Measuring NIST Authentication Standards Compliance by Higher Education Institutions
Noah Apthorpe, Boen Beavers, Yan Shvartzshnaider, Brett Frischmann

TL;DR
This study assesses how well higher education institutions in North America adhere to NIST authentication standards, revealing partial compliance and outdated practices, which highlights the need for improved standards adoption.
Contribution
It provides the first large-scale empirical analysis of authentication policy compliance among U.S. and Canadian higher education institutions against NIST standards.
Findings
Widespread adoption of multi-factor authentication
Prevalence of outdated password policies
Partial compliance with NIST standards
Abstract
Technical standards are a longstanding method of communicating best practice recommendations based on expert consensus. Cybersecurity standards are particularly important for informing policies that protect critical systems and sensitive data. Measuring standards compliance is therefore essential to identify vulnerabilities arising from outdated policies and to determine whether expert advice has effectively diffused to practitioners. In this paper, we examine the authentication policies of a diverse set of 135 colleges and universities in the United States and Canada to determine compliance with four standards from NIST Special Publication 800-63 Digital Identity Guidelines. We find widespread, but not universal, deployment of multi-factor authentication across institutions. We also find prevalent outdated use of password expiration, password composition rules, and knowledge-based…
Taxonomy
Topics: Digital Rights Management and Security · Web and Library Services
