NIST Multi-Factor Authentication (MFA) Guide for E-commerce Sites Arrives
The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has published a guide to help online retailers implement multi-factor protections to reduce fraudulent purchases.
The effort arrives as technology companies call on MSPs to embrace two-factor and multi-factor authentication (2FA & MFA) to safeguard internal systems and customer systems.
The NCCoE is a public and private partnership working on cybersecurity solutions for specific industries. The 166-page document, entitled Multifactor Authentication for E-Commerce, is intended as a primer to show online retailers that it is possible to implement open standards-based technologies to enable Universal Second Factor (U2F) authentication.
“As retailers in the United States have adopted chip-and-signature and chip-and-PIN (personal identification number) point-of-sale security measures, there have been increases in fraudulent online card-not-present electronic commerce transactions,” the document’s authors (there are six) wrote.
MFA Security Explained
According to the NCCoE report, multi-factor authentication (MFA) is a “security enhancement that allows a user to present several pieces of evidence when logging into an account.” The “evidence” is derived from three sources: something you know, such as a password; something you have, such as a smart card; or, something you are, such as a fingerprint. To enhance security, evidence from two categories must be present, the association said.
To test various methods to deploy MFA, the NCCoE built a laboratory environment to explore ways for online retail environments for the consumer and the e-commerce platform to deploy upgraded identity access. The examples are meant to urge retailers to adopt MFA by using standard, commercially available components and open-source applications. THE NCCoE made it clear that it is not endorsing any particular MFA products.
MFA Security Benefits
Here are the MFA benefits for online retailers, according to the NCCoE:
- Help your organization reduce online fraudulent purchases, including those resulting from the use of credential stuffing to take over accounts.
- Show customers that the organization is committed to its security.
- Protect your e-commerce systems.
- Provide greater situational awareness.
- Avoid system-administrator-account takeover through phishing.
- Implement the example solutions by using the step-by-step guide.