Mar 16 2022

Federal Agencies Can Strengthen Identity Verification Methods with MFA

Multifactor authentication, now mandated by an executive order, allows agencies to enhance their security posture and achieve regulatory compliance.

Multifactor authentication (MFA) is now mandatory for federal agencies handling and collecting citizens’ personal information.

With advanced persistent threats on the rise — and the Cybersecurity and Infrastructure Security Agency adding single-factor authentication to its list of “bad practices” — MFA is the way forward for organizations to both protect personal data and ensure compliance with regulatory directives.

What does this look like in practice? How are agencies currently using MFA, what advantages does it offer and what’s on the horizon for multifactor frameworks?

How Federal Agencies Are Using MFA

According to David Temoshok, senior policy adviser for the Trusted Identities Group at the National Institute of Standards and Technology, the move toward MFA started under President Barack Obama with the National Strategy for Trusted Identities in Cyberspace, developed “to advance the concept of trusted IDs with the public. It emphasized the need for MFA to improve online authentication and protect their accounts to prepare for online and digital services to the public and the government.”

This protective priority was further emphasized by executive order 13681 in 2014. “If the federal government was going to collect and handle personally identifiable information,” says Temoshok, “it needed to be protected through MFA.”

Agencies now use a variety of solutions to enforce MFA policies. For example, the Agriculture Department and the Centers for Medicare and Medicaid Services use Okta for multifactor authentication, the National Institute of Allergy and Infectious Diseases leverages Cisco Duo and the Department of Defense Education Activity is moving to a Microsoft MFA solution in addition to its Common Access Card system for staff.


What Are the Advantages of MFA for Federal Agencies?

For the federal government, virtually all of agencies’ online services and transactions “require some collection of personal information and require establishing an account,” Temoshok says. “Multifactor authentication greatly increases the security and assurance of online authentication over a network.”

In practice, MFA offers an additional layer (or layers) of protection by using some combination of three factor types:

  • Something users know: This includes memorized secret factors such as usernames and passwords. This is the most common form of single-factor authentication. While knowledge-based security is easy to implement, it’s also easy for attackers to compromise via social engineering or brute-force efforts.
  • Something users have: This includes physical tokens, ID cards or one-time codes generated by authenticator applications or sent from secure services. This provides an additional layer of protection against compromise since attackers can’t access accounts using knowledge-based
  • Something users are: This includes biometric data such as fingerprints, facial recognition and iris scanning. Biometric factors are becoming more popular as mobile device adoption increases.

For Temoshok, effective MFA combines a local factor, such as a memorized secret or a biometric characteristic, with demonstrated possession of the device verified by app-based authentication or one-time code sent to the device. This model helps ensure that secret information remains local rather than being transmitted over the internet.
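The authenticator-app model Temoshok describes can be made concrete with RFC 6238 time-based one-time passwords: the seed never leaves the device or the verifier, and only a short code crosses the network. The code below is an added example, not from the article or from NIST; the Base32 seed is a constructed demo value, and the skew and replay handling are ordinary server-side practice rather than anything the article specifies.

```python
# Added example: TOTP (RFC 6238) built on HOTP (RFC 4226), plus the verifier-side
# checks a relying party needs. The shared seed stays local; only the code moves.
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo seed, Base32 as shown in authenticator enrollment QR codes.
DEMO_SEED_B32 = "JBSWY3DPEHPK3PXP"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter taken from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, presented: str, unix_time: int, step: int = 30,
                skew: int = 1, last_counter: int = -1, digits: int = 6):
    """Verifier side: accept the current step or +/-`skew` neighbours (clock drift),
    refuse any step at or before the last accepted one (replay), and compare in
    constant time. Returns (accepted, counter) so the caller can persist the counter."""
    current = unix_time // step
    for counter in range(current - skew, current + skew + 1):
        if counter <= last_counter:
            continue  # already consumed, or older than the last accepted step
        if hmac.compare_digest(hotp(secret, counter, digits), presented):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    seed = base64.b32decode(DEMO_SEED_B32)
    now = int(time.time())
    code = totp(seed, now)            # what the authenticator app displays
    print("code sent over the network:", code)
    print("verifier accepts:", verify_totp(seed, code, now))
```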


Why MFA Is the Way Forward for Government

Temoshok puts it simply: “Adoption of authentication is mandatory.”

Informed by both executive order 13681 and the Federal Information Security Modernization Act, NIST is responsible under the law for publishing guidelines around the effective implementation of authentication for federal agencies.

“This is typically done through special publications in the 800 series,” says Temoshok. For example, NIST Special Publication 800-53 covers security and privacy controls for information systems and organizations, while Temoshok’s team is responsible for Special Publication 800-63, “which specifies how organizations are responsible for protecting information both internally and externally to access services.”

Under FISMA, agencies are required to carry out analysis and evaluation of systems against SP 800-53 to ensure baseline controls are established. If these systems are available to the public, meanwhile, then digital identity guidelines also apply. Agencies must evaluate current access policies and processes and determine where they fall on NIST’s threat and risk assessment framework: low, moderate or high.


While agencies conducting low-risk data collection and handling that doesn’t include personally identifiable information can use single-factor authentication, any organization collecting personal data falls into the moderate or high category and must make use of MFA. According to Temoshok, agencies must “evaluate controls and make reports on an annual basis, and these reports are subject to audit by agency inspectors general.”

President Joe Biden’s May 2021 executive order on cybersecurity required agencies to adopt MFA and encryption for data at rest and in transit to the maximum extent possible.

From a functional perspective, the National Security Agency recommends using government-furnished equipment (GFE) wherever possible to reduce the risk of device-level compromise. According to an NSA white paper on selecting MFA solutions, “If GFE is available, it should be used. If GFE cannot be used, NSA recommends a temporary secure operating system such as the publicly-available DOD Trusted End Node Security solution to create a ‘virtual GFE.’”


What’s Next for Government MFA?

When it comes to staff, Temoshok notes that “adoption is not an issue” for federal agencies. Mandatory use of personal identity verification cards (PIVs), which contain both biometric characteristics and personal details, provides straightforward MFA protection for all staff accessing physical buildings and agency networks.

When it comes to the public, meanwhile, the future of MFA is more complicated. “We don’t issue PIVs to the public,” says Temoshok. “In order to have authenticators associated with a proven identity, members of the public need an enrollment account and registration.

While single password and PIN is easy, it is also vulnerable to attacks. But there’s public resistance to greater complication, even for secure online transactions. They prefer to keep things the same.”

As a result, NIST permits “restricted authentication,” which uses public-switched telephone networks (PSTNs) to transmit one-time codes for MFA. “While it’s vulnerable,” says Temoshok, “we recognize that it’s much more secure than a single-factor secret.”

“Moving forward, we would like to see adoption across the federal government of stronger authentication that moves toward accepting security tokens as a second factor in authentication, such as the use of a personal secret and a Fast Identity Online ID,” he says.

MFA is here to stay for government agencies. To make the most of multifactor frameworks, however, organizations need to move beyond regulatory obligations to deploy public-friendly processes that enhance security without increasing complexity.
