What Are the Advantages of MFA for Federal Agencies?
For the federal government, virtually all of agencies’ online services and transactions “require some collection of personal information and require establishing an account,” Temoshok says. “Multifactor authentication greatly increases the security and assurance of online authentication over a network.”
In practice, MFA offers an additional layer (or layers) of protection by using some combination of three factor types:
- Something users know: This includes memorized secret factors such as usernames and passwords. This is the most common form of single-factor authentication. While knowledge-based security is easy to implement, it’s also easy for attackers to compromise via social engineering or brute-force efforts.
- Something users have: This includes physical tokens, ID cards or one-time codes generated by authenticator applications or sent from secure services. This provides an additional layer of protection against compromise since attackers can’t access accounts using knowledge-based
- Something users are: This includes biometric data such as fingerprints, facial recognition and iris scanning. Biometric factors are becoming more popular as mobile device adoption increases.
For Temoshok, effective MFA combines a local factor, such as a memorized secret or a biometric characteristic, with demonstrated possession of a device, verified by app-based authentication or a one-time code sent to that device. This model helps ensure that secret information remains local rather than being transmitted over the internet.
Why MFA Is the Way Forward for Government
Temoshok puts it simply: “Adoption of authentication is mandatory.”
Informed by both executive order 13681 and the Federal Information Security Modernization Act, NIST is responsible under the law for publishing guidelines around the effective implementation of authentication for federal agencies.
“This is typically done through special publications in the 800 series,” says Temoshok. For example, NIST Special Publication 800-53 covers security and privacy controls for information systems and organizations, while Temoshok’s team is responsible for Special Publication 800-63, “which specifies how organizations are responsible for protecting information both internally and externally to access services.”
Under FISMA, agencies are required to carry out analysis and evaluation of systems against SP 800-53 to ensure baseline controls are established. If these systems are available to the public, meanwhile, then digital identity guidelines also apply. Agencies must evaluate current access policies and processes and determine where they fall on NIST’s threat and risk assessment framework: low, moderate or high.
While agencies conducting low-risk data collection and handling that doesn’t include personally identifiable information can use single-factor authentication, any organization collecting personal data falls into the moderate or high category and must make use of MFA. According to Temoshok, agencies must “evaluate controls and make reports on an annual basis, and these reports are subject to audit by agency inspector generals.”
President Joe Biden’s May 2021 executive order on cybersecurity required agencies to adopt MFA and encryption for data at rest and in transit to the maximum extent possible.
From a functional perspective, the National Security Agency recommends using government-furnished equipment (GFE) wherever possible to reduce the risk of device-level compromise. According to an NSA white paper on selecting MFA solutions, “If GFE is available, it should be used. If GFE cannot be used, NSA recommends a temporary secure operating system such as the publicly-available DOD Trusted End Node Security solution to create a ‘virtual GFE.’”
What’s Next for Government MFA?
When it comes to staff, Temoshok notes that “adoption is not an issue” for federal agencies. Mandatory use of personal identity verification cards (PIVs), which contain both biometric characteristics and personal details, provides straightforward MFA protection for all staff accessing physical buildings and agency networks.
When it comes to the public, meanwhile, the future of MFA is more complicated. “We don’t issue PIVs to the public,” says Temoshok. “In order to have authenticators associated with a proven identity, members of the public need an enrollment account and registration.