
Multifactor Authentication for NIST SP 800-171

  • Jul 25, 2017

NIST SP 800-171 multifactor authentication

The requirements for multifactor authentication have caused headaches for many organizations in their quest to implement NIST SP 800-171. The initial implementation deadline of the standard was delayed because of the outcry from many contractors, based primarily on the challenges posed by these multifactor authentication requirements. While multifactor authentication adds security, it can be challenging to implement whether an organization has millions of users or just a few.

One of the biggest problems is that Multifactor Authentication (MFA) isn’t native to many systems or applications, so it must be stapled on top of the systems that are already in place. This means additional cost and the potential for issues at the interface between the MFA and what it is supposed to be protecting. To make matters worse, the interface between any two separate systems often presents security vulnerabilities of its own.

Multifactor Authentication can help prevent a number of attacks that steal or reproduce passwords. If a hacker could capture the username and password for a network admin account, they could do great harm within that network. However, if that password was not all that was required for authentication, because of MFA, then there is still hope.

The 3.5.3 requirement says, “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.” So, MFA is required under two different circumstances:

  • Anytime a user is authenticating to a privileged account, or

  • Anytime a user is utilizing “network” access to authenticate to any account.

Network access is basically any time you are not authenticating from the keyboard that is plugged into the computer. Network access would include system access from outside the facility, using remote desktop within the building, or authentication through a web interface.

Multifactor Authentication means that a user has to present two or more factors to authenticate. The factors are:

  • Things that you know, like a password

  • Things that you have, like a security token or a cell phone

  • Things you are, biometrics like a fingerprint or iris scan

To achieve MFA, the authentication must involve more than one of these factors. Even if you require 10 different passwords for every logon, that still isn’t multifactor authentication, because it is only one factor.
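The two rules above (when 3.5.3 requires MFA, and what counts as a second factor) can be written down as a small policy check. This is an added example, not code from the original post; the authenticator-to-factor table is constructed for illustration and would be extended to match a real environment.

```python
from __future__ import annotations
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Constructed mapping of authenticator types to factor classes (example only).
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "smart_card": Factor.HAVE,       # PKI token on a Windows domain
    "hardware_token": Factor.HAVE,
    "phone_push": Factor.HAVE,       # smartphone app prompt
    "fingerprint": Factor.ARE,
    "iris_scan": Factor.ARE,
}


def mfa_required(privileged: bool, network_access: bool) -> bool:
    """3.5.3: MFA for any access to a privileged account, and for network
    access (remote desktop, VPN, web interface) to any account."""
    return privileged or network_access


def factor_classes(presented: list[str]) -> set[Factor]:
    """Distinct factor classes covered by the presented authenticators."""
    unknown = [a for a in presented if a not in AUTHENTICATOR_FACTOR]
    if unknown:
        raise ValueError(f"unclassified authenticator(s): {unknown}")
    return {AUTHENTICATOR_FACTOR[a] for a in presented}


def is_multifactor(presented: list[str]) -> bool:
    """Ten passwords are still one factor: count classes, not authenticators."""
    return len(factor_classes(presented)) >= 2


def check_logon(privileged: bool, network_access: bool,
                presented: list[str]) -> tuple[bool, str]:
    """Return (allowed, reason) for a logon attempt under 3.5.3."""
    if not mfa_required(privileged, network_access):
        return True, "MFA not required: local access to a non-privileged account"
    if is_multifactor(presented):
        return True, "MFA satisfied"
    seen = sorted(f.value for f in factor_classes(presented))
    return False, f"MFA required but only one factor class presented: {seen}"
```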

The second requirement within NIST SP 800-171, for multifactor authentication is 3.7.5, which says, “Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.” This requirement doesn’t add much on top of 3.5.3 because those nonlocal connections will also be what 3.5.3 has called “network access”. On top of that, many maintenance sessions will be utilizing privileged accounts so they would already be utilizing MFA after implementation of 3.5.3.

The only part of 3.7.5 which would not be covered by 3.5.3 is the need to “terminate such connections when nonlocal maintenance is complete.” In many cases, the simplest way to implement this is to establish a policy that requires users of remote sessions to log off at the conclusion of their work.

Within a Microsoft Windows environment, passwords (something you know) are the default method of authentication. Microsoft also provides for the creation of a Public Key Infrastructure (PKI) to be established within Windows Servers. This PKI can support the use of cryptographic security tokens (something you have) for authentication.

While this solution can be implemented using existing Microsoft products plus the purchase of the tokens, it requires technical expertise that may be beyond the reach of small organizations. From a security standpoint, the technology behind this PKI/token solution is very sound: it is mature and thoroughly vetted.

For a small organization, other, non-Microsoft solutions may be easier to put into place. Recently, I was able to set up MFA in a small organization in an afternoon using the Duo Security solution (duo.com). This product allows a user’s cell phone to become an authentication device (something you have). Specific users can be set up to require Duo authentication, so a smartphone app prompts the user to accept the connection. This product offers many different options for how it is used and is available at a very reasonable price. When considering the cost, keep in mind that compliance with the NIST SP 800-171 MFA requirement only requires multifactor authentication on select accounts.

Another option for achieving MFA compliance is through biometrics. While there are many biometric devices available in the marketplace, many lack the integration to make them a simple and reliable implementation. Some of the biometric solutions have published hacks, so care must be taken to select a biometric solution that provides real security. Be thorough about testing before committing to a biometric solution.

As with all aspects of an implementation of NIST SP 800-171, an organization’s MFA solution should enhance its overall security. If an implementation is made with the only consideration being checking off requirements, then the organization is potentially missing out on a great opportunity to achieve better security. Every security-minded IT professional recognizes that cyber-theft, ransomware and data loss are lurking just outside the building, waiting for an opportunity to get in. This new standard that we are required to implement provides many opportunities to improve system security; we might as well take advantage of them. Correctly utilized, multifactor authentication can be a useful tool for enhancing security.

For more resources and guidance about the implementation of NIST SP 800-171, go to https://nist-sp-800-171.com.

© 2019, Crossways Concepts, LLC