Background
In May of 2021, President Biden issued Executive Order 14028 “Improving the Nation’s Cybersecurity,” initiating a sweeping effort to ensure that baseline cybersecurity practices are in place across the federal government, the risks of cloud-based infrastructure are mitigated, and the zero trust architecture (ZTA) principles of NIST SP 800-207 “Zero Trust Architecture” are adopted.
In February of 2022, Acting Director Young of the Office of Management and Budget (OMB) issued Memorandum M-22-09 “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” This set forth a federal ZTA strategy, requiring all agencies to meet specific cybersecurity standards and objectives by the end of federal FY 2024.
Significantly, M-22-09 recognizes that certain forms of multi-factor authentication (MFA) do not provide adequate protection against the increasing scale and sophistication of phishing attacks. Thus, it mandates the adoption of “phishing-resistant” MFA by:
- Requiring phishing-resistant MFA for all “agency staff, contractors, and partners”
- Defining phishing-resistant MFA as methods based on:
- Personal Identity Verification (PIV) credentials
- Derived PIV credentials
- Secure Digital (SD) cards with cryptographic modules
- USB tokens with cryptographic modules
- Embedded hardware or software cryptographic tokens in mobile devices
- Permitting the use of phishing-resistant authenticators that do not yet support PIV or Derived PIV
- Phishing-resistant authenticators, non-PIV and non-Derived PIV
- FIDO2/WebAuthn authenticators
Scope of M-22-09
If your organization falls within the scope of M-22-09, SurePassID urges you to consult with your federal regulator(s) and auditor regarding impacts on users, business functions, and overall compliance.
Phishing-Resistant MFA Defined
Phishing-resistant MFA must render the authentication process resistant to attackers intercepting or tricking users into revealing their access information using phishing attacks, which include spear phishing, smishing, vishing, brute force attacks, man-in-the-middle attacks, replay attacks, and credential stuffing.
Phishing resistance within an MFA mechanism is achieved in four ways:
- Strongly binding the authenticator and user identity so a trust relationship can be established between the parties. Typically achieved through an identity proofing and cryptographic registration process. For example, the U.S. federal government uses such a process to issue a PIV or CAC access card to a user. MFA ceremonies involving that authenticator can be trusted to be solely between the user and the relying party. The most crucial component in the trust relationship is the private key residing on the authenticator, which must be protected from both logical and physical attacks.
- Eliminating shared secrets. Establishing the trust relationship allows for the MFA mechanism to be based on unique public and private keypairs that perform a secure asymmetric cryptographic ceremony. The MFA ceremony can never be performed without the private key, which must be stored in hardware that can be attested and cannot be exported.
- Only responding to trusted parties. Phishing attacks are conducted by non-trusted parties that conceal their true status from users. Authentication solutions must resist verifier impersonation to qualify as phishing-resistant, responding only to valid requests from known and trusted parties.
- Establishing user intent. User involvement is required to both initiate and authorize a login action, which needs to be clearly understood and intended by the user. Authentication requests should only exist as part of an access request that the user initiated.
FIDO2-Based Phishing-Resistant MFA – The Challenges
FIDO2 is a set of industry standards that provide phishing-resistant MFA and which are ultimately intended to support Derived PIV. FIDO2 consists of two components: the WebAuthn specification, which was developed by W3C, and the Client to Authenticator Protocol (CTAP) specification, which was developed by FIDO Alliance. Together these components create cryptographic login credentials that are unique across every application, never leave the user’s device, and are not stored on a server.
To implement FIDO2-based phishing-resistant MFA, an MFA solution such as SurePassID must first be deployed. Then FIDO2 security keys (hardware or software “tokens”) must be bought, distributed, and managed, which significantly increases costs and operational complexities. If the FIDO2 security keys are physical, users may lose or forget their authenticators, generating additional operational complexities and support load on the IT help desk. Furthermore, since FIDO2 is not PIV Derived, additional overhead is required to centralize management of tokens, identity verification, and credential lifecycle.
Problematically, support for FIDO2 is not yet robust. For example, VPN vendors do not natively support FIDO2 (or legacy U2F) in their embedded browsers, instead forcing the adoption of painful workarounds that rely on reconfiguring portals, gateways, and clients to use the local browser, assuming that is even an option. If Android or iOS support is needed, then a Mobile Device Management (MDM) solution must be incorporated for non-BYOD, or a separate portal must be used for BYOD. Similarly, most Linux/UNIX distros also have limited or no support for FIDO2.
SurePassID Guidance to Customers
Implementing phishing-resistant MFA presents a matrix of considerations, such as regulatory requirements, use cases, site limitations, complexity, and cost. Every customer’s matrix will look different, but SurePassID provides the Authentication Server platform, unmatched domain expertise, and outstanding technical support needed to deliver the best solution set. We already support the widest range of open-standard protocols and authenticators, including FIDO2/WebAuthn authenticators – a continuation of the FIDO support we have trailblazed since co-founding the FIDO Alliance.
If your organization is facing a mandate to adopt phishing-resistant MFA, or if you simply want to upgrade the user access security of your enterprise, call SurePassID. We will develop a tailored solution that best addresses your matrix of considerations.
