Key changes:
- No requirement to periodically change passwords.
- Mandatory validation of every newly created password against a list of commonly-used, expected, or compromised passwords.
- No requirement to impose password composition rules (such as requiring a mix of letters, numbers, and special characters).
- Email may not be used as a second factor in multi-factor authentication.
- Voice and SMS are "discouraged" and will be disallowed as a second authentication factor.
Here are some excerpts from the draft:
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include (but is not limited to):
- Passwords obtained from previous breach corpuses.
- Dictionary words.
- Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
- Context specific words, such as the name of the service, the username, and derivatives thereof.
Verifiers SHOULD NOT impose other composition rules (e.g., mixtures of different character types) on memorized secrets.
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically) and SHOULD only require a change if the subscriber requests a change or there is evidence of compromise of the authenticator.
Methods that do not prove possession of a specific device, such as voice-over-IP (VOIP) or email, SHALL NOT be used for out-of-band authentication.
Out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline.
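The blocklist check the draft describes (breach corpus, dictionary words, repetitive or sequential characters, context-specific words) and the absence of composition rules can be put into one verifier function. The following is an added illustration, not code from NIST or from the original post. The breach corpus and dictionary are tiny constructed samples standing in for the real lists a verifier would load, the leet-substitution table and the run length of four used for "sequential" are this example's own choices, and the eight-character minimum is assumed rather than taken from the excerpts above.

```python
from typing import Optional

# Constructed sample lists. A real verifier would load a breach corpus
# (ideally queried by hash prefix so the candidate never leaves the verifier)
# and a full dictionary file instead of these few entries.
BREACH_CORPUS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
DICTIONARY_WORDS = {"dragon", "monkey", "sunshine", "football", "welcome"}

MIN_LENGTH = 8  # assumed minimum; not stated in the excerpts above

# Common substitutions used to catch "derivatives" of context words
# (acme -> 4cm3, alice -> @lice). The table is this example's own choice.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i",
                      "!": "i", "3": "e", "$": "s", "5": "s", "7": "t"})


def _canonical(s: str) -> str:
    """Case-fold and undo common character substitutions."""
    return s.casefold().translate(LEET)


def has_repetitive_or_sequential_run(pw: str, run: int = 4) -> bool:
    """True if any window of `run` characters is all the same ('aaaa') or
    strictly ascending/descending by one code point ('1234', 'dcba')."""
    codes = [ord(c) for c in pw]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def contains_context_word(pw: str, context_words, min_len: int = 3) -> Optional[str]:
    """Return the first context word (service name, username, ...) found in the
    password, forwards or reversed, after canonicalisation; else None."""
    canon = _canonical(pw)
    for word in context_words:
        w = _canonical(word)
        if len(w) < min_len:
            continue
        if w in canon or w[::-1] in canon:
            return word
    return None


def evaluate_password(candidate: str, username: str, service_name: str) -> Optional[str]:
    """Return None if the candidate is acceptable, otherwise a rejection reason.

    Deliberately applies no composition rules: a long passphrase of
    lowercase words and spaces is accepted, matching the draft's SHOULD NOT.
    """
    if len(candidate) < MIN_LENGTH:
        return "too short"
    norm = candidate.casefold()
    if norm in BREACH_CORPUS:
        return "appears in breach corpus"
    if norm in DICTIONARY_WORDS:
        return "dictionary word"
    if has_repetitive_or_sequential_run(candidate):
        return "repetitive or sequential characters"
    word = contains_context_word(candidate, [service_name, username])
    if word is not None:
        return f"contains context-specific word '{word}'"
    return None


if __name__ == "__main__":
    for pw in ["password", "Sunshine", "aaaaaaaa", "1234abcd", "Alice2024!",
               "acme-rocks", "correct horse battery staple", "Tr0ub4dor&3"]:
        print(f"{pw!r:34} -> {evaluate_password(pw, 'alice', 'acme') or 'accepted'}")
```

Breach-corpus and dictionary matches are exact (after case-folding) so that a passphrase containing a dictionary word is not rejected, while context words are matched as substrings because the draft explicitly covers "derivatives thereof"; in production the corpus lookup should be done against a hashed, k-anonymised service rather than an in-memory set.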