Incorporating Syncable Authenticators Into NIST SP 800-63B was published.
In recent years, as the adoption of Multi-Factor Authentication (MFA) has increased, balancing user convenience and security has become a challenge. MFA is a security method that combines multiple authentication factors, such as passwords, biometrics, and one-time passwords, to prevent unauthorized access to accounts. However, implementing MFA often means extra steps for users. To address this issue, a new authentication technology called Syncable Authenticator, also known as Passkey, has emerged.
Syncable Authenticators allow the synchronization of secret keys used for authentication across multiple devices, enabling users to use the same authentication credentials on any device. This greatly improves convenience. However, sharing secret keys across multiple devices also carries security risks. To address this, the National Institute of Standards and Technology (NIST) has released a supplement to the SP 800-63B guidelines on the secure use of Syncable Authenticators.
Key points include:
- Properly configured syncable authenticators can achieve Authenticator Assurance Level 2 (AAL2) by mitigating threats such as man-in-the-middle attacks, verifier impersonation, and replay attacks, and by providing authentication intent.
- The document updates SP 800-63B to allow cloning of authentication keys for syncable authenticators, provided certain requirements are met regarding key generation, storage, and access control.
- Implementation considerations are discussed, including the use of WebAuthn specification flags to determine if an authenticator meets AAL2 requirements. Enterprise use cases may leverage attestation to verify authenticator capabilities.
- Potential threats and challenges of syncable authenticators are outlined, such as unauthorized key use, sync fabric compromise, and revocation difficulties, along with suggested mitigations.
- The document acknowledges the risk of key sharing between users in some implementations and provides guidance for enterprise and public-facing use cases.
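The WebAuthn flags check mentioned above, as an added illustration that is not code from the NIST supplement: a relying party parses the authenticatorData header, requires the user-verification (UV) bit before treating the assertion as multi-factor, and records from the BE/BS bits whether the credential is syncable or currently synced. The policy function, the RP ID `example.gov`, and the `allow_syncable` switch are assumptions for this example.

```python
"""Inspect WebAuthn authenticatorData flags as a relying party (added example).

authenticatorData layout: bytes 0..31 rpIdHash, byte 32 flags,
bytes 33..36 signCount (big-endian uint32), then optional extensions.
"""
import hashlib
import struct
from dataclasses import dataclass

FLAG_UP = 0x01  # user present: satisfies the authentication-intent requirement
FLAG_UV = 0x04  # user verified (PIN/biometric): second factor was applied locally
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently synced


@dataclass
class AuthDataSummary:
    rp_id_ok: bool
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backed_up: bool
    sign_count: int  # synced passkeys commonly report 0, so do not rely on it alone


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> AuthDataSummary:
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    if flags & FLAG_BS and not flags & FLAG_BE:
        raise ValueError("BS set without BE is not a valid flag combination")
    return AuthDataSummary(
        rp_id_ok=auth_data[:32] == hashlib.sha256(rp_id.encode()).digest(),
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=bool(flags & FLAG_BE),
        backed_up=bool(flags & FLAG_BS),
        sign_count=struct.unpack(">I", auth_data[33:37])[0],
    )


def aal2_policy_check(s: AuthDataSummary, allow_syncable: bool = True):
    """Illustrative policy (an assumption, not NIST's text): AAL2 needs a
    multi-factor assertion, so UV must be set; syncable keys are accepted
    only when the deployment has decided to permit them."""
    if not s.rp_id_ok:
        return False, "rpIdHash does not match this relying party"
    if not s.user_present:
        return False, "UP not set: no authentication intent"
    if not s.user_verified:
        return False, "UV not set: single-factor assertion"
    if s.backup_eligible and not allow_syncable:
        return False, "syncable credential not permitted by policy"
    if s.backed_up:
        return True, "synced passkey accepted"
    return True, "syncable but not synced" if s.backup_eligible else "device-bound"


def build_sample_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample input (no real authenticator involved)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```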
Overall, the supplement aims to help agencies make informed risk-based decisions about integrating syncable authenticators, which can provide convenient, phishing-resistant authentication when deployed properly. The supplement offers valuable information not only for security professionals but also for all stakeholders considering the adoption of Syncable Authenticators. The existence of official guidelines from NIST increases confidence in the security of Syncable Authenticators and promotes their adoption. The growth in the number of users will drive further technological innovation. This supplement is considered a significant milestone in the healthy development of new authentication technologies that balance security and usability.