The US Cybersecurity and Infrastructure Security Agency (CISA) is urging all users to adopt multi-factor authentication (MFA) and for CEOs to adopt FIDO as part of their MFA implementation. CISA Director Jen Easterly told an audience at the FIDO Alliance conference that it is time to “forcefully nudge” users into MFA adoption by making it the default setting rather than an option.
Note
- Good to see this position but a two-pronged caution: “Forceful nudging” should only occur after internal testing to make sure both that the authentication approach and apps/devices are all configurated to work together successfully and that backup processes are made resistant to MFA bypass attacks that we’ve seen. These two things are achievable but non-trivial – we will see many early MFA failure stories from deployments that don’t address them up front.
- While we’ve been talking about MFA for a bit, the push to FIDO, an enabling component of password less authentication, represents raising the bar to MFA components which are not so easily spoofed or phished. Don’t try to eat the whole elephant at once; start with your externally exposed applications and entry points and leverage your IDPs capability to conditionally raise the bar on authentication based on risk. Remember to consider collaborators and business partners when rolling out these solutions.
- When the US government states it is pushing for Phishing Resistant MFA, FIDO is an example of that. The problem is many websites do not yet support it, and FIDO often requires a dedicated software or hardware token. Apple, Microsoft, Google, and others’ push to Passkeys greatly simplifies the FIDO implementation for end users, but it’s not yet fully baked and deployed. So while this all sounds great, we are several years out from when FIDO is both simple and widely adopted. More on FIDO / Phishing Resistant MFA at www.sans.org: What is Phishing Resistant MFA?
- Most of the public applications seem to offer at least an option. The problem continues to be within the enterprise, where fraudulently reusable credentials are implicated in breaches.
Read more in
- NEXT LEVEL MFA: FIDO AUTHENTICATION
- CISA Encourages Orgs To Go Further Than MFA, Adopt FIDO Authentication
- US CISA Official: ‘Forcefully Nudge’ Users to Adopt MFA
Alex Lim
Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
