancing cybersecurity.
There is insufficient evidence at this time to support removing SMS authentication in future versions of the Digital Identity Guidelines. Existing technology and risk management can mitigate potential vulnerabilities and, as mobile networks evolve, so will SMS security. To the extent NIST makes an evidence-based determination that certain authentication is not appropriate in some federal settings, it should clarify those use cases, and explicitly limit such guidance to those specific federal settings.
NIST should encourage 2FA using all available appropriate tools.
Organization Type: 1 = Federal, 2 = Industry, 3 = Academia, 4 = Self, 5 = Other
Thank you for these thoughtful comments. We know the issue of PSTN-based authentication is extremely important and guidelines around its use can have a large impact on our stakeholders, whether agencies, industry, or, most importantly, individuals.
The language on PSTN-based out-of-band authentication has been among the most difficult aspects of this revision. It carries the weight of near ubiquity, both in terms of availability and user familiarity with the workflow. As is often the case in technology, that ubiquity is also what makes it a more valuable target with bigger consequences should scalable attacks be successful.
NIST believes we need to make clear to our stakeholders that there is evidence of higher risks than other out-of-band authenticators and provide some requirements to help agencies make informed, risk-based decisions at AAL2 and above.
While PSTN is allowed with appropriate recommended safeguards for common threats (device swap, etc.), there are additional requirements that are meant to provide end users both the opportunity to understand the risks they face and the opportunity to make choices among authenticators. For any authenticator, we always want to see technology innovation outpace threat evolution.
We’ve created a generic category of authenticators that have additional restrictions to their use, and the same restrictions will apply to any authenticator that falls in that category. This is similar to the approach taken in NIST’s guidelines for cryptographic techniques and will allow us to more effectively manage the realities of the dynamic market and threat environment in which agencies operate.
These dynamics present an important difference between how we’re thinking about restricted authenticators relative to restricted cryptographic techniques. Specifically, because the conditions for restricting a cryptographic approach aren’t likely to be “undone” in the future, the cryptographic approach is unlikely to become “unrestricted” in the future. Authenticators, on the other hand, are often a bundle of standards and technologies and may change such that they mitigate threats more effectively. If an authenticator falls in the restricted category, we are always open to removing it from that category if there is evidence of such changes.
You’ll see updates to sections 220.127.116.11 and 18.104.22.168, as well as new sections 22.214.171.124 and 5.2.10.