Noah Apthorpe and Boen Beavers, Colgate University; Yan Shvartzshnaider, York University; Brett Frischmann, Villanova University
Technical standards are a longstanding method of communicating best practice recommendations based on expert consensus. Cybersecurity standards are particularly important for informing policies that protect critical systems and sensitive data. Measuring standards compliance is therefore essential to identify vulnerabilities arising from outdated policies and to determine whether expert advice has effectively diffused to practitioners. In this paper, we examine the authentication policies of a diverse set of 135 colleges and universities in the United States and Canada to determine compliance with four standards from NIST Special Publication 800-63 Digital Identity Guidelines. We find widespread, but not universal, deployment of multi-factor authentication across institutions. We also find prevalent outdated use of password expiration, password composition rules, and knowledge-based authentication. These results support further investment and research into incentive structures for standards compliance and the diffusion of expert guidance to practitioners.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Noah Apthorpe and Boen Beavers and Yan Shvartzshnaider and Brett Frischmann},
title = {Measuring {NIST} Authentication Standards Compliance by Higher Education Institutions},
booktitle = {Twenty-First Symposium on Usable Privacy and Security (SOUPS 2025)},
year = {2025},
isbn = {978-1-939133-51-9},
address = {Seattle, WA},
pages = {335--350},
url = {https://www.usenix.org/conference/soups2025/presentation/apthorpe},
publisher = {USENIX Association},
month = aug
}
