
U.S. Government Says Unphishable MFA Is The Way

The Biden administration just threw out the industry standards for multi-factor authentication.

Earlier this year the Office of Management and Budget (OMB) issued a memo with the subject “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles.” This memo laid out the roadmap for implementing a zero-trust architecture for all federal agencies by the end of 2024. This came after the administration released an Executive Order on improving cybersecurity in May of 2021. While this is a welcome move from a security perspective, IT departments will now carry the burden of ensuring compliance with the new standards, and without the appropriate support they may struggle to do so.

According to the order, “For routine self-service access by agency staff, contractors and partners, agency systems must discontinue support for authentication methods that fail to resist phishing, such as protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.” In the simplest terms possible, the U.S. Government is telling its agencies and the rest of the world that it is time to stop using MFA solutions that are susceptible to phishing.

“Many approaches to multi-factor authentication will not protect against sophisticated phishing attacks, which can convincingly spoof official applications and involve dynamic interaction with users. Users can be fooled into providing a one-time code or responding to a security prompt that grants the attacker account access. These attacks can be fully automated and operate cheaply at significant scale.”

What does this mean for many traditional forms of multi-factor authentication currently being used?  

This poses an interesting challenge for IT teams because most modern MFA solutions use all of the factors mentioned above. Push-based authentication is a particularly interesting factor to discontinue because it is used by all sorts of popular vendors, like Duo (Cisco), Google, Amazon, and Microsoft: it is the de facto industry standard. When all of those MFA factors are eliminated, only a select few, such as hard tokens, QR codes, and biometrics, remain eligible to be used according to the new standards.

This is not an entirely new initiative. The U.S. Government has been encouraging people to avoid SMS and voice call-based MFA ever since it published drafts of Digital Identity Guidelines, NIST Special Publication 800-63, which was finalized in 2017. However, with the significant increase in cyberattacks over the last few years, it is not surprising that the Biden Administration has once again positioned cybersecurity measures as a high priority.

Executive Order 14028 is a welcome one amongst security professionals. Most consider the move to a zero-trust architecture necessary and long overdue. Studies show that roughly 24% of all data breaches can be attributed to human error, and social engineering is no exception to that statistic. In September of 2021, APWG detected 214,345 unique phishing sites in total and said that the number of recent phishing attacks has more than doubled since early 2020.

While EO14028 does make it clear that most current MFA solutions will no longer meet the requirements to be used, that does not mean all MFA is out. The same zero-trust document states, “This requirement for phishing-resistant protocols is necessitated by the reality that enterprise users are among the most valuable targets for phishing…However, agencies’ highest priority should be to rapidly implement a requirement for phishing-resistant verifiers, whether this is PIV or an alternative method.”


What does unphishable MFA look like according to EO14028?

The administration has put an emphasis on strong, phishing-resistant MFA in both its integration and enforcement.

“In this document, ‘phishing-resistant’ authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.”

“Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.”
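
The definition quoted above comes down to whether the verifier can tell which site a response was produced for. The following sketch is an added illustration, not code from the memo or from any vendor named on this page: it puts a one-time-code verifier next to a verifier for a response that is cryptographically bound to the site's origin, which is one common way protocols meet that definition. The origin, keys and challenge are constructed values, and HMAC stands in for the authenticator's public-key signature so the example runs on the standard library.

```python
import hashlib
import hmac
import json
import struct

EXPECTED_ORIGIN = "https://login.agency.example"  # constructed relying-party origin

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the secret and the time."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, at: int) -> bool:
    # Nothing in the code says which site the user typed it into, so the
    # verifier accepts it no matter who forwards it.
    return hmac.compare_digest(totp(secret, at), code)

def sign_assertion(key: bytes, challenge: str, origin: str) -> dict:
    """Authenticator side. `origin` is what the browser reports, not what the page claims.
    HMAC is a stand-in for the authenticator's public-key signature."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def verify_assertion(key: bytes, challenge: str, assertion: dict) -> bool:
    """Verifier side: check the signature, then the challenge and the signed origin."""
    expected = hmac.new(key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False
    data = json.loads(assertion["client_data"])
    return data.get("challenge") == challenge and data.get("origin") == EXPECTED_ORIGIN

def compare_factors() -> dict:
    """Run both verifiers on constructed sample values."""
    otp_secret, cred_key, now = b"constructed-otp-secret", b"constructed-credential-key", 1_700_000_000
    challenge = "constructed-challenge-001"
    code = totp(otp_secret, now)  # identical wherever the user enters it
    genuine = sign_assertion(cred_key, challenge, EXPECTED_ORIGIN)
    lookalike = sign_assertion(cred_key, challenge, "https://login.agency-example.test")
    return {
        "otp_entered_anywhere": verify_totp(otp_secret, code, now),
        "assertion_from_real_origin": verify_assertion(cred_key, challenge, genuine),
        "assertion_from_lookalike_origin": verify_assertion(cred_key, challenge, lookalike),
    }

if __name__ == "__main__":
    print(compare_factors())
```

The one-time code verifies regardless of where it was entered, while the origin-bound response is rejected when the signed origin is not the expected one, and editing the origin after signing breaks the signature check.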

Actions

The executive order recommends two main courses of action:

  • Agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms.

Centralized identity makes sense as a first step, because it’s a requirement for the other recommendation:

  • MFA must be enforced at the application layer, instead of the network layer.

In simple terms, it’s no longer sufficient to check a user’s identity as they log into a workstation or connect to a VPN when signing on in the morning. Each time a user accesses an application, their identity should be re-confirmed. 

“Agencies must require their users to use a phishing-resistant method to access agency-hosted accounts. For routine self-service access by agency staff, contractors, and partners, agency systems must discontinue support for authentication methods that fail to resist phishing, including protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.”

“This requirement for phishing-resistant methods is necessitated by the reality that enterprise users are among the most valuable targets for phishing.”

The result is that the directive eliminates the most user-friendly features of MFA as it exists today, which has the potential to cause friction for users. Hard tokens, for example, are expensive and difficult to manage, making them a less than ideal replacement for the discontinued factors. Employees tend to forget or break their hard tokens, and assigning and de-authorizing the tokens puts significant strain on IT teams that are already stretched thin.

Finding the Right Unphishable MFA Vendor

“Fortunately, there are phishing-resistant approaches to MFA that can defend against these attacks.”

It is important to keep in mind that while EO14028 applies specifically to government agencies and the vendors and contractors they work with, the guidance provided is something all organizations can benefit from and should be following. Integrating a phishing-proof MFA such as Twosense into an organization's security posture is one proactive way companies can protect themselves from potential attacks. Developed in partnership with the United States Department of Defense, Twosense uses machine learning to drive passive biometrics that can guarantee a user's identity continuously throughout the day. This approach is completely unphishable, as there are no keys or codes that can be handed to an attacker in the event of a phishing attempt. With 3 simple steps, admins can deploy MFA everywhere, on every app, all the time, while simultaneously reducing user friction and transitioning to phishing-resistant MFA.
