Why Phishing-Resistant MFA Is on US Government Fast Track
Stopping Cyberattacks by Moving Away From Password-Based Authentication
In today's political climate, it is hard for politicians to reach a consensus, but representatives on both sides of the aisle agree that the government isn't prepared for cyberattacks.
The January memorandum from President Joe Biden's Office of Management and Budget made it clear that cybersecurity is a top concern by mandating a zero trust architecture be in place for all government agencies by September 2024.
The administration's guidelines contain everything you'd expect in a zero trust transition plan: the adoption of multifactor authentication, including the verification of device-based security controls, continuous monitoring, and authentication. But not just any MFA will do: The government is mandating a switch to phishing-resistant MFA by January 2023.
Many government agencies employ some type of MFA. But the Biden administration's guidelines call for all agencies to implement stronger security. While legacy MFA is more secure than a username and password alone, it assumes that requiring a second device and a second factor improves security. It's not that simple.
Most legacy MFA uses a combination of a password and a "something you have" factor. That "something you have" comes into play when implementing the second factor: a one-time code presented by a physical token, a text message, or an email sent to the user. But adding a secondary device or channel is, at best, much harder to secure and, at worst, impossible to secure. Phishing campaigns can often capture the additional codes or intercept the authentication sequence with a man-in-the-middle attack, as the recent breaches at Uber and Cisco made clear.
The biggest issue, however, is that most MFA solutions rely on shared secrets, like passwords, and provide no security context that ties back to the end user and their device.
The Biden administration deserves credit for moving quickly to address the issue of weak cybersecurity in our nation's institutions. But it does seem as if the memorandum missed an opportunity to remove passwords from the equation.
The Password Remains
Every organization should adopt phishing-resistant MFA sooner rather than later. Hackers regularly defeat legacy security measures with phishing campaigns. But the Biden administration stops short of the one step that could practically eliminate the risk of breaches - getting rid of shared secrets, otherwise known as passwords.
The use of shared secrets, a factor attackers can easily breach and bypass, is a critical weak point in the MFA solution. The simple fix is implementing a passwordless, multifactor authentication solution that removes the threat of stolen passwords. Removing shared secrets and anchoring private keys in secure enclaves allows you to eliminate the most common form of initial access used by adversaries of both government and commercial resources.
Government agencies - or any companies looking to adopt zero trust - need to start their zero trust journey by using secure, phishing-resistant MFA that doesn't depend on shared secrets.
A Better Alternative
A valid solution should be phishing-resistant and should improve the end-user experience. This means the phishing-resistant MFA solution must:
- Reduce the attack surface of authentication by eliminating shared secrets;
- Guarantee the protection of private keys in secure enclaves;
- Eliminate authentication phishing attacks through automation of the authentication process;
- Protect application and data access by validating the presence of security controls.
Classic authentication factors can still be employed in this model, but they possess better security and usability properties. The secure enclave properties guarantee the possession factor. Also, enclaves can manage access policies for the private keys they store using any combination of local biometrics and local PINs. The enclave will only allow credential use if these policies are satisfied locally.
Finally, an unbounded number of new factors can be incorporated that speak to a device's security controls, device or identity past behavior, etc. This phishing-resistant MFA solution improves visibility for the security administrator while enhancing the end-user experience.
The technology already exists to make passwordless, phishing-resistant MFA an easily implemented security solution for most agencies and organizations. And the simple truth is: The longer we wait to move away from password-based authentication, the more attacks will occur. The time to act is now.