Go to DBLP homepageThe Authentication Gap: Higher Education's Widespread Noncompliance with NIST Digital Identity Guidelines
Abstract: Technical standards are a longstanding method of communicating best practice recommendations based on expert consensus. Cybersecurity standards are particularly important for informing policies that protect critical systems and sensitive data. Measuring standards compliance is therefore essential to identify vulnerabilities arising from outdated policies and to determine whether expert advice has effectively diffused to practitioners. In this paper, we examine the authentication policies of a diverse set of 135 colleges and universities in the United States and Canada to determine compliance with four standards from NIST Special Publication 800-63 Digital Identity Guidelines. We find widespread, but not universal, deployment of multi-factor authentication across institutions. We also find prevalent outdated use of password expiration, password composition rules, and knowledge-based authentication. These results support further investment and research into incentive structures for standards compliance and the diffusion of expert guidance to practitioners.
External IDs:dblp:journals/corr/abs-2409-00546
Loading