
NIST MFA guidelines: Make sure you’re compliant
End-user passwords are often the weakest link in IT security, providing the path of least resistance for an attacker looking to penetrate business systems. Users commonly choose easy to remember, and consequently, easy to compromise passwords. According to Verizon’s 2025 Data Breach Investigations Report, 88% of web application breaches involved the use of stolen credentials.
The password alone is not enough. The National Institute of Standards and Technology (NIST) views multi-factor authentication (MFA) as a critical layer in an organization’s overall cybersecurity posture. In its Digital Identity Guidelines, NIST requires the use of MFA for securing any personal information available online.
NIST MFA guidelines
Authentication factor categories
NIST outlines that two authentication factors used for MFA must come from different categories. These categories are:
- Something you know (e.g. passwords, PINs)
- Something you have (e.g. mobile device, hardware token)
- Something you are (e.g. fingerprint, facial recognition)
NIST does not approve two authentication factors from the same category. This means that using passwords (something you know) along with security questions (also something you know) is not considered adequate MFA.
Security questions are not acceptable
Security questions are not recognized as an acceptable authenticator, as they are highly susceptible to social engineering and compromise. As such, you should not use security questions as a form of authentication, even in multi-factor scenarios.
Authenticator delivery methods
A common secondary factor for MFA is a numeric code delivered to a mobile device (something you have). The mobile device is known as an out-of-band authenticator. NIST gives very specific guidance on how these numeric codes may be delivered to out-of-band authenticators. NIST Special Publication 800-63B, section 5.1.3.1, notes:
“Methods that do not prove possession of a specific device, such as voice-over-IP (VOIP) or email, SHALL NOT be used for out-of-band authentication.”
Sending a numeric code to an out-of-band device using an email account is not a safe means to communicate this information. Email accounts can very easily be compromised. If an attacker has already compromised a user’s password, they likely control the user’s email account.
SMS authentication
There has also been some controversy over the delivery of numeric one-time passwords via SMS. NIST has created some confusion on this subject among organizations with a bit of waffling on SMS delivery of numeric codes. However, in the same NIST Special Publication 800-63B, it is noted:
“The out-of-band authenticator SHALL uniquely authenticate itself in one of the following ways when communicating with the verifier:
- Establish an authenticated protected channel to the verifier using approved cryptography. The key used SHALL be stored in suitably secure storage available to the authenticator application (e.g., keychain storage, TPM, TEE, secure element).
- Authenticate to a public mobile telephone network using a SIM card or equivalent that uniquely identifies the device. This method SHALL only be used if a secret is being sent from the verifier to the out-of-band device via the PSTN (SMS or voice).
- If a secret is sent by the verifier to the out-of-band device, the device SHOULD NOT display the authentication secret while it is locked by the owner (i.e., requires an entry of a PIN, passcode, or biometric to view). However, authenticators SHOULD indicate the receipt of an authentication secret on a locked device. If the out-of-band authenticator sends an approval message over the secondary communication channel — rather than by the claimant transferring a received secret to the primary communication channel”
As your organization implements multi-factor authentication, it is vital to use the recommended delivery mechanisms for the second authentication factor, for example by avoiding the delivery of numeric codes via email. This applies to every system that requires user verification, including the password reset process.
NIST MFA best practices
To implement multi-factor authentication in a way that aligns with NIST guidelines, organizations should follow these best practices:
- Use authentication factors from two or more categories: Make sure that the authentication factors you use are from different categories. For example, a password (something you know) and a passcode from an authenticator app (something you have). Using a tool like Specops Secure Access can help with this, allowing users to authenticate with biometrics or push notifications with the included Specops:ID mobile app.
- Don’t use security questions as an authentication factor: Security questions are not considered secure by NIST. They are vulnerable to social engineering and should not be used, even as a secondary factor.
- Avoid MFA methods that rely solely on email or VOIP: Email and VOIP are not approved channels for delivering authentication codes, as they do not sufficiently prove possession of the user’s device.
- Use secure out-of-band authenticators: When using a mobile device to receive authentication codes, make sure the one-time password (or similar) cannot be displayed on the lock screen. You should also make sure the device is secured with a passcode or biometric lock.
- Apply MFA across all critical access points: MFA should be implemented not only for standard login, but also for password reset processes, access to privileged accounts, and remote access solutions.
- Select tools that meet NIST’s requirements: Choose authentication solutions that support secure delivery mechanisms and comply with requirements from NIST, as well as with privacy regulations like GDPR and HIPAA.
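The rules listed above (distinct factor categories, no security questions, no email or VoIP delivery of out-of-band codes, codes not shown on a locked device) can be turned into a configuration check that runs against an MFA policy before it is rolled out. The following is an added example written for this page, not code from Specops or NIST; the authenticator type names, channel labels and sample configurations are assumptions constructed for illustration.

```python
"""Check an MFA authenticator configuration against the NIST SP 800-63B rules
summarised on this page. Authenticator type and channel names are invented for
this example; the sample configurations at the bottom are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Category(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Factor category of each authenticator type (names are assumptions).
# Security questions are listed so the validator can reject them explicitly.
AUTHENTICATOR_CATEGORY = {
    "password": Category.KNOW,
    "pin": Category.KNOW,
    "security_question": Category.KNOW,
    "totp_app": Category.HAVE,
    "push_app": Category.HAVE,
    "hardware_token": Category.HAVE,
    "oob_code": Category.HAVE,        # numeric code sent to a device
    "fingerprint": Category.ARE,
    "face": Category.ARE,
}

# SP 800-63B 5.1.3.1: channels that do not prove possession of a specific
# device SHALL NOT be used for out-of-band authentication.
DISALLOWED_OOB_CHANNELS = {"email", "voip"}
# PSTN delivery (SMS or voice) or an authenticated protected channel to the
# verifier are the delivery methods the quoted text permits.
ALLOWED_OOB_CHANNELS = {"sms", "voice_pstn", "protected_channel"}


@dataclass(frozen=True)
class Authenticator:
    kind: str
    channel: Optional[str] = None         # only meaningful for oob_code
    display_on_locked_device: bool = False


def validate_mfa_policy(authenticators: List[Authenticator]) -> List[str]:
    """Return a list of findings; an empty list means the policy is compliant."""
    findings = []
    categories = set()
    for a in authenticators:
        if a.kind not in AUTHENTICATOR_CATEGORY:
            findings.append(f"unknown authenticator type: {a.kind}")
            continue
        if a.kind == "security_question":
            findings.append("security questions are not an acceptable authenticator")
            continue  # does not count towards any factor category
        if a.kind == "oob_code":
            if a.channel in DISALLOWED_OOB_CHANNELS:
                findings.append(f"out-of-band code over {a.channel} SHALL NOT be used")
                continue
            if a.channel not in ALLOWED_OOB_CHANNELS:
                findings.append(f"out-of-band channel {a.channel!r} not recognised")
                continue
            if a.display_on_locked_device:
                findings.append("out-of-band secret SHOULD NOT be displayed on a locked device")
        categories.add(AUTHENTICATOR_CATEGORY[a.kind])
    if len(categories) < 2:
        findings.append(
            f"only {len(categories)} factor category in use; MFA needs two distinct categories")
    return findings


# Constructed sample configurations.
COMPLIANT = [Authenticator("password"), Authenticator("totp_app")]
SAME_CATEGORY = [Authenticator("password"), Authenticator("security_question")]
EMAIL_OOB = [Authenticator("password"), Authenticator("oob_code", channel="email")]
SMS_LOCKSCREEN = [Authenticator("password"),
                  Authenticator("oob_code", channel="sms", display_on_locked_device=True)]

if __name__ == "__main__":
    for name, cfg in [("compliant", COMPLIANT), ("same category", SAME_CATEGORY),
                      ("email OOB", EMAIL_OOB), ("SMS on lock screen", SMS_LOCKSCREEN)]:
        print(f"{name}: {validate_mfa_policy(cfg) or ['compliant']}")
```

The validator separates hard failures (a SHALL NOT channel, a single factor category) from the lock-screen display rule, which the quoted text phrases as SHOULD NOT; in a real deployment the latter would typically be reported as a warning rather than block the policy.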
Meet NIST MFA guidelines with Specops Secure Access
Don’t let outdated authentication methods put your organization at risk. Specops Secure Access makes it easy to align with NIST MFA guidelines by adding a powerful second layer of protection to Windows logon, RDP, and VPN. Secondary authentication options include one-time codes sent to mobile devices, biometric authentication, or hardware tokens.
With flexible authentication options, offline access support, and granular policy control, it’s the comprehensive solution for securing your Active Directory environment. Want to know more? Sign up for a free demo today!
(Last updated on August 8, 2025)