U.S. authorities struggle to keep pace with multi-factor authentication (MFA) that's resistant to phishing attacks
The U.S. federal government is taking a significant step in enhancing cybersecurity by mandating the adoption of phishing-resistant multifactor authentication (MFA) for all federal agencies by October 2024. This move is in line with guidelines from the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA).
Deputy National Security Advisor for Cyber and Emerging Technologies, Anne Neuberger, has made the implementation of MFA a personal priority. She emphasised its importance in protecting sensitive data and stressed that it's a collective responsibility.
CISA Executive Director, Brandon Wales, echoed Neuberger's sentiments, stating that more than a password is needed to stay safe online. He highlighted that MFA is crucial for better data protection against malicious cyber actors, particularly in the face of evolving threats that routinely evade MFA relying on text- or email-based one-time passcodes.
The phishing-resistant MFA solutions the federal government is adopting primarily revolve around FIDO/WebAuthn and Public Key Infrastructure (PKI)-based MFA. These methods resist the attacks that commonly defeat weaker MFA, such as push bombing and SIM swapping, enhancing the security of federal information systems.
According to NIST Special Publication 800-63B, federal agencies must require phishing-resistant authentication for accessing federal information systems. This requires authentication methods that use approved cryptography meeting FIPS 140-1 standards, and at least one authentication factor must be replay-resistant and demonstrate authentication intent at Authenticator Assurance Level 2 (AAL2) or higher.
CISA specifically recommends implementing FIDO/WebAuthn or PKI-based MFA as phishing-resistant MFA solutions to mitigate threats, including those from sophisticated threat actor groups. Vendors providing these solutions to federal agencies undergo stringent clearance, such as FedRAMP authorization.
Federal Chief Information Officer (CIO) Clare Martorana stated that how we prove who we are online is one of the cornerstones of providing a positive, intuitive, and trusted digital experience. Officials from the National Security Council, the Cybersecurity and Infrastructure Security Agency, the Office of the National Cyber Director, and the Office of Management and Budget have all participated in the discussions.
Despite the challenges posed by legacy systems, MFA has evolved to include more accessible protocols, making it easier for government agencies to adopt. However, the adoption and use of MFA by public-sector entities has lagged behind private-sector counterparts.
According to cybersecurity expert Chester Wisniewski, within 12 to 18 months, the majority of the hurdles in government agency adoption of MFA should be addressed. He also stated that the MFA mandated by the federal government is almost 100% phish-proof.
However, Wisniewski cautioned that cookies can still be stolen from web apps, so MFA does not entirely solve the identity problem. He also noted that the push for MFA within the federal government is not new, with Brandon Pugh, director of cybersecurity and emerging threats at the R Street Institute, confirming this.
In summary, the federal government's phishing-resistant MFA mandate for October 2024 centres on FIDO/WebAuthn hardware tokens or software implementations, PKI-based certificates, and cryptographically protected authentication channels in line with NIST and CISA guidelines, enforced across agencies with solutions approved under frameworks like FedRAMP. This move is expected to significantly enhance the security of federal information systems and data.
Enhancing privacy and data protection is crucial for federal agencies as they implement phishing-resistant multifactor authentication (MFA) in line with guidelines from the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA). Adopting phishing-resistant MFA solutions such as FIDO/WebAuthn and Public Key Infrastructure (PKI)-based MFA will help federal agencies protect sensitive data against evolving malicious cyber threats.