usnistgov / 800-63-3

Home to public development of NIST Special Publication 800-63-3: Digital Authentication Guidelines
https://pages.nist.gov/800-63-3/

Should phishing and pharming be identified specifically as authenticator risks? #1257

Closed dig-comments closed 7 years ago

dig-comments commented 7 years ago

Organization Name (N/A, if individual): NZ Government

Organization Type: 1

Document (63-3, 63A, 63B, or 63C): 800-63B

Reference (Include section and paragraph number): 8.2 Threat Mitigation Strategies, Table 8-2

Comment (Include rationale for comment): Should phishing and pharming be identified specifically as authenticator risks?

With phishing and pharming, the mitigations are spread across different actors – the user, the online service and the CSP/Verifier. Users practising safe browsing should be alert about unexpected hostnames in URLs generally – not specifically for authentication only.

Suggested Change:


Organization Type: 1 = Federal, 2 = Industry, 3 = Academia, 4 = Self, 5 = Other

jimfenton commented 7 years ago

Phishing and pharming are particularly significant threats during the authentication process because of the potential to reveal an authenticator (in the case of memorized secrets) or an authenticator output to an attacker. Furthermore, their mention highlights the value of, and motivation for, authenticators that provide verifier impersonation resistance.
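
An added illustration of the point in the comment above, not part of the original thread or of SP 800-63B: an authenticator output forwarded through an impersonating host is accepted by the real verifier unless the output is bound to the verifier the subscriber actually reached. The host names, key and function names are constructed for the example, and an HMAC over a shared key stands in for the authenticator's real protocol.

```python
import hashlib
import hmac
import os

# Constructed sample values: host names and key are hypothetical.
REAL_VERIFIER = "login.example.gov"
LOOKALIKE_HOST = "login.examp1e.gov"
KEY = b"constructed-demo-key-not-a-real-secret"


def unbound_output(key: bytes, challenge: bytes) -> bytes:
    """Authenticator output that depends only on key and challenge (OTP-like)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def bound_output(key: bytes, challenge: bytes, connected_host: str) -> bytes:
    """Output that also covers the host name the client actually connected to."""
    msg = challenge + b"|" + connected_host.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def verifier_accepts_unbound(key: bytes, challenge: bytes, output: bytes) -> bool:
    return hmac.compare_digest(unbound_output(key, challenge), output)


def verifier_accepts_bound(key: bytes, challenge: bytes, output: bytes) -> bool:
    # The verifier recomputes with its own name, so an output produced
    # for any other host name does not match.
    expected = bound_output(key, challenge, REAL_VERIFIER)
    return hmac.compare_digest(expected, output)


def simulate(connected_host: str) -> dict:
    """The subscriber authenticates through `connected_host`, which passes the
    verifier's challenge and the authenticator output along unchanged."""
    challenge = os.urandom(16)
    plain = unbound_output(KEY, challenge)
    bound = bound_output(KEY, challenge, connected_host)
    return {
        "unbound": verifier_accepts_unbound(KEY, challenge, plain),
        "bound": verifier_accepts_bound(KEY, challenge, bound),
    }


if __name__ == "__main__":
    print("direct :", simulate(REAL_VERIFIER))
    print("relayed:", simulate(LOOKALIKE_HOST))
```
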