Figuring out multifactor authentication

With the release of President Donald Trump’s executive order on strengthening the cybersecurity of federal networks in May, the government now begins the torturous task of bringing its networks into compliance with the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology. And although it was not named in the executive order, there is a renewed focus on NIST’s work with Short Message Service two-factor authentication (SMS 2FA), which began last year.

Back then, NIST proposed deprecating SMS 2FA because of its vulnerabilities as an out-of-band factor in multifactor authentication environments. “Deprecate” is typically used to mean that a technology will be made invalid or obsolete.

“SMS 2FA is widely used for MFA; it has been adopted and is known to users, and any MFA is better than no MFA,” said Paul Grassi, senior standards and technology adviser at NIST. “The term ‘deprecation’ confused people. It wasn’t clear if [SMS 2FA] was disallowed or remained allowed.”

He added that agencies must be aware that there are risks to using SMS for MFA and that they have alternatives.

NIST published an early preview of its proposal and received both praise and negative feedback, Grassi said. In addition, the telecommunications, financial and security industries provided guidance on how to use SMS successfully. Those actions resulted in the four-volume SP 800-63 Digital Identity Guidelines.

“NIST applied the changes and ended up landing on ‘restricted’ rather than deprecated use of SMS for 2FA,” Grassi said. “Restricted means you, the organization, are taking a risk using SMS for 2FA. Users are also taking a risk.”

The organization should offer users an alternative so they don’t have to take a risk, he added, but NIST does not tell federal agencies which authentication factors to use. Instead, it’s important for agencies to consider what flavor of MFA make sense for them and what trade-offs must be factored into those decisions.

Federal security researchers said NIST’s recommendation that agencies avoid relying on SMS delivery of one-time passwords (OTPs) does not mean an end to 2FA.

“There are other approaches that can deliver 2FA — notably push-based OTP, which sends a code to a mobile device usually via a dedicated mobile app,” said Merritt Maxim, a senior analyst at Forrester Research. “But it is cryptographically signed and not delivered via the SMS channel so it avoids the SMS delivery vulnerabilities.”

Google Authenticator is one example of a 2FA mobile app.

DOD’s CAC experience proves instructive

Before Terry Halvorsen retired as CIO of the Defense Department in February, he commissioned a plan for DOD to stop using Common Access Cards as an authentication factor. Although the plan was still a work in progress at the time of his departure, CACs’ lack of agility prompted him to draw some broad conclusions about NIST guidelines, SMS 2FA and MFA.

“DOD and certain federal networks already exceed NIST network security requirements,” said Halvorsen, who is now an executive vice president and CIO at Samsung. “DOD has CAC, PIN and other multifactor authentication methods. 2FA is not a big deal for some parts of federal networks. They’ve already completed this journey.”

Overall, he said he believes there will not be a standard MFA for the federal government and that each agency will instead work with security vendors to find the most effective solution.

“In general, you will move to MFA in conjunction with technology that makes it easy to use,” Halvorsen said. “Certain government agencies will go beyond easy-to-use MFA to leverage their mission. They are moving to get rid of passwords and go to biometrics, voice recognition, facial recognition and behavior-based movement of hands” for authentication.

Although DOD is headed toward MFA, officials will not say which MFA factors to use. Halvorsen said passwords have been supplanted as an authentication factor, however, and could fall out of use entirely. Replacement options could include iris scanners, fingerprint readers, facial recognition and other authentication factors that are becoming easier to use.

“Authentication can use a combination of biometrics, user behavior and cross-referenced user data that is easily available,” Halvorsen said. “For example, say your phone is locating you in Los Angeles, and now there’s a login from Europe. We’re sure it’s not you. Data analytics engines at a high level will authenticate.”

Eventually, Halvorsen said it would be ideal if users were not even aware of authentication activities, and he believes we will not need passwords or challenge questions to authenticate users in the future.

The weakest link in MFA

Federal networks are only as strong as the weakest people accessing them, which makes humans the weak link in security.

“So long as authentication is based primarily on human-defined and -managed passwords, our systems will be compromised,” said Phil Quade, chief information security officer at Fortinet. “Despite persistent training and warnings, passwords are almost always compromised because they are too easy to guess, used for too long — extending the duration of exposure of compromised passwords — and repeated across different accounts, allowing a compromise on one machine to lead to compromises on others.”

Debra Marchese, vice president of information systems at federal contractor UTRS, said, “Everyone is trying to get a handle on how we protect systems. There are different levels of protection. No matter how many layers of security you have, vulnerability [will] always exist if users don’t have good cyber hygiene and don’t have a vested stake in securing systems. If it’s too difficult, people will find a way around security to get their job done. Bottom line: It comes down to end users.”

From her point of view, proper network security must be part of everyday computer use rather than something that is addressed once a year by top leaders. And the only way to do that is to have an appropriate level of investment in people. Unfortunately, Marchese said that approach runs counter to how the federal government arranges its priorities.

The first thing federal agencies take into account is cost. “They’re worried more about cost than people,” she added. “Now we heard that the Obama and then the Trump administrations didn’t want to put funding in place to control the user element. Technical solutions can only go so far.”

Furthermore, MFA methods are not foolproof, and fingerprint readers and retinal scanners having the potential to be “wonky,” Marchese said. However, CAC authentication might not be too burdensome on a trusted computer if administrators post a certificate on the computer every 30 days using Google Authenticator or something similar, she added.

