The US Government is Now Requiring Phishing-Resistant MFA: What You Need to Know
On January 26, 2022, the Office of the Management and Budget (OMB) issued a memo with the subject “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles.” This memo sets the groundwork for creating a zero trust architecture for federal agencies, with the goal of meeting this objective by the end of 2024. This is an exciting and necessary move made after the Biden administration released a previous Executive Order on improving cybersecurity.
While this memo is specifically for government agencies and vendors and contractors they work with, the guidance provided is one all organizations should be following and worth reading. The basic tenet of zero trust is “never trust, always verify” and by engaging in this mindset your organization will be able to move from more of a “detection” strategy to more of a “prevention” program.
Three key takeaways from the memo
- All multi-factor authentication (MFA) is NOT created equal: MFA solutions that are password-based are prone to a whole host of attacks because passwords are one of the weakest factors you can use, along with one-time passwords and SMS text messages with codes. The added friction of these factors gives a false sense of security as all of them can be easily hacked.
The memo explicitly states that passwordless MFA is where agencies should be moving to: “Agencies are encouraged to pursue greater use of passwordless multi-factor authentication as they modernize their authentication systems.”
- Phishable MFA factors aren’t going to cut it anymore: The memo states that for “agency staff, contractors, and partners, phishing-resistant MFA is required.” In fact, “phishing-resistant MFA” is mentioned over a dozen times in the memo. One-time codes, magic links, SMS text messages, and push notifications are all able to be phished by bad actors and should not be used anymore.
Adversaries have tools to automate attacks against passwords and other phishable factors at scale. It’s now time to move beyond these insecure factors and move towards secure factors, like biometrics and cryptographic security keys.
- The foundation of zero trust will be built on very strong authentication into every application: By moving to zero trust, it will require solutions that provide cryptographic proof of user identity, and control access to only authorized and secure devices. This is the best way to ensure the identity of users accessing critical resources and preventing malicious actors from entering into networks where they could wreak havoc.
Beyond Identity uses biometrics and cryptographic security keys, the strongest authentication factors available, to provide passwordless, unphishable MFA. Our MFA provides security and protection unmatched by any other MFA solution currently on the market. Learn more about how Beyond Identity works and our passwordless MFA.
Dr. Jasson Casey, Chief Technology Officer at Beyond Identity, said, "The U.S. Government’s move to zero trust architecture is a welcome direction. This is a move organizations outside of government should be adopting as well and will protect their critical infrastructures. The emphasis in the memo on passwordless MFA and phishing-resistant factors is a key step and designed to take away core tactics from state actors.”
He continued, “Sophisticated techniques that start with state actors always make their way into the hands of organized crime, and then eventually solo bad actors. Man-in-the-middle attacks against end users to bypass authentication, even if protected by MFA, are not just an ability of state actors. It is something that syndicates are doing at scale today, particularly in ransomware attacks. So passwordless MFA is the single most important step in stopping ransomware attacks.”
Significant sections in the memo
While the memo is worth a read in its entirety, we pulled the key sections that highlight the changes and new mentality agencies and other organizations will need to adopt as they move to a zero trust architecture.
Definition of zero trust and securing identity and access controls
“The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.”
“This strategy places significant emphasis on stronger enterprise identity and access controls, including multi-factor authentication (MFA). Without secure, enterprise-managed identity systems, adversaries can take over user accounts and gain a foothold in an agency to steal data or launch attacks. This strategy sets a new baseline for access controls across the Government that prioritizes defense against sophisticated phishing, and directs agencies to consolidate identity systems so that protections and monitoring can be consistently applied. Tightening access controls will require agencies to leverage data from different sources to make intelligent decisions, such as analyzing device and user information to assess the security posture of all activity on agency systems."
Identity and device is the new security perimeter
“Further, Federal applications cannot rely on network perimeter protections to guard against unauthorized access. Users should log into applications, rather than networks, and enterprise applications should eventually be able to be used over the public internet. In the near-term, every application should be treated as internet-accessible from a security perspective. As this approach is implemented, agencies will be expected to stop requiring application access be routed through specific networks, consistent with CISA’s zero trust maturity model.”
This is a concept we have discussed at length in a series title "Identity is the new Cybersecurity Perimeter."
The pillars of a zero trust model
“This memorandum requires agencies to achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024. These goals are organized using the zero trust maturity model developed by CISA. CISA’s zero trust model describes five complementary areas of effort (pillars) (Identity, Devices, Networks, Applications and Workloads, and Data), with three themes that cut across these areas (Visibility and Analytics, Automation and Orchestration, and Governance).
The strategic goals set forth in this memorandum align with CISA’s five pillars:
- Identity: Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.
- Devices: The Federal Government has a complete inventory of every device it operates and authorizes for Government use, and can prevent, detect, and respond to incidents on those devices.
- Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment, and begin executing a plan to break down their perimeters into isolated environments.
- Applications and Workloads: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.
- Data: Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data, and have implemented enterprise-wide logging and information sharing.”
