The US Cybersecurity and Infrastructure Security Agency (CISA) is urging all users to adopt multi-factor authentication (MFA) and for CEOs to adopt FIDO as part of their MFA implementation. CISA Director Jen Easterly told an audience at the FIDO Alliance conference that it is time to “forcefully nudge” users into MFA adoption by making it the default setting rather than an option.
- Good to see this position but a two-pronged caution: “Forceful nudging” should only occur after internal testing to make sure both that the authentication approach and apps/devices are all configurated to work together successfully and that backup processes are made resistant to MFA bypass attacks that we’ve seen. These two things are achievable but non-trivial – we will see many early MFA failure stories from deployments that don’t address them up front.
- While we’ve been talking about MFA for a bit, the push to FIDO, an enabling component of password less authentication, represents raising the bar to MFA components which are not so easily spoofed or phished. Don’t try to eat the whole elephant at once; start with your externally exposed applications and entry points and leverage your IDPs capability to conditionally raise the bar on authentication based on risk. Remember to consider collaborators and business partners when rolling out these solutions.
- When the US government states it is pushing for Phishing Resistant MFA, FIDO is an example of that. The problem is many websites do not yet support it, and FIDO often requires a dedicated software or hardware token. Apple, Microsoft, Google, and others’ push to Passkeys greatly simplifies the FIDO implementation for end users, but it’s not yet fully baked and deployed. So while this all sounds great, we are several years out from when FIDO is both simple and widely adopted. More on FIDO / Phishing Resistant MFA at www.sans.org: What is Phishing Resistant MFA?
- Most of the public applications seem to offer at least an option. The problem continues to be within the enterprise, where fraudulently reusable credentials are implicated in breaches.
Read more in