1. The Authentication Gap: Higher Education's Widespread Noncompliance with NIST Digital Identity Guidelines
- Author
Apthorpe, Noah; Beavers, Boen; Shvartzshnaider, Yan; and Frischmann, Brett
- Subjects
Computer Science - Cryptography and Security, Computer Science - Computers and Society
- Abstract
We examine the authentication practices of a diverse set of 101 colleges and universities in the United States and Canada to determine compliance with five standards in NIST Special Publication 800-63-3 Digital Identity Guidelines. We find widespread noncompliance with standards for password expiration, password composition rules, and knowledge-based authentication. Many institutions still require or recommend noncompliant practices despite years of expert advice and standards to the contrary. Furthermore, we observe that regional and liberal arts colleges have generally lower documented compliance rates than national and global universities, motivating further investment in authentication security at these institutions. These results are a wake-up call that expert cybersecurity recommendations are not sufficiently influencing the policies of higher education institutions, leaving the sector vulnerable to increasingly prevalent ransomware and other cyberattacks.
Comment: 15 pages, 4 figures, 2 tables
- Published
2024