Over the past several months, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has been working on a cybersecurity project involving multifactor authentication to help retailers reduce the risk of online fraudulent purchases.  

​

The NCCoE is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity challenges. The NCCoE has just released draft practice guide NIST Special Publication 1800-17, Multifactor Authentication for E-Commerce. 

​

The guide explores several risk-based scenarios that use multifactor authentication to increase assurance of purchaser identity and reduce fraudulent online purchases. Both standards and best practices were used to develop two reference designs leveraging commercially available technologies. The guide also maps capabilities to NIST guidance and control families, including the NIST Cybersecurity Framework.

​

This practice guide demonstrates how commercially available technologies, like TokenOne Authentication can be integrated with existing tools (such as Magento or other e-commerce platforms) to secure high risk transactions such as administrative access.*

To complete this guide, the NCCoE collaborated with other technology vendors, including RSA, Splunk, StrongKey, and Yubico.*

​

The NCCoE believes the guide helps meet a critical cybersecurity and economic need, but we want to hear from you. Please share your thoughts on this step-by-step guide to enhance it. Download the draft guide and provide your feedback on the NCCoE comment page. The public comment period closes on October 22, 2018.

​

*While the example implementation uses certain products, NIST and the NCCoE do not endorse these products. The guide presents the characteristics and capabilities of those products, which an organization’s security experts can use to identify similar standards-based products that will fit within with their organization’s existing tools and infrastructure.