NIST MFA guidelines

End-user passwords are often the weakest link in IT security, providing the path of least resistance for an attacker looking to penetrate business systems. Users commonly choose easy to remember, and consequently, easy to compromise passwords. In IBM’s Cost of a Data Breach 2020 report analyzing 524 breached organizations, one out of five suffered a breach through stolen credentials.

The password alone is not enough. The National Institute of Standards and Technology (NIST) views multi-factor authentication (MFA) as a critical layer in an organization’s overall cybersecurity posture. In its Digital Identity Guidelines, NIST requires the use of MFA for securing any personal information available online.

NIST MFA best practices

NIST does not approve two authentication factors from the same category. This means that using passwords (something you know) along with security questions (something you know) is not considered MFA. Additionally, security questions are not recognized as an acceptable authenticator, as they are prone to social engineering and compromise.

A common secondary factor for MFA is a numeric code delivered to a mobile device (something you have). The mobile device is known as an out-of-band authenticator. NIST contains very specific guidance related to the delivery of these numeric codes to out-of-band authenticators. The NIST Special Publication 800-63B, section, notes:

“Methods that do not prove possession of a specific device, such as voice-over-IP (VOIP) or email, SHALL NOT be used for out-of-band authentication.”

Sending a numeric code to an out-of-band device using an email account is not a safe means to communicate this information. Email accounts can very easily be compromised. If an attacker has already compromised a user’s password, they likely control the user’s email account.

There has also been some controversy over the delivery of numeric one-time passwords via SMS. NIST has created some confusion on this subject among organizations with a bit of waffling on SMS delivery of numeric codes. However, in the same NIST Special Publication 800-63B, it is noted:

“The out-of-band authenticator SHALL uniquely authenticate itself in one of the following ways when communicating with the verifier:

  • Establish an authenticated protected channel to the verifier using approved cryptography. The key used SHALL be stored in suitably secure storage available to the authenticator application (e.g., keychain storage, TPM, TEE, secure element).
  • Authenticate to a public mobile telephone network using a SIM card or equivalent that uniquely identifies the device. This method SHALL only be used if a secret is being sent from the verifier to the out-of-band device via the PSTN (SMS or voice).”
  • If a secret is sent by the verifier to the out-of-band device, the device SHOULD NOT display the authentication secret while it is locked by the owner (i.e., requires an entry of a PIN, passcode, or biometric to view). However, authenticators SHOULD indicate the receipt of an authentication secret on a locked device. If the out-of-band authenticator sends an approval message over the secondary communication channel — rather than by the claimant transferring a received secret to the primary communication channel”

As your organization implements multi-factor authentication, it is vital to use the recommended delivery mechanisms for the second authentication factor, such as avoiding the delivery of numeric codes via email. This should be considered for all systems that requires user verification, including the password reset process.

MFA for password recovery

When a user forgets their password, the password recovery process, whether via a self-service system or the service desk, requires identity verification before issuing a new password. Unfortunately, the way in which users are verified is rarely in compliance with the NIST. Security questions are still commonly used during password recovery, compromising the process altogether.

With a self-service tool like Specops uReset, organizations can enforce true MFA during the password reset process. Specops uReset verifies Active Directory users with a range of authentication factors including their mobile device, and high-trust options like Duo Security, Okta, and Ping ID.

Increasing overall password security

In addition to the MFA guidance, NIST encourages account protection against breached passwords. Specops Software provides organizations with the tools needed to implement breached password protection for Active Directory users. Blocking breached passwords in conjunction with MFA for password recovery drastically increases password security for businesses.

(Last updated on April 29, 2022)

brandon lee writer

Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at

Back to Blog