Emphasis on strong, phishing-resistant MFA in both its integration and enforcement
“In this document, “phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.”
“Strong authentication is a necessary component of a zero trust architecture, and MFA will be a critical part of the Federal Government’s security baseline.”
“Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.
- Agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms.
- Agencies must use strong MFA throughout their enterprise.
- MFA must be enforced at the application layer, instead of the network layer.
- For agency staff, contractors, and partners, phishing-resistant MFA is required.
- For public users, phishing-resistant MFA must be an option.
- Password policies must not require use of special characters or regular rotation.
- When authorizing users to access resources, agencies must consider at least one device- level signal alongside identity information about the authenticated user.”
“Agencies must integrate and enforce MFA across applications involving authenticated access to Federal systems by agency staff, contractors, and partners.”
“MFA should be integrated at the application layer, such as through an enterprise identity service as described above, rather than through network authentication (e.g., a virtual private network).”
“Approaching an application from a particular network must not be considered any less risky than approaching it from the public internet. Accomplishing this goal in an enterprise means progressively de-emphasizing network-level authentication by its users, and eventually removing it entirely. In mature zero trust deployments, users strongly authenticate into applications, not into the underlying networks.”
“MFA will generally protect against some common methods of gaining unauthorized account access, such as guessing weak passwords or reusing passwords obtained from a data breach. However, many approaches to multi-factor authentication will not protect against sophisticated phishing attacks, which can convincingly spoof official applications and involve dynamic interaction with users. Users can be fooled into providing a one-time code or responding to a security prompt that grants the attacker account access. These attacks can be fully automated and operate cheaply at significant scale.”
“Fortunately, there are phishing-resistant approaches to MFA that can defend against these attacks. The Federal Government’s Personal Identity Verification (PIV) standard is one such approach. The World Wide Web Consortium (W3C)’s open “Web Authentication” standard, another effective approach, is supported today by nearly every major consumer device and an increasing number of popular cloud services.”
“Agencies must require their users to use a phishing-resistant method to access agency-hosted accounts. For routine self-service access by agency staff, contractors, and partners, agency systems must discontinue support for authentication methods that fail to resist phishing, including protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.”
“This requirement for phishing-resistant methods is necessitated by the reality that enterprise users are among the most valuable targets for phishing.”
Passwordless MFA is encouraged
“Agencies are permitted under current guidance to use phishing-resistant authenticators that do not yet support PIV or Derived PIV (such as FIDO2 and Web Authentication-based authenticators) in order to meet the requirements of this strategy. To the greatest extent possible, agencies should centrally implement support for non-PIV authenticators in their enterprise identity management systems, so that these authenticators are centrally managed and connected to enterprise identities.”
“Agencies are still expected to maintain exceptional procedures for emergency situations and account recovery processes. By their nature, recovery processes represent a potential bypass of standard authentication protocols, and thus can be a significant threat vector if not mitigated. Agency recovery processes should be designed with the expectation that they are exceptional, and require high-friction methods that are costly for an adversary to overcome, such as in-person verification, live video interaction, or other similar methods.”
“Privileged Access Management (PAM) solutions that provide ephemeral single-factor credentials for human access to a system should not be used as a general purpose substitute for multi-factor authentication, or for routine single-sign-on access to legacy systems in place of needed modernization of those systems. However, they are still an important tool for improving the security of high privilege systems that are difficult or infeasible to modernize in the near term.”
“Agencies are encouraged to pursue greater use of passwordless multi-factor authentication as they modernize their authentication systems. However, when passwords are in use, they are a “factor” in multi-factor authentication. If outdated password requirements lead agency staff to reuse passwords from their personal life, store passwords insecurely, or otherwise use weak passwords, adversaries will find it much easier to obtain unauthorized account access—even within a system that uses MFA.”
Aiding the general public with strong authentication options
"This memorandum focuses primarily on the internal enterprise security posture of agencies. However, the security of enterprise and public authentication systems are interconnected. Some Federal systems, such as those that process pre-hire background investigations or the financial information of Government contractors, may be technically public-facing, yet have significant, direct impacts on the operation and security of the Government. In addition, using the same technologies for authentication across both enterprise and public systems fosters interoperability and user familiarity, while improving security across the board."
"Systems serving the general public may not yet be able to rely on phishing-resistant authentication alone in providing users access to online services, as some users of online Government services may have limited access to up-to-date devices and security technologies. At the same time, online public services are a major target for phishing attacks and account takeover, and many users will expect Government services to give them tools they can use to protect themselves. To equitably balance security and usability, public-facing Government systems need to offer users more options for authentication."
"To that end, public-facing agency systems that support MFA must give users the option of using phishing-resistant authentication within one year of the issuance of this guidance. Meeting this requirement for the general public will mean providing support for Web Authentication-based approaches, such as security keys. Agencies may also offer support for authentication using PIV and CAC credentials for agency staff and contractors who are accessing public-facing systems in their personal capacity."