“PINs, fingerprints, biometrics — you can use those, but how do you work through the human factor?” Marchese said. “Sometimes it’s just ignorance on the part of the users because no one explained it so they could understand or be invested in understanding.”

She said people open attachments sent from unknown users via email despite being warned not to. “People still do this even after training,” Marchese added. “But how do you push that down the organization to middle managers [and] the day-to-day workers?” Senior leaders don’t want to be responsible, “but you have to make cyber hygiene part of people’s day-to-day thought process in a non-intrusive way somehow. You’ve got to have layered security. We need layers that don’t break the mission of the agency but also don’t break the security of the network.”

MFA solutions for the federal government cannot be one size fits all, so how an agency implements MFA should depend on the sensitivity of its data and where MFA would be used within the agency’s architecture.

“There are certain places where it may make sense for all agencies to use 2FA,” said Michael Bahar, former minority staff director and general counsel for the House Permanent Select Committee on Intelligence and now a partner at Eversheds Sutherland law firm. “However, it won’t make sense for agencies to always implement MFA in the same way or even for every instance where authentication is required. A layered defense strategy may be useful.”

Authentication factors beyond CACs

With DOD pushing fairly aggressively to eliminate CACs, there are implications for the authentication factors that will be usable replacements. Security experts say soft tokens that feature secure mobile applications (e.g., RSA SecurID) will offer reliable security in the near term.

“For years, the market has produced authentication solutions that offered better security but often at the expense of the user experience,” said David London, a senior director in the security services practice at the Chertoff Group. “For example, two-factor authentication solutions often require users to ‘break stride’ to log in — such as those that not only require a password but also require a user to find a hardware token, copy a number off it and then enter it into an application. As a result, these solutions have had uneven implementation and uptake.”

Instead, commercial tools such as Apple Touch ID or Windows Hello, which are face- or fingerprint-based, could have useful government applications if properly deployed. And most smartphones and laptops now ship with “primitives” built in to deliver strong MFA that allows password-less login experiences that are more secure and easier for the user, said Jeremy Grant, former senior executive adviser for identity management at NIST.

“In these cases, factor 1 is a biometric that is matched on the device and only on the device — it cannot leave it,” said Grant, who is now Venable’s managing director for technology business strategy. “Once matched, it then unlocks factor 2: the private key of a public/private cryptographic key pair that is used to log in the user. There are a number of great options in the market to get this these days, and they don’t mean embracing a full-blown PKI solution.”

PKI: Gold standard for MFA

Whatever the authentication factors available for MFA, the federal gold standard is public-key infrastructure, said Army Col. Tom Clancy, identity and asset management lead in the DOD CIO’s office. That is especially true for hardware PKI. But there are a number of situations in which the technology does not come into play.

“There are a bunch of use cases that were almost exclusively username/password protected,” he said. “Old technology is one — devices or applications that didn’t support PKI.” As an example, he cited privileged users who access servers that don’t support PKI. “That’s a support case for MFA alternatives to PKI.”

Furthermore, DOD’s workforce is becoming increasingly mobile, but phone-based authentication is a challenge. And because the department’s partners in state and local government, nongovernmental organizations and industry do not issue PKI to their personnel, DOD needs other physical authentication solutions.

Commercial MFA tools can play an important role where PKI-based authentication is not supported or readily accessible, said Brandon Iske, the Defense Information Systems Agency’s lead for mobile enablement and the Purebred program, which seeks to put security credentials directly on employees’ mobile devices. He added that the National Information Assurance Partnership certifies devices and hardware that have built-in MFA.

“We’ve been working to identify alternatives to username/password for use cases that cannot implement PKI for two years,” Clancy said. “DOD has approved two alternatives to PKI when PKI is infeasible: RSA SecurID [and] YubiKey.”

Nevertheless, device-based PKI should be used at the appropriate level. And the industry has been improving on the way that devices store PKI certificates to meet advanced assurance levels, he added.

“We don’t need to demand a high-assurance authenticator for public information, but [we should] be diligent for protection of sensitive information,” Clancy said.

The need to know and be cyber-aware

Of course, DOD has some of the country’s most sensitive information, and it should be protected from external and internal leaks. It all comes down to the principle that employees should have access only to the information that is necessary for them to complete their appointed tasks and nothing more.

“The government organization’s access philosophy that is based on ‘need to know’ and ‘need to perform job function’ best supports the password system,” said Carl Herberger, vice president of security solutions at Radware. “Regular reviews of personnel access profiles as well as logical security awareness through education and training are imperative for the maintenance and support of the organization’s access philosophy. While password management is very serious, keep in mind that a password alone will not prevent unauthorized access.”

That means every agency, regardless of size, must create a cyber-aware culture and have a roadmap. Scope, resources and threat potential might impact how the plan is executed, but everything starts with the plan, said Mark Testoni, president and CEO of SAP National Security Services.

“Fostering cultural awareness through cyber education throughout the organization is paramount [because] each individual is a potential entry point of exploitation,” Testoni said. “Cybersecurity among federal agencies should be unambiguous. Agencies should proactively advance employee training programs — a justifiable cost when research shows that the vast majority of all cyberattacks are a result of human error.”