Measuring NIST Authentication Standards Compliance by Higher Education Institutions

Technical standards are a longstanding method of communicating best practice recommendations based on expert consensus. Cybersecurity standards are particularly important for informing practices that protect critical systems and sensitive data. Measuring standards compliance is therefore essential to identify vulnerabilities arising from continued use of outdated practices and to determine whether expert advice has effectively diffused to practitioners. In this paper, we examine the authentication practices of a diverse set of 136 colleges and universities in the United States and Canada to determine compliance with four standards from NIST Special Publication 800-63-3 Digital Identity Guidelines. These standards have been in place since 2017, pose a relatively low barrier to implementation, yet are substantive revisions from pre-2017 versions, making them an excellent case study for measuring the responsiveness of institutions to updated expert guidance. We find widespread, but not universal, compliance with multi-factor authentication (MFA) standards across institutions. We also find widespread noncompliance with standards for password expiration, password composition rules, and knowledge-based authentication. These results are a wake-up call that many expert cybersecurity recommendations are not effectively reaching practitioners, suggesting a need for alternative outreach strategies, increased investment in education and training initiatives, and an examination of incentive structures that result in noncompliant and insecure practices.