Why Only Some Agencies Have Implemented MFA
As they embark on their zero-trust journeys, most federal agencies have implemented multifactor authentication for their employees. However, 34 percent have not, according to an August survey commissioned by Okta.
Even with MFA in place, problems can arise. Bad actors look to phishing and other social engineering schemes to bypass multifactor safeguards, with almost 113 million attacks against MFA reported in the first half of 2022, Okta reports. A substantial number of those attacks were aimed at public sector entities.
While PIV cards help keep staff secure, there’s a gap in getting them into the hands of short-term contractors.
“The biggest issue that we've seen with our contractor team is incorporating them, bringing them through the onboarding process,” says JàNelle DeVore, CISO for the Department of Agriculture.
In the past, “we could fill that gap with a user ID and password until they could get a PIV,” she says. But with today’s zero-trust requirements, stronger controls are needed. In particular, agencies need MFA technologies that resist phishing and other social engineering exploits.
“We care about phishing-resistant MFA because it’s well understood in the cybersecurity community, and we have a lot of evidence to demonstrate that it’s perhaps the single most impactful security control that you can put in place to stop adversarial activity,” Dasher says.
How FIDO2 Is Helping Standardize Authentication
Given the complexity of implementing MFA in support of zero trust, especially with regard to the vast federal contracting population, agencies need to modernize their identity, credential and access management (ICAM) systems.
Fortunately, a range of ICAM technologies are available to support this effort. For example, many agencies are also looking to implement devices that support the latest iteration of Fast Identity Online (FIDO2), a set of open, standardized authentication protocols.
At USDA, “as we move forward to full implementation of the zero-trust authentication requirements, FIDO2 is going to be one of our alternative methods,” DeVore says.
FIDO may take the form of a device, such as a USB stick or security token that plugs in to authenticate the user. It can also be “chips built into devices we buy every day,” says Kenneth Myers, director of the Identity Assurance and Trusted Access Division in the General Services Administration’s Office of Governmentwide Policy. “If you have the latest MacBook or Windows laptop, it has a chip that can leverage FIDO,” as do iPhone and Android devices, Myers says.
“Agencies are starting to use new tools that natively support the FIDO2 authenticators. We see a lot of agencies running pilots to look at these,” he says.
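The phishing resistance the article attributes to FIDO2 comes from binding each assertion to the relying party’s identifier and to the origin the browser actually observed. The following is an added, constructed illustration (not code from USDA, GSA or any FIDO2 library): an HMAC over a device secret stands in for the authenticator’s public-key signature, the names RP_ID and RP_ORIGIN are invented, and the relying party here verifies with the same secret where a real one would hold only the public key.

```python
"""Why a FIDO2/WebAuthn assertion cannot be replayed from a look-alike site.
Constructed example: HMAC stands in for the authenticator's signature."""
import hashlib, hmac, json, secrets

RP_ID = "login.example.gov"               # constructed relying-party id
RP_ORIGIN = "https://login.example.gov"   # origin the RP expects in clientDataJSON

def host_of(origin):
    return origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]

def rp_id_allowed(origin, rp_id):
    """Browser rule: rpId must be the page's host or a registrable suffix of it."""
    h = host_of(origin)
    return h == rp_id or h.endswith("." + rp_id)

class Authenticator:
    """Stand-in for a FIDO2 authenticator holding one credential per rpId."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)   # never leaves the device
        self.rp_ids = set()
    def register(self, rp_id):
        self.rp_ids.add(rp_id)
    def assertion(self, rp_id, client_data):
        if rp_id not in self.rp_ids:
            return None                          # no credential for this rpId
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash||flags
        msg = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self.secret, msg, "sha256").digest()

def browser_get(auth, origin, rp_id, challenge):
    """navigator.credentials.get(): the browser, not the page, records the origin."""
    if not rp_id_allowed(origin, rp_id):
        return None                              # SecurityError in a real browser
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    result = auth.assertion(rp_id, client_data)
    return None if result is None else (client_data, *result)

def rp_verify(secret, challenge, client_data, auth_data, sig):
    """Relying party: check challenge, origin and rpIdHash before the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:            # phishing origin fails here
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(secret, msg, "sha256").digest(), sig)

def login_attempt(origin, rp_id):
    """One ceremony from a page at `origin` asking for `rp_id`; True iff RP accepts."""
    auth = Authenticator(); auth.register(RP_ID)
    challenge = secrets.token_urlsafe(32)
    got = browser_get(auth, origin, rp_id, challenge)
    return got is not None and rp_verify(auth.secret, challenge, *got)
```

A look-alike domain fails twice over: the browser refuses to hand it a credential scoped to the real rpId, and even an assertion obtained some other way carries the wrong origin inside clientDataJSON, so the relying party rejects it.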
All this potentially adds to ICAM complexity and will likely prompt agencies to go deeper into their efforts to federate identity.