New guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) highlighted significant ongoing challenges Federal agencies and industry face in implementing security controls like multifactor authentication (MFA) to manage identity security.

The report – Developer and Vendor Challenges: Identity and Access Management – was produced by the Enduring Security Framework, a public-private working panel led by CISA and the NSA.

Specifically, the report identified several developer and vendor issues that complicate implementing identity and access management best practices, such as ambiguous MFA terminology and a lack of clarity around security properties. The report also highlighted technical gaps that prevent organizations in critical infrastructure sectors from deploying MFA services.

Last year, the White House rolled out the Federal zero trust strategy, requiring Federal agencies to implement MFA security controls throughout their organization. CISA has also recommended that the private sector implement critical security controls like MFA throughout their enterprise.

“MFA is widely recognized as one, if not the most, important preventative security controls available today,” the report stated.

However, deploying MFA security measures has not become a universal practice, especially for some organizations operating in the critical infrastructure sectors.

According to the panel, a key challenge to deploying MFA security measures “is [the] confusing definitions and unclear policy around different variations of MFA.”

“There is a need for clarity, interoperability, and standardization amongst MFA variations to allow organizations to make value comparisons and to integrate these solutions into their environment,” the guidance states. It goes on to recommend that vendors develop more secure enrollment tools and automated methods to detect and remove unused MFA authenticators.

In addition, the report called on the vendor community to provide MFA services with further investments and defenses against sophisticated attacks from threat actors, including phishing-resistant authenticators that can be simplified for adoption and embedded into operating systems.

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.