Figuring out multifactor authentication

With NIST now restricting the use of Short Message Service, what are the authentication options for federal agencies?


With the release of President Donald Trump’s executive order on strengthening the cybersecurity of federal networks in May, the government now begins the torturous task of bringing its networks into compliance with the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology. And although it was not named in the executive order, there is a renewed focus on NIST’s work with Short Message Service two-factor authentication (SMS 2FA), which began last year.

Back then, NIST proposed deprecating SMS 2FA because of its vulnerabilities as an out-of-band factor in multifactor authentication environments. “Deprecate” is typically used to mean that a technology will be made invalid or obsolete.

“SMS 2FA is widely used for MFA; it has been adopted and is known to users, and any MFA is better than no MFA,” said Paul Grassi, senior standards and technology adviser at NIST. “The term ‘deprecation’ confused people. It wasn’t clear if [SMS 2FA] was disallowed or remained allowed.”

He added that agencies must be aware that there are risks to using SMS for MFA and that they have alternatives.

NIST published an early preview of its proposal and received both praise and negative feedback, Grassi said. In addition, the telecommunications, financial and security industries provided guidance on how to use SMS successfully. Those actions resulted in the four-volume SP 800-63 Digital Identity Guidelines.

“NIST applied the changes and ended up landing on ‘restricted’ rather than deprecated use of SMS for 2FA,” Grassi said. “Restricted means you, the organization, are taking a risk using SMS for 2FA. Users are also taking a risk.”

The organization should offer users an alternative so they don’t have to take a risk, he added, but NIST does not tell federal agencies which authentication factors to use. Instead, it’s important for agencies to consider what flavor of MFA makes sense for them and what trade-offs must be factored into those decisions.

Federal security researchers said NIST’s recommendation that agencies avoid relying on SMS delivery of one-time passwords (OTPs) does not mean an end to 2FA.

“There are other approaches that can deliver 2FA — notably push-based OTP, which sends a code to a mobile device usually via a dedicated mobile app,” said Merritt Maxim, a senior analyst at Forrester Research. “But it is cryptographically signed and not delivered via the SMS channel so it avoids the SMS delivery vulnerabilities.”

Google Authenticator is one example of a 2FA mobile app.
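As an added illustration (not code from the article, from NIST or from Google), this is the time-based one-time password algorithm that apps such as Google Authenticator implement: RFC 6238 TOTP layered on RFC 4226 HOTP. Phone and server derive the same six-digit code from a shared secret and the current 30-second time step, so no code ever travels over the SMS channel. The secret "12345678901234567890" and the timestamps are the RFC test vectors; the `TOTPVerifier` type, its drift window and its replay check are my own assumptions about what a server-side verifier should do.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// hotp computes an RFC 4226 HMAC-SHA1 one-time password for a counter value.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp derives the counter from Unix time (RFC 6238): the phone and the server
// compute the same code from the shared secret, so nothing is sent over SMS.
func totp(secret []byte, unixTime, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// TOTPVerifier is the server side (hypothetical type): it tolerates a little
// clock drift and remembers the last accepted time step so that a code captured
// in transit or over the shoulder cannot be replayed.
type TOTPVerifier struct {
	secret      []byte
	step        int64
	digits      int
	window      int64 // steps of drift accepted on either side of "now"
	lastCounter int64 // highest time step already used; -1 before first login
}

func NewTOTPVerifier(secret []byte) *TOTPVerifier {
	return &TOTPVerifier{secret: secret, step: 30, digits: 6, window: 1, lastCounter: -1}
}

// Verify accepts the candidate if it matches a step inside the window that has
// not already been consumed; the string comparison is constant-time.
func (v *TOTPVerifier) Verify(candidate string, now int64) bool {
	current := now / v.step
	for delta := -v.window; delta <= v.window; delta++ {
		c := current + delta
		if c < 0 || c <= v.lastCounter {
			continue // replay protection: never accept a step at or below the last used one
		}
		expected := hotp(v.secret, uint64(c), v.digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(candidate)) == 1 {
			v.lastCounter = c
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226/6238 test secret
	code := totp(secret, 59, 30, 6)
	fmt.Println("code at t=59:", code)
	v := NewTOTPVerifier(secret)
	fmt.Println("first use accepted:", v.Verify(code, 59))
	fmt.Println("replay accepted:", v.Verify(code, 59))
}
```

The replay check is the part most real deployments get wrong: RFC 6238 requires that a verifier refuse a code for a time step it has already accepted, otherwise a one-time password that was intercepted is good for the rest of its 30-second window (and for the drift window on either side).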

DOD’s CAC experience proves instructive

Before Terry Halvorsen retired as CIO of the Defense Department in February, he commissioned a plan for DOD to stop using Common Access Cards as an authentication factor. Although the plan was still a work in progress at the time of his departure, CACs’ lack of agility prompted him to draw some broad conclusions about NIST guidelines, SMS 2FA and MFA.

“DOD and certain federal networks already exceed NIST network security requirements,” said Halvorsen, who is now an executive vice president and CIO at Samsung. “DOD has CAC, PIN and other multifactor authentication methods. 2FA is not a big deal for some parts of federal networks. They’ve already completed this journey.”

Overall, he said he believes there will not be a standard MFA for the federal government and that each agency will instead work with security vendors to find the most effective solution.

“In general, you will move to MFA in conjunction with technology that makes it easy to use,” Halvorsen said. “Certain government agencies will go beyond easy-to-use MFA to leverage their mission. They are moving to get rid of passwords and go to biometrics, voice recognition, facial recognition and behavior-based movement of hands” for authentication.

Although DOD is headed toward MFA, officials will not say which MFA factors to use. Halvorsen said passwords have been supplanted as an authentication factor, however, and could fall out of use entirely. Replacement options could include iris scanners, fingerprint readers, facial recognition and other authentication factors that are becoming easier to use.

“Authentication can use a combination of biometrics, user behavior and cross-referenced user data that is easily available,” Halvorsen said. “For example, say your phone is locating you in Los Angeles, and now there’s a login from Europe. We’re sure it’s not you. Data analytics engines at a high level will authenticate.”

Eventually, Halvorsen said it would be ideal if users were not even aware of authentication activities, and he believes we will not need passwords or challenge questions to authenticate users in the future.

The weakest link in MFA

Federal networks are only as strong as the weakest people accessing them, which makes humans the weak link in security.

“So long as authentication is based primarily on human-defined and -managed passwords, our systems will be compromised,” said Phil Quade, chief information security officer at Fortinet. “Despite persistent training and warnings, passwords are almost always compromised because they are too easy to guess, used for too long — extending the duration of exposure of compromised passwords — and repeated across different accounts, allowing a compromise on one machine to lead to compromises on others.”

Debra Marchese, vice president of information systems at federal contractor UTRS, said, “Everyone is trying to get a handle on how we protect systems. There are different levels of protection. No matter how many layers of security you have, vulnerability [will] always exist if users don’t have good cyber hygiene and don’t have a vested stake in securing systems. If it’s too difficult, people will find a way around security to get their job done. Bottom line: It comes down to end users.”

From her point of view, proper network security must be part of everyday computer use rather than something that is addressed once a year by top leaders. And the only way to do that is to have an appropriate level of investment in people. Unfortunately, Marchese said that approach runs counter to how the federal government arranges its priorities.

The first thing federal agencies take into account is cost. “They’re worried more about cost than people,” she added. “Now we heard that the Obama and then the Trump administrations didn’t want to put funding in place to control the user element. Technical solutions can only go so far.”

Furthermore, MFA methods are not foolproof, and fingerprint readers and retinal scanners have the potential to be “wonky,” Marchese said. However, CAC authentication might not be too burdensome on a trusted computer if administrators post a certificate on the computer every 30 days using Google Authenticator or something similar, she added.

“PINs, fingerprints, biometrics — you can use those, but how do you work through the human factor?” Marchese said. “Sometimes it’s just ignorance on the part of the users because no one explained it so they could understand or be invested in understanding.”

She said people open attachments sent from unknown users via email despite being warned not to. “People still do this even after training,” Marchese added. “But how do you push that down the organization to middle managers [and] the day-to-day workers?” Senior leaders don’t want to be responsible, “but you have to make cyber hygiene part of people’s day-to-day thought process in a non-intrusive way somehow. You’ve got to have layered security. We need layers that don’t break the mission of the agency but also don’t break the security of the network.”

MFA solutions for the federal government cannot be one size fits all, so how an agency implements MFA should depend on the sensitivity of its data and where MFA would be used within the agency’s architecture.

“There are certain places where it may make sense for all agencies to use 2FA,” said Michael Bahar, former minority staff director and general counsel for the House Permanent Select Committee on Intelligence and now a partner at Eversheds Sutherland law firm. “However, it won’t make sense for agencies to always implement MFA in the same way or even for every instance where authentication is required. A layered defense strategy may be useful.”

Authentication factors beyond CACs

With DOD pushing fairly aggressively to eliminate CACs, there are implications for the authentication factors that will be usable replacements. Security experts say soft tokens that feature secure mobile applications (e.g., RSA SecurID) will offer reliable security in the near term.

“For years, the market has produced authentication solutions that offered better security but often at the expense of the user experience,” said David London, a senior director in the security services practice at the Chertoff Group. “For example, two-factor authentication solutions often require users to ‘break stride’ to log in — such as those that not only require a password but also require a user to find a hardware token, copy a number off it and then enter it into an application. As a result, these solutions have had uneven implementation and uptake.”

Instead, commercial tools such as Apple Touch ID or Windows Hello, which are face- or fingerprint-based, could have useful government applications if properly deployed. And most smartphones and laptops now ship with “primitives” built in to deliver strong MFA that allows password-less login experiences that are more secure and easier for the user, said Jeremy Grant, former senior executive adviser for identity management at NIST.

“In these cases, factor 1 is a biometric that is matched on the device and only on the device — it cannot leave it,” said Grant, who is now Venable’s managing director for technology business strategy. “Once matched, it then unlocks factor 2: the private key of a public/private cryptographic key pair that is used to log in the user. There are a number of great options in the market to get this these days, and they don’t mean embracing a full-blown PKI solution.”
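To make the flow Grant describes concrete, here is an added model of it in Go (my own example, not Venable's, NIST's or any vendor's code, and not a FIDO/WebAuthn implementation: it omits attestation and origin binding). The device holds an Ed25519 private key that is only usable after a local biometric match, simulated here by a boolean; the server stores only the public key, issues a fresh random challenge per login, and verifies the device's signature over it. The `Authenticator` and `RelyingParty` types and their method names are assumptions for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the user's device: the private key never leaves it and
// is only usable after a local biometric match (factor 1 unlocking factor 2).
type Authenticator struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewAuthenticator() (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pub: pub}, nil
}

// Sign produces a signature over the server's challenge only when the local
// biometric match succeeded; biometricMatched stands in for the on-device matcher.
func (a *Authenticator) Sign(challenge []byte, biometricMatched bool) ([]byte, error) {
	if !biometricMatched {
		return nil, errors.New("biometric did not match: private key stays locked")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// RelyingParty models the server: it holds public keys and one outstanding
// challenge per user, so no secret is stored server-side and no code is sent.
type RelyingParty struct {
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{users: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the device's public key for the user (enrollment).
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.users[user] = pub
}

// Challenge issues a fresh 32-byte random nonce; a new one replaces any outstanding one.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Login succeeds only for a signature, by the registered key, over the challenge
// that was actually issued; the challenge is consumed so a capture cannot be replayed.
func (rp *RelyingParty) Login(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	issued, ok := rp.challenges[user]
	if !ok || !bytes.Equal(issued, challenge) {
		return false // no outstanding challenge, or not the one we issued
	}
	delete(rp.challenges, user) // single use
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	rp := NewRelyingParty()
	rp.Register("alice", auth.pub)
	fmt.Println("enrolled public key:", hex.EncodeToString(auth.pub))
	c, _ := rp.Challenge("alice")
	sig, err := auth.Sign(c, true) // biometric matched on the device
	if err != nil {
		panic(err)
	}
	fmt.Println("login:", rp.Login("alice", c, sig))
	fmt.Println("replayed login:", rp.Login("alice", c, sig))
}
```

Two properties of this shape are what make it stronger than an SMS code: a server breach yields only public keys, and a signature is bound to one random challenge, so capturing it in transit buys nothing.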

PKI: Gold standard for MFA

Whatever the authentication factors available for MFA, the federal gold standard is public-key infrastructure, said Army Col. Tom Clancy, identity and asset management lead in the DOD CIO’s office. That is especially true for hardware PKI. But there are a number of situations in which the technology does not come into play.

“There are a bunch of use cases that were almost exclusively username/password protected,” he said. “Old technology is one — devices or applications that didn’t support PKI.” As an example, he cited privileged users who access servers that don’t support PKI. “That’s a support case for MFA alternatives to PKI.”

Furthermore, DOD’s workforce is becoming increasingly mobile, but phone-based authentication is a challenge. And because the department’s partners in state and local government, nongovernmental organizations and industry do not issue PKI to their personnel, DOD needs other physical authentication solutions.

Commercial MFA tools can play an important role where PKI-based authentication is not supported or readily accessible, said Brandon Iske, the Defense Information Systems Agency’s lead for mobile enablement and the Purebred program, which seeks to put security credentials directly on employees’ mobile devices. He added that the National Information Assurance Partnership certifies devices and hardware that have built-in MFA.

“We’ve been working to identify alternatives to username/password for use cases that cannot implement PKI for two years,” Clancy said. “DOD has approved two alternatives to PKI when PKI is infeasible: RSA SecurID [and] YubiKey.”

Nevertheless, device-based PKI should be used at the appropriate level. And the industry has been improving on the way that devices store PKI certificates to meet advanced assurance levels, he added.

“We don’t need to demand a high-assurance authenticator for public information, but [we should] be diligent for protection of sensitive information,” Clancy said.

The need to know and be cyber-aware

Of course, DOD has some of the country’s most sensitive information, and it should be protected from external and internal leaks. It all comes down to the principle that employees should have access only to the information that is necessary for them to complete their appointed tasks and nothing more.

“The government organization’s access philosophy that is based on ‘need to know’ and ‘need to perform job function’ best supports the password system,” said Carl Herberger, vice president of security solutions at Radware. “Regular reviews of personnel access profiles as well as logical security awareness through education and training are imperative for the maintenance and support of the organization’s access philosophy. While password management is very serious, keep in mind that a password alone will not prevent unauthorized access.”

That means every agency, regardless of size, must create a cyber-aware culture and have a roadmap. Scope, resources and threat potential might impact how the plan is executed, but everything starts with the plan, said Mark Testoni, president and CEO of SAP National Security Services.

“Fostering cultural awareness through cyber education throughout the organization is paramount [because] each individual is a potential entry point of exploitation,” Testoni said. “Cybersecurity among federal agencies should be unambiguous. Agencies should proactively advance employee training programs — a justifiable cost when research shows that the vast majority of all cyberattacks are a result of human error.”
