Welcome to BSidesLV 2016, our 8th annual BSides in beautiful Las Vegas, Nevada!
Tuesday, August 2 • 11:00 - 11:50
Toward Better Password Requirements


While we often discuss examples of poor password requirements, it’s also useful to consider a sample set of good requirements and practices. NIST Special Publication 800-63, which defines authentication requirements for Federal Government agencies, is currently being revised and seeks to establish requirements that are aligned with current understanding of threats and user behavior. This talk will discuss the rationale for these changes and opportunities for comment.

As authentication threats have evolved and we have learned more about user behavior, what were considered best practices several years ago are no longer current. For this reason, guidance on user authentication needs periodic revision. NIST Special Publication 800-63, which sets technical requirements for authentication and identity proofing by the Federal Government, is currently in the process of such a revision.

SP 800-63B, subtitled “Authentication and Lifecycle Management”, is a new document dealing specifically with user authentication. It changes the requirements for memorized secrets (passwords) in several ways:
- Emphasis on long, memorable passwords
- No use of composition rules
- No hints and prompts (name of first pet, etc.)
- Use of dictionary of compromised passwords to disallow poor choices
- No arbitrary (e.g., periodic) password changes
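The list above reads as a policy, but it is easy to see what it means for a server-side check. The following is an added example (not code from the talk or from SP 800-63B itself) of a password acceptance routine that applies those rules: a minimum length, no character-class composition rules, a blocklist of known-compromised passwords, rejection of context-specific words such as the username, and a check for repetitive or sequential strings. The blocklist here is a constructed handful of entries so the example runs offline; the length bounds, the `check_password` name and the use of NFKC normalization are assumptions chosen for illustration, not values the abstract specifies.

```python
import hashlib
import unicodedata

# Constructed sample blocklist. A deployment would load a full corpus of
# breached passwords; this tiny set exists only so the example runs offline.
_COMPROMISED_PLAINTEXT = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Keep only hashes in memory so the blocklist is not itself a plaintext list.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _COMPROMISED_PLAINTEXT
}

MIN_LENGTH = 8   # assumed minimum, counted in characters rather than bytes
MAX_LENGTH = 64  # assumed upper bound so long passphrases are allowed but bounded


def _repetitive_or_sequential(s):
    """True for strings such as 'aaaaaaaa', '12345678' or 'hgfedcba'."""
    if len(s) == 0:
        return False
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_password(candidate, context_words=()):
    """Return (accepted, reasons) for a candidate memorized secret.

    There is deliberately no composition rule (no 'one digit, one symbol'
    requirement) and no expiry: a long memorable passphrase of plain words
    passes, and a change is forced only on evidence of compromise.
    """
    # Normalize so visually identical Unicode input compares consistently
    # (NFKC is an assumption of this example).
    s = unicodedata.normalize("NFKC", candidate)
    reasons = []

    if len(s) < MIN_LENGTH:
        reasons.append("too short")
    elif len(s) > MAX_LENGTH:
        reasons.append("too long")

    # Case-fold before the blocklist lookup so 'Password' is caught as well.
    folded = s.casefold()
    if hashlib.sha1(folded.encode("utf-8")).hexdigest() in COMPROMISED_SHA1:
        reasons.append("found in compromised-password list")

    # Reject secrets built from the username, service name or similar context.
    for word in context_words:
        if word.casefold() in folded:
            reasons.append("contains context word: " + word)

    if _repetitive_or_sequential(s):
        reasons.append("repetitive or sequential characters")

    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ["correct horse battery staple", "password", "12345678", "jfenton2016"]:
        accepted, why = check_password(pw, context_words=["jfenton"])
        print(repr(pw), "accepted" if accepted else "rejected: " + "; ".join(why))
```

Note what the routine does not do: it never rewards a short secret for mixing character classes, never asks for a hint or security question, and has no notion of password age, which matches the "no arbitrary password changes" item. The blocklist lookup is the one check that needs ongoing maintenance, since its value depends on how current the compromised-password corpus is.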

Beyond the realm of passwords per se, SP 800-63B also clarifies and strengthens the requirements for two-factor authentication and account recovery. The use of SMS (text messaging) as an out-of-band authentication mechanism has been deprecated due to security issues that have been seen with this technique. Requirements for account recovery have also been strengthened, in an effort to avoid having account recovery act as an authentication back door, particularly for two-factor authentication.

Speakers

Jim Fenton

Internet Technologist, Altmode Networks
Jim Fenton is a consultant and researcher with a focus on user-centric identity, messaging, and Internet privacy and security issues. His primary consulting focus is currently in the area of user authentication standards, currently supporting the National Institute of Standards and...


Tuesday August 2, 2016 11:00 - 11:50 PDT
Passwords16 Tuscany