NIST SPECIAL PUBLICATION 1800-17
Multifactor Authentication for E-Commerce
Risk-Based, FIDO Universal Second Factor Implementations for Purchasers
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)
William Newhouse
Brian Johnson
Sarah Kinling
Jason Kuruvilla
Blaine Mulugeta
Kenneth Sandlin
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.1800-17
The first draft of this publication is available free of charge from https://www.nccoe.nist.gov/sites/default/files/library/sp1800/cr-mfa-nist-sp1800-17.pdf
William Newhouse
Information Technology Laboratory
National Institute of Standards and Technology
Brian Johnson
Sarah Kinling
Jason Kuruvilla
Blaine Mulugeta
Kenneth Sandlin
The MITRE Corporation
McLean, VA
July 2019
U.S. Department of Commerce
Wilbur Ross, Secretary
National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
- Volume B
  - 1. Summary
  - 2. How to Use This Guide
  - 3. Approach
  - 4. Architecture
  - 5. Solution Scoping for the Example Implementations
  - 6. Security Characteristic Analysis
    - 6.1. Assumptions and Limitations
    - 6.2. Build Testing
    - 6.3. Scenarios and Findings
    - 6.4. Analysis of the Reference Designs’ Support for Cybersecurity Framework Subcategories
      - 6.4.1. DE.CM-1: The Network Is Monitored to Detect Potential Cybersecurity Events
      - 6.4.2. ID.RA-4: Potential Business Impacts and Likelihoods Are Identified
      - 6.4.3. ID.RA-5: Threats, Vulnerabilities, Likelihoods, and Impacts Are Used to Determine Risk
      - 6.4.4. PR.AC-1: Identities and Credentials Are Issued, Managed, Verified, Revoked, and Audited for Authorized Devices, Users, and Processes
      - 6.4.5. PR.AC-7: Users, Devices, and Other Assets Are Authenticated (e.g., Single Factor, Multifactor), Commensurate with the Risk of the Transaction (e.g., Individuals’ Security and Privacy Risks and Other Organizational Risks)
      - 6.4.6. RS.AN-1: Notifications from Detection Systems Are Investigated
    - 6.5. Systems Engineering
  - 7. Functional Evaluation
    - 7.1. MFA Functional Tests
      - 7.1.1. MFA Use Case Requirements
      - 7.1.2. Test Case MFA-1 (MFA Not Required)
      - 7.1.3. Test Case MFA-2 (MFA Required)
      - 7.1.4. Test Case MFA-3 (Failed Login Attempts Detected)
      - 7.1.5. Test Case MFA-4 (Accounts Automatically Locked After Failed Login Attempts)
      - 7.1.6. Test Case MFA-5 (System Administrator MFA)
  - 8. Future Build Considerations
- Volume C