NIST has outlined new 2024 requirements for password strength and password storage.
How online services verify their users, from password length and phone-number entry to biometric checks, is largely shaped by industry standards, among which the NIST SP 800-63 Digital Identity Guidelines are the most influential.
The recent revision (SP 800-63-4) updates the security and privacy requirements of the guidelines and also covers a federated approach, in which a separate identity provider asserts the user's identity to the service.
It defines three Authenticator Assurance Levels (AAL1 to AAL3) and allows single-factor authentication only at the least restrictive of them, AAL1.
A password that is known to be compromised must be rejected and reset immediately; verifiers are expected to screen candidate passwords against a blocklist of common and breached values. The new guidelines also prohibit composition rules such as requiring a mix of upper-case letters, digits and symbols, since such rules push users toward predictable patterns without adding real strength.
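The password rules summarized above, as an added example that is not part of the original article: a verifier that enforces only length bounds and a blocklist (no composition rules), normalizes Unicode before comparing, and stores passwords as a salted, iterated hash with an additional secret key (pepper) held outside the credential store. The length limits (8 minimum, at least 64 permitted) are the ones in the SP 800-63B draft; the blocklist, the pepper value and the PBKDF2 iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Bounds from the SP 800-63B-4 draft: at least 8 characters required (15 is
# recommended), and a maximum of at least 64 characters must be allowed.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed blocklist standing in for a real feed of common and breached
# passwords; a production deployment would use a large breach-derived corpus.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "password1"}

# Assumed iteration count for PBKDF2-HMAC-SHA256; tune to the verifier's hardware.
PBKDF2_ITERATIONS = 600_000


def normalize(password: str) -> str:
    """Apply Unicode NFKC so that visually identical strings compare equal."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> Tuple[bool, str]:
    """Accept or reject a candidate password using only length bounds and a
    blocklist. There are deliberately no character-class (composition) rules."""
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, f"too short (minimum {MIN_LENGTH} characters)"
    if len(pw) > MAX_LENGTH:
        return False, f"too long (maximum {MAX_LENGTH} characters)"
    # Design choice for this example: compare case-insensitively, so that
    # "Password1" is treated as the blocklisted "password1".
    if pw.casefold() in BLOCKLIST:
        return False, "appears on the blocklist of common or compromised passwords"
    # A long passphrase with no digits or symbols is accepted.
    return True, "ok"


def hash_password(password: str, pepper: bytes,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash of the normalized password, followed by a keyed
    hash with a pepper stored outside the credential database. A leaked table
    alone is then not enough for an offline dictionary attack."""
    salt = salt if salt is not None else os.urandom(16)
    pw = normalize(password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)
    return salt, hmac.new(pepper, digest, "sha256").digest()


def verify_password(password: str, pepper: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute the stored value and compare in constant time."""
    _, candidate = hash_password(password, pepper, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    pepper = os.urandom(32)  # in practice, loaded from a secret store or HSM
    for candidate in ["Password1", "short", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate))
    salt, stored = hash_password("correct horse battery staple", pepper)
    print(verify_password("correct horse battery staple", pepper, salt, stored))
```

Note that the verifier never asks for a digit or a symbol: "correct horse battery staple" passes, while "Password1" fails only because it is on the blocklist. Normalizing with NFKC before hashing means a user who types the ligature "ﬁ" instead of "fi" still authenticates.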
Multi-factor authentication (MFA) is recommended at every level, is mandatory from AAL2 upward, and at AAL3 only phishing-resistant MFA methods are acceptable.
To count as phishing-resistant, the authentication must be cryptographically tied either to the communication channel (channel binding, for example client-authenticated TLS) or to the name of the verifier (verifier name binding, as FIDO/WebAuthn does by signing the origin the browser actually loaded), so that an assertion captured by a look-alike site cannot be replayed to the real one.
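Verifier name binding in action, as an added example that is not from the original article or from any FIDO implementation: the browser fills in the origin it really loaded, the authenticator signs origin and challenge together, and the verifier rejects anything not signed for its own name. An HMAC key stands in for the asymmetric key pair a real WebAuthn authenticator would hold, and the origins are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

# Constructed credential: a symmetric key stands in for the authenticator's
# asymmetric key pair (an assumption that keeps the example dependency-free).
CREDENTIAL_KEY = secrets.token_bytes(32)
VERIFIER_ORIGIN = "https://login.example.com"


def _digest(client_data: Dict[str, str]) -> bytes:
    encoded = json.dumps(client_data, sort_keys=True).encode("utf-8")
    return hashlib.sha256(encoded).digest()


def authenticator_sign(client_data: Dict[str, str]) -> bytes:
    """The authenticator signs the client data handed to it by the browser.
    The 'origin' field comes from the page the browser actually loaded, not
    from page script, so a phishing site cannot claim the verifier's name."""
    return hmac.new(CREDENTIAL_KEY, _digest(client_data), "sha256").digest()


def browser_assert(origin_loaded: str, challenge: bytes) -> Tuple[Dict[str, str], bytes]:
    """Browser side: build client data with the real origin and get it signed."""
    client_data = {"type": "auth", "origin": origin_loaded, "challenge": challenge.hex()}
    return client_data, authenticator_sign(client_data)


def verifier_check(challenge: bytes, client_data: Dict[str, str],
                   signature: bytes) -> Tuple[bool, str]:
    """Verifier side, in the order WebAuthn verifiers use: the challenge is the
    one issued, the origin is this verifier's own name, and the signature
    covers exactly the presented client data."""
    if client_data.get("challenge") != challenge.hex():
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != VERIFIER_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not this verifier"
    expected = hmac.new(CREDENTIAL_KEY, _digest(client_data), "sha256").digest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature does not cover the presented client data"
    return True, "ok"


def legitimate_login() -> Tuple[bool, str]:
    challenge = secrets.token_bytes(32)
    client_data, sig = browser_assert(VERIFIER_ORIGIN, challenge)
    return verifier_check(challenge, client_data, sig)


def phishing_relay() -> Tuple[bool, str]:
    """Adversary-in-the-middle: a look-alike site fetches a genuine challenge
    from the verifier and relays it to the victim. The victim's browser still
    reports the look-alike origin, so the signed assertion names the wrong site."""
    challenge = secrets.token_bytes(32)  # obtained by the attacker from the real verifier
    client_data, sig = browser_assert("https://login-examp1e.com", challenge)
    relayed = verifier_check(challenge, client_data, sig)       # fails the origin check
    forged = dict(client_data, origin=VERIFIER_ORIGIN)          # attacker rewrites origin
    rewritten = verifier_check(challenge, forged, sig)          # signature no longer matches
    return relayed[0] or rewritten[0], f"relayed: {relayed[1]}; rewritten: {rewritten[1]}"


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("phishing:", phishing_relay())
```

Compare this with a one-time code typed into a form: the code carries no notion of which site it was meant for, so relaying it to the real service succeeds. With name binding the attacker can neither reuse the assertion as-is (wrong origin) nor patch the origin field (signature breaks).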
The standard also requires rate limiting of biometric attempts and caps the number of consecutive unsuccessful matches before the biometric factor is locked out.
Biometrics may serve as an authentication factor only in combination with proof of possession of a physical authenticator (something you have), and only for one-to-one verification of a claimed identity, not for one-to-many identification.
Biometric sensors and their matching algorithms must implement presentation attack detection so that a spoof presented to the sensor, such as a printed photo or a replayed video, is rejected.