Building on the May 2021 Cybersecurity executive order, Office of Management and Budget (OMB) memorandum M-22-09 sets out ambitious timelines for Federal agencies to improve cybersecurity. However, many agencies may be closer than they realize to the mandates laid out in M-22-09, particularly regarding multifactor authentication (MFA).
Because cyber attackers are always getting more creative and technologically advanced, the methods that agencies use to verify identity and authorize use of agency systems must constantly evolve. M-22-09 directs agencies to move away from password-based authentication, which leaves systems vulnerable. Password spraying, for example, may have been the method that allowed attackers to access government agencies in the SolarWinds hack. The memo outlines stronger authentication methods, including phishing-resistant MFA.
PIV and CAC
The good news is that “the government has spent more than two decades investing in the best enterprise-grade authenticators, which happen to be phishing resistant: the personal identity verification (PIV) card and the common access card (CAC). Agencies don’t have to stand up that infrastructure, and they know how to work with it,” explains Bryan Rosensteel, U.S. Federal chief technology officer at Ping Identity.
The universal Federal government standard is X.509 authentication, an International Telecommunication Union standard defining the format of certificates that bind an identity to a public key using a digital signature. In the Federal government, that certificate takes the form of a personal identity verification (PIV) or common access card (CAC).
“PIV and CAC and derived credentials are special versions of X.509 that incorporate lots of controls and processes,” Rosensteel notes. Those controls and processes are laid out in National Institute of Standards and Technology (NIST) Special Publications 800-157 and 800-79-2 and Federal Information Processing Standard (FIPS) 201-3.
Developed over two decades, PIV and CAC provide agencies with strong MFA, especially by requiring interaction with the user during the authentication process. Because the physical card must be present, an attacker who does not possess it cannot complete authentication remotely.
But PIV and CAC do not address every government need. Bottlenecks at PIV and CAC issuing authorities and their incompatibility with mobile devices present obstacles to agencies. PIV and CAC also struggle with edge use cases, creating gaps that are often filled piecemeal by the different groups within an agency, resulting in a patchwork of solutions. Rosensteel notes that centralization is a key to enterprise-wide phishing resistance: “We have to make sure that organizations understand where the MFA needs to be, and that they have central communication within the organization in order to identify all the use cases and adequately address them.”
To address the weaknesses of PIV and CAC, M-22-09 permits Federal agencies to use FIDO2 and WebAuthn authenticators. FIDO is a passwordless open standard developed by the Fast Identity Online (FIDO) Alliance, an industry consortium made up of technology firms and other service providers. FIDO2 consists of the WebAuthn specification, a standard set of web application programming interfaces that allow web applications to use public-key cryptography and authenticators, and the Client to Authenticator Protocol (CTAP2), which uses physical keys and mobile authenticator apps to implement two-factor and passwordless authentication. “From a pure authentication standpoint, we are going to start seeing FIDO2 growing in importance,” Rosensteel observes.
FIDO2 uses asymmetric cryptography, which employs different keys to encrypt and decrypt; symmetric cryptography, on the other hand, uses a single key for both processes. FIDO2 generates a public and private key pair for each user, protecting against all forms of password theft, phishing, and man-in-the-middle attacks. Stored on a service provider’s servers, the public key verifies users’ identities and encrypts their information. The private key remains on users’ devices to validate users’ identities and decrypt information. Users unlock cryptographic login credentials with fingerprint readers, cameras, or physical security keys.
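As an added example that is not from the article or from Ping Identity, the Go program below sketches the relying-party side of the FIDO2/WebAuthn login described in the two paragraphs above: a key pair per user, a private key that only ever signs on the device, and the origin check that gives the scheme its phishing resistance. The origin strings, challenge, and authenticator data are constructed placeholders, and `login` is a hypothetical helper that plays both the device and the verifying server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
// signedMessage is what the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientJSON []byte) []byte {
	h := sha256.Sum256(clientJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return m[:]
}

// verifyAssertion is the relying party's check: the challenge must be the one it issued,
// the origin must be its own, and the signature must verify under the public key stored
// at registration. The browser fills in origin, so a look-alike site's assertion is rejected.
func verifyAssertion(pub *ecdsa.PublicKey, challenge, rpOrigin string, authData, clientJSON, sig []byte) error {
	var cd map[string]string // WebAuthn CollectedClientData: type, challenge, origin
	if err := json.Unmarshal(clientJSON, &cd); err != nil {
		return err
	}
	if cd["type"] != "webauthn.get" || cd["challenge"] != challenge || cd["origin"] != rpOrigin {
		return fmt.Errorf("rejected: type=%q challengeOK=%v origin=%q want %q",
			cd["type"], cd["challenge"] == challenge, cd["origin"], rpOrigin)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, clientJSON), sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// login simulates one passwordless assertion: the device signs for whatever origin the browser reports.
func login(browserOrigin, rpOrigin string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // private key never leaves the device
	if err != nil {
		return err
	}
	challenge := "constructed-fresh-challenge" // a real RP issues random bytes per login attempt
	clientJSON, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": browserOrigin})
	authData := []byte("constructed-authenticator-data")
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, clientJSON))
	if err != nil {
		return err
	}
	return verifyAssertion(&priv.PublicKey, challenge, rpOrigin, authData, clientJSON, sig)
}
```

Note that nothing secret travels to the server: only the public key is stored there, so a breach of the server's credential store yields nothing that can be replayed as a login.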
Login.gov, which provides single sign-on for the public to interface with Federal agencies online, offers FIDO2 as an MFA option. Users who select this option must provide a “security key,” which can be a piece of hardware or a biometric authenticator such as a fingerprint. The General Services Administration encourages the use of the FIDO2 system on the site, and usage is on the upswing, according to the FIDO Alliance. The standard is more secure, protects user privacy, and is less expensive for the government to operate compared to traditional methods.
However, FIDO2 was not written to meet the Federal government’s needs. For example, unlike PIV and CAC, FIDO2 does not accommodate enterprise lifecycle management of identity verification and authentication. “How do we bring two decades worth of enterprise lifecycle management, which exists for a reason, into a standard that was initially built to handle MFA in the commercial space?” Rosensteel asks. “We’re working on that with a couple of specialized technology vendors that can bring in the lifecycle management for FIDO2 security keys that we see with a physical smart card and do so in a way that is scalable for an organization.”
Federal policy is also beginning to change to ensure commercial standards like FIDO can meet Federal requirements. “FIPS 201-3 was updated in January to allow non-X.509 based derived credentials,” Rosensteel notes. “That’s the first step for FIDO2 adoption. Now NIST Special Publications 800-157 and 800-79-2 need to be updated with the right lifecycle management policies. Once that happens, we have an alternative to the gold standard of the PIV and CAC.”