The Executive Order on Cybersecurity mandates that agencies deploy MFA by November to enable a Zero Trust architecture.
The Executive Order on Improving the Nation’s Cybersecurity, issued by President Biden on May 12, 2021, signaled what might be a turning point in cybersecurity. Among its far-reaching provisions, it requires all federal government agencies to follow a Zero Trust architecture and employ multi-factor authentication (MFA), amounting to a de facto endorsement of these models by the administration.
The Executive Order follows multiple major cyberattacks on critical US infrastructure, including the Colonial Pipeline and SolarWinds attacks. The order aims to protect against, and mitigate the damage from, such attacks in the future by strengthening and modernizing the cyberdefenses of federal networks and of the organizations that do business with the government.
As the name implies, the Zero Trust model takes a “never trust, always verify” approach to protecting information and systems. Support for Zero Trust has grown steadily over the past decade, but the term generated more marketing buzz than adoption as a best practice until the National Institute of Standards and Technology (NIST) published its guidelines on Zero Trust architecture, NIST SP 800-207.
Zero Trust abolishes the concept of a secure network perimeter. Instead, it assumes that any user, device or service could be compromised, so each must be rigorously authenticated, authorized and continuously verified before being granted access to enterprise applications and data.
With no trusted perimeter, identity assurance becomes the basis of trust, making strong authentication critical to a Zero Trust architecture. By singling out multi-factor authentication (MFA), the Executive Order acknowledges the inadequacy of legacy authentication systems that rely on knowledge-based factors: shared secrets such as passwords, PINs and security questions that are known to both the user and the service.
The “new” Zero Trust MFA mandate mirrors advice security experts have been shouting for years. Hacked or stolen credentials lead to the vast majority of breaches, creating an unacceptable level of risk. The Colonial Pipeline attack boosted awareness on this front: the entry point for the crippling ransomware was traced to a single compromised password.
Rather than relying on a knowledge factor alone to establish trust in users, MFA methods require at least one additional factor, making them far more secure than single-factor authentication such as a password. These other factors fall into two categories: something the user has (e.g., a hardware token, a one-time passcode or a mobile device) or something the user is (e.g., a face, voice or fingerprint scan).
Agencies must fully adopt multi-factor authentication within 180 days of the order date, which means a deadline of November 8, 2021.
The Executive Order does not specify an MFA method, which leaves that aspect vague. It does, however, leave plenty of room for evolution in a space that sorely needs it.
Federal agencies already required employees and contractors to use PKI-based Personal Identity Verification (PIV) cards and Common Access Cards (CAC) to access physical and IT resources. These forms of MFA, however, proved problematic at the height of the COVID-19 shutdown: they rely on an in-person identity-proofing process and on specialized hardware that interacts with the identity cards, which many federal workers and contractors lacked at home.
The Executive Order’s MFA mandate essentially approves other multi-factor authentication methods where use of a PIV card or CAC is unfeasible. The lack of specificity brings welcome flexibility for agencies and other organizations, but lip-service compliance could seriously undermine the order’s intent.
Under Zero Trust, MFA becomes the gatekeeper, and the strength of that gatekeeper affects the security of the entire Zero Trust architecture. MFA methods that use a password as one of the authentication factors should be dismissed out of hand: with 1.5 billion credentials floating around on the dark web, password-based MFA is effectively reduced to a single-factor mechanism.
Other types of multi-factor authentication credentials can be intercepted in man-in-the-middle (MiTM) attacks, obtained through phishing or SIM swapping, bypassed with push attacks, or stolen from centralized repositories.
Like the PIV and CAC standards, the most secure MFA methods on the market leverage public key cryptography: the server stores only public keys, so there is no central database of secrets that can be compromised. The FIDO (Fast Identity Online) specification defines a set of protocols for simpler, stronger passwordless user authentication, making it possible to deploy strong PKI-based MFA beyond the traditional boundaries of the enterprise. NIST is a FIDO Alliance member, and multiple NIST guidelines reference FIDO standards. In particular, FIDO authentication aligns with Authenticator Assurance Level 3 (AAL3), the highest level defined in NIST SP 800-63B.
Beyond higher assurance levels and greater security, passwordless MFA holds other advantages over its password-based, PIV/CAC and security-token counterparts. It also speeds up the authentication process, boosts productivity and reduces helpdesk and IT costs.
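The properties the preceding three paragraphs rely on (the server holds no secret that a breach could expose, a captured login cannot be replayed, and an assertion produced on a lookalike site is useless to the real one) can be seen in a small model of a FIDO-style challenge-response login. The following Go program is an added example, not code from the original post, from HYPR or from the FIDO Alliance. The type and function names (RelyingParty, Authenticator, NewChallenge, Sign, Verify), the sample origin login.agency.example and the lookalike host login-agency.example are all constructed for the example. It keeps the three checks a WebAuthn server actually performs on clientData (challenge freshness, origin, signature) and omits attestation, signature counters, user verification and rpID scoping.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is what gets signed: the server's one-time challenge and the origin
// the browser actually connected to (the browser, not the user, fills it in).
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models a FIDO token (e.g. a smartphone); the private key never leaves it.
type Authenticator struct {
	credID string
	priv   *ecdsa.PrivateKey
}

// RelyingParty models the login service; its credential store holds public keys only.
type RelyingParty struct {
	origin  string
	pubKeys map[string]*ecdsa.PublicKey // credential ID -> public key, nothing secret
	pending map[string]bool             // outstanding single-use challenges
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

// NewAuthenticator performs registration: a fresh P-256 key pair generated on the device.
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id := sha256.Sum256(priv.PublicKey.X.Bytes()) // toy credential ID derived from the public key
	return &Authenticator{credID: base64.RawURLEncoding.EncodeToString(id[:16]), priv: priv}, nil
}

// Register stores only the public half of the credential.
func (rp *RelyingParty) Register(a *Authenticator) { rp.pubKeys[a.credID] = &a.priv.PublicKey }

// NewChallenge issues a random challenge that is valid for exactly one login attempt.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand fills b entirely; Go 1.24+ aborts rather than return an error
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.pending[c] = true
	return c
}

// Sign answers a challenge by signing it together with the origin the browser is on.
func (a *Authenticator) Sign(challenge, origin string) (string, []byte, []byte, error) {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return a.credID, cd, sig, err
}

// Verify rejects unknown credentials, replayed or forged challenges, wrong origins and bad signatures.
func (rp *RelyingParty) Verify(credID string, clientDataJSON, sig []byte) error {
	pub := rp.pubKeys[credID]
	if pub == nil {
		return errors.New("unknown credential")
	}
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if !rp.pending[cd.Challenge] {
		return errors.New("challenge not outstanding: replayed or forged assertion")
	}
	if cd.Origin != rp.origin {
		return errors.New("origin mismatch: assertion was produced on another site")
	}
	if h := sha256.Sum256(clientDataJSON); !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("bad signature")
	}
	delete(rp.pending, cd.Challenge) // consume the challenge so it cannot be reused
	return nil
}

func main() {
	rp := NewRelyingParty("https://login.agency.example") // constructed sample origin
	auth, _ := NewAuthenticator()
	rp.Register(auth)
	id, cd, sig, _ := auth.Sign(rp.NewChallenge(), "https://login.agency.example")
	fmt.Println("genuine login:", rp.Verify(id, cd, sig))      // <nil>
	fmt.Println("replayed assertion:", rp.Verify(id, cd, sig)) // rejected: challenge consumed
	id, cd, sig, _ = auth.Sign(rp.NewChallenge(), "https://login-agency.example") // constructed lookalike
	fmt.Println("lookalike origin:", rp.Verify(id, cd, sig))   // rejected: origin mismatch
}
```

The contrast with a password or OTP is the store: `pubKeys` can be dumped in full without giving anyone the ability to log in, whereas a leaked password hash or OTP seed is exactly the "centralized repository" risk named above. The origin check is what makes the scheme phishing-resistant: the user never types anything that could be forwarded, and an assertion carries the site it was made on.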
HYPR True Passwordless™ MFA helps organizations implement Zero Trust principles the right way, with user-initiated authentication that meets the strongest standards. It turns an off-the-shelf smartphone into a FIDO token to prevent phishing, fraud, MiTM and other credential attacks. Login is seamless and instant, and shared secrets never enter the process.
To find out how HYPR can help streamline your Zero Trust initiatives, talk to our experts.