Apr 17 2023
Security

Agencies Onboarding Contractors Need More Diverse Authentication Technologies

In addition, federal zero-trust requirements are promoting phishing-resistant multifactor authentication, FIDO2 standards and federation portals.

Agencies are implementing multifactor authentication as part of the federal push toward zero-trust architectures. For staff, the common Personal Identity Verification card gets the job done.

Yet, things get complicated when agencies need to onboard contractors, who by some estimates account for up to 40 percent of the federal workforce.

“Not everyone who needs to access a federal information system is PIV-eligible,” says Grant Dasher, architecture branch chief in the Office of the Technical Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency. This includes the vast and ever-changing cadre of short-term contractors, for whom a PIV card isn’t practical.

“Do we have good visibility, good onboarding and offboarding? Do we know when they're supposed to be onsite?” says J. Wolfgang Goerlich, advisory CISO at Cisco Secure. “Especially if it's a short-term assignment, it can be complicated.”

Going forward, agencies will need “a more diverse set of authentication technologies in order to reach those populations,” Dasher says.


Why Only Some Agencies Have Implemented MFA

As they embark on their zero-trust journeys, most federal agencies have implemented multifactor authentication for their employees. However, 34 percent have not, according to an August survey commissioned by Okta.

Even with MFA in place, problems can arise. Bad actors look to phishing and other social engineering schemes to bypass multifactor safeguards, with almost 113 million attacks against MFA reported in the first half of 2022, Okta reports. A substantial number of those attacks were aimed at public sector entities.

While PIV cards help keep staff secure, there’s a gap in getting these in the hands of short-term contractors.

“The biggest issue that we've seen with our contractor team is incorporating them, bringing them through the onboarding process,” says JàNelle DeVore, CISO for the Department of Agriculture.

In the past, “we could fill that gap with a user ID and password until they could get a PIV,” she says. But with today’s zero-trust requirements, stronger controls are needed. In particular, agencies need MFA technologies that are immune to social engineering exploits.

“We care about phishing-resistant MFA because it’s well understood in the cybersecurity community, and we have a lot of evidence to demonstrate that it’s perhaps the single most impactful security control that you can put in place to stop adversarial activity,” Dasher says.


How FIDO2 Is Helping Standardize Authentication

Given the complexity of implementing MFA in support of zero trust, especially with regard to the vast federal contracting population, agencies need to modernize their identity, credential and access management systems.

Fortunately, a range of ICAM technologies are available to support this effort. For example, many agencies are looking to implement devices that support the latest iteration of Fast Identity Online (FIDO2), a set of open, standardized authentication protocols.

At USDA, “as we move forward to full implementation of the zero-trust authentication requirements, FIDO2 is going to be one of our alternative methods,” DeVore says.

FIDO may take the form of a device, such as a USB stick or security token that plugs in to authenticate the user. It can also be “chips built into devices we buy every day,” says Kenneth Myers, director of the Identity Assurance and Trusted Access Division in the General Services Administration’s Office of Governmentwide Policy. “If you have the latest MacBook or Windows laptop, it has a chip that can leverage FIDO,” as do iPhone and Android devices, Myers says.

“Agencies are starting to use new tools that natively support the FIDO2 authenticators. We see a lot of agencies running pilots to look at these,” he says.
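The property that makes FIDO2 authenticators phishing-resistant, in the sense the article's sources describe, is that the signed login assertion is bound to the relying party's identifier and to the origin the browser actually displayed, and it answers a one-time challenge. The following toy model is an added illustration, not code from the article, CISA, GSA or any vendor. The domain names, user name and challenge format are constructed, and an HMAC keyed by a per-credential secret stands in for the real asymmetric signature so the example runs on the Python standard library alone; the checks the relying party performs (origin, challenge, rpId hash, signature counter, signature) mirror the WebAuthn verification steps in simplified form.

```python
"""Toy FIDO2/WebAuthn login model: why a credential registered for the agency's
domain cannot be used through a look-alike site or replayed.
Added illustration only; HMAC replaces the real public-key signature."""
import hashlib
import hmac
import json
import secrets

RP_ID = "agency.example.gov"               # constructed relying-party ID
RP_ORIGIN = "https://agency.example.gov"   # constructed legitimate origin


class Authenticator:
    """Roaming or platform authenticator: keys are scoped to (rpId, credentialId)."""

    def __init__(self):
        self._creds = {}   # (rp_id, cred_id) -> per-credential secret (toy stand-in)
        self._counter = 0  # signature counter, incremented on every assertion

    def make_credential(self, rp_id):
        cred_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._creds[(rp_id, cred_id)] = key
        return cred_id, key   # a real authenticator would return a public key

    def get_assertion(self, rp_id, cred_id, client_data_json):
        key = self._creds.get((rp_id, cred_id))
        if key is None:
            return None   # no credential scoped to this RP ID: refuse to sign
        self._counter += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + self._counter.to_bytes(4, "big")
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(key, to_sign, hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self._users = {}      # user -> [cred_id, key, last_counter]
        self._pending = set() # outstanding one-time challenges

    def register(self, user, cred_id, key):
        self._users[user] = [cred_id, key, 0]

    def begin_login(self):
        challenge = secrets.token_urlsafe(32)
        self._pending.add(challenge)
        return challenge

    def finish_login(self, user, client_data_json, auth_data, sig):
        cred_id, key, last = self._users[user]
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False                       # origin binding
        if cd.get("challenge") not in self._pending:
            return False                       # unknown or already-used challenge
        self._pending.discard(cd["challenge"])
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False                       # rpIdHash binding
        counter = int.from_bytes(auth_data[32:36], "big")
        if counter <= last:
            return False                       # replayed or cloned authenticator
        expected = hmac.new(key, auth_data + hashlib.sha256(client_data_json).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self._users[user][2] = counter
        return True


def browser_sign(authn, rp_id, origin, cred_id, challenge):
    """The browser's role: clientData carries the page's real origin, the RP ID is
    derived from that origin, and the authenticator is asked to sign both."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    return client_data, authn.get_assertion(rp_id, cred_id, client_data)


def _setup():
    authn, rp = Authenticator(), RelyingParty(RP_ID, RP_ORIGIN)
    cred_id, key = authn.make_credential(RP_ID)
    rp.register("contractor1", cred_id, key)   # constructed user
    return authn, rp, cred_id


def legitimate_login():
    authn, rp, cred_id = _setup()
    client_data, (auth_data, sig) = browser_sign(authn, RP_ID, RP_ORIGIN, cred_id, rp.begin_login())
    return rp.finish_login("contractor1", client_data, auth_data, sig)


def phished_login():
    """Challenge relayed through a look-alike domain (constructed): the browser
    derives the RP ID from the page actually shown, so the authenticator has no
    matching credential and refuses; the RP would reject the origin anyway."""
    authn, rp, cred_id = _setup()
    client_data, result = browser_sign(authn, "agency-login.example.net",
                                       "https://agency-login.example.net", cred_id, rp.begin_login())
    if result is None:
        return False
    return rp.finish_login("contractor1", client_data, *result)


def replayed_login():
    """A captured assertion presented a second time fails: challenge consumed, counter stale."""
    authn, rp, cred_id = _setup()
    client_data, (auth_data, sig) = browser_sign(authn, RP_ID, RP_ORIGIN, cred_id, rp.begin_login())
    first = rp.finish_login("contractor1", client_data, auth_data, sig)
    return first and rp.finish_login("contractor1", client_data, auth_data, sig)
```

The contrast with a one-time code typed into a form is the point: a code relayed through a look-alike page verifies fine at the real service, whereas here the authenticator never produces a usable signature for a domain it was not registered with, and the relying party independently rejects any assertion whose origin, challenge or rpId hash does not match.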

All this potentially adds to ICAM complexity and likely will prompt agencies to go deeper into their efforts to federate identity.


Many Agencies Adopt a Federated Approach to Identity

As agencies shift toward the FIDO standard, they will also look to deploy new ICAM technologies to integrate their applications with these authenticators.

“This tends to include modern identity management and single sign-on platforms, and there are a number of them available from different vendors that support a spectrum of phishing-resistant authentication options,” Dasher says.

Agencies will turn to these tools to help simplify and streamline their ICAM efforts.

“There are so many different systems” within the agency IT architecture, says Tom Suder, founder and president of the Advanced Technology Academic Research Center, a nonprofit organization that provides a collaborative forum for government, academic and industry professionals. “How do you have one system that allows you to access all of those different systems, which all have different credentialing?”

Agencies will need technologies that support a federated approach to identity. Many will use tools like Quest One Identity Manager or Cisco Meraki VMX Enterprise to help consolidate and coordinate their efforts.

With multiple MFA tools in play, agencies will “need to be able to integrate all of these different identities. You need to have a federation portal to do that,” Myers says.

Such a portal “uses a standard to pass identity information from one access management tool to another. There are many products that offer federation as a capability, and several agencies are looking at new access management tools that support better federation,” he says.

“Especially when you’re a smaller agency, it’s a lot easier to standardize on one set of tools,” Suder says. With this in mind, “people are using identity and access management tools like Okta to help with federation. Some people use Microsoft for identity because it’s easy: You have your identity in Microsoft, and then you’re going to the Azure cloud.”

Greater federation in ICAM becomes especially important with short-term contractors, who may bring their own technology tools to the job.

“With a full staff member, we have control over the equipment they use, while contractors may be providing a portion of that technology themselves,” Goerlich says. “From an agency perspective, you have less visibility, less oversight and less control.”


Is the Next Phase a World Without Passwords?

As agencies seek to federate their ICAM efforts in support of FIDO2, some questions remain unanswered.

“This technology is evolving, but the guidance around it hasn't evolved completely yet,” says Sean Frazier, federal chief security officer at Okta. “Do the contractors use a Windows device, and can they use Windows Hello? Do they use an iPhone, and can they use the web authenticator with the iPhone? All of these things will be made clear in the fullness of time.”

Even as the guidance evolves, some best practices already have emerged.

As a starting point, “CISA offers guidance on phishing-resistant MFA that goes into some detail on the options and the trade-offs that are available. I would encourage people to take a look at that,” Dasher says. He also points to CISA’s SCuBA Hybrid Identity Solutions Architecture guidance, which describes the architectural options for integrating some of these technologies into the existing environment.

For further guidance, Myers points to the Federal ICAM architecture. “It’s a technology-agnostic enterprise architecture that can help agencies integrate these new forms of multifactor authentication within their broader access and identity management architecture,” he says.

Myers also notes that there is government guidance available to help steer agencies as they acquire new technologies and tools in support of MFA.

“If you’re looking for cloud options, definitely go to the Federal Risk and Authorization Management Program marketplace and search for identity and access. You’ll find FedRAMP-approved cloud vendors there,” he says. For on-premises tools, “there are many products. The Continuous Diagnostics and Mitigation Program from CISA has an approved products list that’s available on GSA’s website.”


As they seek to pivot their MFA strategies, agencies should acknowledge the culture change.

“Government has probably the largest community of people who understand ICAM, but there’s a mindshare battle between the old school and the new school,” Frazier says. “A lot of people have been invested in traditional ICAM, so there’s a culture challenge. There’s a certain belief system, a certain ecosystem and infrastructure that exists around legacy ICAM.”

As they steer toward new approaches, IT leaders will need to take that into account. They’ll also need to ponder new approaches to “proofing,” or validating that the correct recipient is issued or in possession of the MFA credential.

“Every agency is going to be bespoke. They’re all going to do this a little differently depending on their infrastructure, but there are plenty of options there, and it's going to mature over time,” Frazier says. “Most likely, people will rely on existing proofing systems, and then move to more modern, automated proofing systems once those come to fruition.”

Where does all this lead? In the big picture, federal agencies envision MFA ushering in a world without passwords.

“The federal zero-trust strategy states that agencies should move toward a passwordless future, whether that means stop using passwords altogether or stop using knowledge-based factors,” Myers says.

In this vision, “the same authenticators and technology used by long-term staff and contractors can also be used by short-term contractors,” he says. “Agencies no longer have to have separate systems for each group.”

Photography by Jonathan Thorpe