The OMB Requires Phishing-Resistant MFA, Endorses FIDO
Spencer Yezo, Sr. Product Manager, HYPR
3 Min. Read | January 28, 2022
The Executive Order on Improving the Nation’s Cybersecurity, issued in May last year, served as a welcome call to action to align the country’s cybersecurity with industry-documented best practices. Among its provisions, it specifically requires agencies to deploy multi-factor authentication (MFA) technologies to facilitate a Zero Trust architecture. While a giant step in the right direction, the Executive Order notably lacked specifics as far as recommended implementation and technology strategies.
Moving Toward Zero Trust
This week, the Office of Management and Budget (OMB) released a memorandum detailing a Federal Zero Trust Strategy in support of Executive Order 14028. In its strategy, titled "Moving the U.S. Government Toward Zero Trust Cybersecurity Principles," the OMB doubles down on the Executive Order’s MFA mandate and its centrality to a Zero Trust architecture. It also provides more granularity regarding criteria for the MFA technology deployed, among its other provisions.
The entire Federal Zero Trust Strategy is available as a PDF here.
The memorandum specifically requires phishing-resistant MFA, integrated at the application layer, for all agency staff, contractors and partners. It must also be offered as an option in all public-facing systems within one year of the memo’s publication. The guidance drops the hammer on antiquated MFA technologies such as one-time passwords (OTP), push notifications, SMS or voice calls. In fact, it eliminates any technology that is predicated on some sort of shared secret, as all of these can be attacked at scale using automated tools. This parallels recent guidance from the FFIEC and the European Union’s PSD2 requirement for Strong Customer Authentication.
As for specific, permissible MFA solutions, the memorandum references PKI-based Personal Identity Verification (PIV) smart cards, and phishing-resistant authenticators based on FIDO2 or the Web Authentication standard, also known as WebAuthn, published by the World Wide Web Consortium (W3C). It further clarifies that single-factor Privileged Access Management (PAM) solutions may not be used in place of multi-factor authentication when authenticating human users to a system.
The Role of FIDO2 and WebAuthn
The guidelines explicitly call out the FIDO2 specification and the W3C Web Authentication standard. Together with the FIDO Alliance's Client to Authenticator Protocol (CTAP), these provide the full end-to-end passwordless MFA flow. Regular readers of this blog should not be surprised that FIDO2 and WebAuthn are included in the OMB’s recommendations, as HYPR has long been asserting the phishing resistance of FIDO-based authentication.
Given the OMB’s backing of FIDO2 and WebAuthn, and the fact that almost all modern browsers support the technology, I would argue this offers the path of least resistance for mandate adherence. It also offers greater flexibility for remote work and other cases that present challenges for use of PIV or CAC cards.
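The property that makes the FIDO2/WebAuthn flow phishing-resistant is that the assertion is bound to the site origin, the relying-party ID and a per-login challenge rather than to a secret the user could be tricked into typing. The following is an added example, not HYPR's code or part of the original post, showing the relying-party checks that enforce that binding; the RP ID, origin and all message contents are constructed for illustration, and the signature verification step is noted but omitted.

```python
import base64
import hashlib
import json

RP_ID = "agency.example"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://agency.example"  # assumed origin of the login page

def b64url(data: bytes) -> str:
    # Base64url without padding, as WebAuthn encodes the challenge
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_client_data(origin: str, challenge: bytes) -> bytes:
    # Constructed clientDataJSON. In a real ceremony the browser writes the
    # origin itself; page script cannot override it.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str, user_present: bool = True) -> bytes:
    # Constructed authenticatorData: rpIdHash (32 bytes) + flags + 4-byte counter
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + bytes(4)

def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes):
    # Relying-party checks that bind the assertion to this site and this session.
    # The signature over authData || SHA-256(clientDataJSON), checked against the
    # credential's stored public key, is a further required step omitted here.
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or stale session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin %s is not %s" % (cd.get("origin"), EXPECTED_ORIGIN)
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "bound to this origin, RP ID and challenge"

if __name__ == "__main__":
    challenge = b"\x11" * 32  # constructed; real servers issue fresh random bytes
    # Legitimate login from the real origin.
    print(verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                           make_auth_data(RP_ID), challenge))
    # Same fresh challenge relayed via a lookalike site: the victim's browser
    # records that site's origin and its RP ID hash, so the real RP rejects it.
    print(verify_assertion(make_client_data("https://agency-login.example", challenge),
                           make_auth_data("agency-login.example"), challenge))
```

Contrast this with an OTP or push approval, where the server only learns that the correct code was entered, not where the user entered it.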
Bring Your Organization into Compliance Faster
The OMB guidance provides agencies with the flexibility to look for a more modern way to authenticate users through new technology like HYPR’s True Passwordless™ MFA. HYPR sits on the FIDO Alliance Board of Directors and our technology holds FIDO2 certification. HYPR’s unique, user-initiated MFA provides the highest fidelity authentication, aligning with NIST 800-63B Authenticator Assurance Level 3 (AAL3) requirements.
While phishing-resistant MFA is not the only requirement defined in the Federal Zero Trust Strategy, it is one that HYPR easily solves. There are no shared secrets involved in the entire process, therefore nothing to phish or intercept. Moreover, our approach of decoupling identity from authentication means that you can integrate the strongest MFA quickly and consistently across platforms and applications.
To learn how HYPR can help streamline your Zero Trust initiatives, talk to our experts.
This post was originally published on September 23, 2021 following the draft guidance issued by the OMB. It has been modified to reflect the OMB’s final guidance, published January 26, 2022.