Previously, we wrote about the Biden administration's Executive Order on Improving the Nation’s Cybersecurity, issued last May. Among its provisions, it specifically requires agencies to deploy multi-factor authentication (MFA) technologies to facilitate a Zero Trust architecture. The Executive Order served as a welcome charge to action to align the country’s cybersecurity with industry documented best practices: implementing MFA is one of the strongest deterrents to account compromise. While the mandate did not specify the type of MFA required, it was a significant step in the right direction.
Fast forward to now. On September 8, 2021, the Office of Management Budget (OMB) released a draft Federal Zero Trust Strategy in support of Executive Order 14028. The comment period closed this week. In its draft guidance, the OMB doubles down on the MFA mandate and offers more granularity in regards to criteria for the MFA technology deployed.
The draft specifically requires phishing-resistant MFA for all agency staff, contractors, and partners. It also must be provided as an option in all public-facing systems. The guidance drops the hammer on antiquated MFA technologies such as one-time passwords (OTP), push notifications, and security questions (yes, they are still in use). In fact, it eliminates any technology that is predicated on some sort of shared secret as all of these are susceptible to man-in-the-middle (MiTM) attacks. This parallels recent guidance from the FFIEC and the European Union’s PSD2 requirement for Strong Customer Authentication.
As far as permissible MFA solutions go, the draft document goes on to reference PKI-based Personal Identity Verification (PIV) smart cards, the Web Authentication standard published by the World Wide Web Consortium (W3C) , and other technology that is "verifier impersonation-resistant" as per NIST Special Publication 800-63-3. It further clarifies that Privileged Access Management (PAM) solutions may not be used in place of multi-factor authentication when authenticating human users to a system.
As mentioned, the guidelines call out the W3C Web Authentication standard, commonly known as WebAuthn, which is a core component of the FIDO2 specification. This, along with the FIDO Alliance's Client to Authenticator Protocol (CTAP), combine to provide the full end-to-end passwordless MFA flow. Regular readers of this blog should not be surprised WebAuthn is included in the OMB’s recommendations, as HYPR has long been asserting the phishing resistance of FIDO2 authentication.
Given the OMB’s backing of WebAuthn and the fact that almost all modern browsers support the technology, I would argue it offers the path of least resistance for mandate adherence. It also offers greater flexibility for remote work and other cases that present challenges for use of PIV or CAC cards.
The OMB guidance provides agencies with the flexibility to look for a more modern way to authenticate users through new technology like HYPR’s True Passwordless MFA. HYPR sits on the FIDO Alliance Board of Directors and our technology holds FIDO2-certification. HYPR’s unique, user-initiated MFA provides the highest fidelity authentication, aligning with NIST 800-63B Authenticator Assurance Level 3 (AAL3) requirements.
While phishing-resistant MFA is not the only requirement defined in the Federal Zero Trust Strategy, it is one that HYPR easily solves. There are no shared secrets involved in the entire process, thus nothing to phish or intercept. Moreover, our approach of decoupling identity from authentication means that you can integrate the strongest MFA quickly and consistently across platforms and applications.
To find out how HYPR can help streamline your Zero Trust initiatives, talk to our experts.