
What is The Consumer Authentication Strength Maturity Model (CASMM), and how do I use it?
If you know anything about internet security then you likely spend a lot of your time helping people improve their password hygiene. This page is an attempt to create an easy-to-use, visual model to help you have that conversation.

How to use this model
The idea is for security-savvy people to help less-knowledgeable users in the following two ways:
- Show Them Where They Are — The first way to use this model is to simply ask the user about their current behavior and show them where that ranks within these 8 Levels. If you show them they’re down at Level 1 or 2, the combination of seeing how low they are in the chart and the color might convey some measure of concern.
- Show Them How to Move — Next, show them how to move upwards in the model!
Most non-savvy internet users live at Levels 1, 2, and 3. This group gets the most benefit by moving from there to Level 4, which is to get all their major accounts enrolled into a Password Manager like 1Password or LastPass. This means using the password manager to create new, secure passwords, and then changing the passwords for those services.
The next biggest jump is to go from Level 4 to Level 5 or above, which is the transition from Password Only to Multifactor Authentication (MFA). That transition is the most important thing at that stage, so even moving from Level 4 to Level 5 is a major improvement!
Once at Level 5, the goal should be to get out of Level 5 and into 6, 7, or 8. This is because Level 5 (text/SMS-based MFA) is by far the weakest form of MFA in the model.
Once you get to Level 6 (App-based MFA codes) the main weakness you have is the creation and handling of the MFA codes themselves. This means a code is sent to you somehow, which you must then pass on to the service in order to authenticate. This is bad because it still leaves the door open for attackers to steal that token through phishing and vishing (voice-based phishing).
You can’t phish MFA codes that don’t exist!
In fact, many malware and phishing packages now include fields to capture not only someone’s username and password but also their MFA code. And if you’re an unsophisticated user, you’re just as likely to give away your MFA code as you are your password.
This is why the final stage of improvement lies at Levels 7 and 8. At that stage, there are no MFA Codes to steal! At these two levels, MFA authentication takes place transparently in the background, in a cryptographically secure way that never involves the user. And since the user never sees a code, that code cannot be stolen.
At the final levels, and specifically at Level 8, there is an additional protection in that the authentication requests can only be sent to a specific URL that was registered when the authentication method was established. In other words, if I set up Level 8 authentication (like WebAuthn) with Gmail, then when I authenticate with my FIDO2 token, or my operating system, the authentication in the background can only be sent to Gmail.
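The origin binding described above, sketched as the checks a WebAuthn relying party runs on each login. This is an added example, not code from the original page: `mail.example`, the lookalike origin and the helper names are constructed, and the signature check a real server also performs over these same bytes is left out.

```python
import base64
import hashlib
import json

# Constructed values: the origin and RP ID fixed when the credential was registered.
EXPECTED_ORIGIN = "https://mail.example"
EXPECTED_RP_ID = "mail.example"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def simulated_assertion(origin: str, rp_id: str, challenge: bytes):
    """Build what the browser and authenticator emit for the page the user is on."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    # authenticatorData = SHA-256(RP ID) || flags (0x01 = user present) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return client_data, auth_data

def origin_binding_failures(client_data: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return the names of the failed checks; an empty list means the binding holds."""
    failures = []
    fields = json.loads(client_data)
    if fields.get("type") != "webauthn.get":
        failures.append("type")
    if fields.get("challenge") != b64url(challenge):
        failures.append("challenge")
    if fields.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        failures.append("rpIdHash")
    elif not auth_data[32] & 0x01:
        failures.append("userPresent")
    return failures

if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real server uses a fresh random value
    real = simulated_assertion(EXPECTED_ORIGIN, EXPECTED_RP_ID, challenge)
    fake = simulated_assertion("https://mail-example.login.test", "mail-example.login.test", challenge)
    print("genuine site:", origin_binding_failures(*real, challenge))
    print("lookalike site:", origin_binding_failures(*fake, challenge))
```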
Summary
- CASMM is a visual reference designed to help security-minded people help their less savvy friends, family, and colleagues secure themselves.
- The biggest security improvement comes from moving from Level 3 or below to strong, unique passwords managed by a Password Manager (Level 4).
- You get increasingly strong authentication as you move from 4 –> 5 and above, from 5 –> 6 or 7, and then finally from 7 –> 8.
- Don’t skip Step 4. It’s best to make the move to unique, quality passwords stored in a manager before you add 2FA, and then try to move as high as possible within Levels 5-8.
I hope this helps you or someone you care about!