With a huge chunk of the federal workforce still working remotely, the PIV cards employees normally use to authenticate themselves on federal networks aren’t always an option. So, many agencies have turned to commercial multifactor authentication solutions as an alternative. But some of those solutions are more secure than others. To help agencies sort the good from the not-so-good, the National Security Agency has just released a guide to commercial multifactor authentication. Dr. Alan Laing is Senior Subject Matter Expert for Vulnerabilities and Mitigations at NSA, and he joined the Federal Drive to talk more about the information paper.
Jared Serbu: I think for starters, maybe you can just spend a minute here talking about why NSA decided to release this publication at this particular time. I mean, have you been getting a lot of inquiries from federal agencies and other organizations about multifactor authentication in these interesting last few months?
Alan Laing: So “interesting last months” is probably a good term to use. The NSA put out a number of cybersecurity information reports related to our customers, trying to continue working. A lot of them were pushed to do telework and things like that. So the multifactor authentication cybersecurity report was part of that.
Jared Serbu: And I guess the main takeaway for me here is that in a pinch, almost anything is better than just a username and password. But not all multifactor authentication schemes are created equal. And just working backwards here a little bit, you specifically call out techniques like text messages, out-of-band SMS messages to your phone, and some of the commercial biometric solutions that are out there, as not being the best ideas. Talk a bit about some of the weaknesses there and why you wouldn’t necessarily use those as your first go-tos.
Alan Laing: Yeah, so SMS and biometrics have a history of being ineffective at binding the user that is making a request to their digital identity. The NIST report on digital identity guidance describes the rationale for that. Basically, you’re leaving your fingerprints and biometrics all over the place, and it’s fairly easy to replicate. And then for SMS, there’s a ton of ways to impersonate or to capture the SMS messages. So that was considered not the best way of moving forward.
Jared Serbu: And the publication, we should tell listeners, does include a list of all the various FIPS-approved solutions that are out there. We certainly can’t get into them all in this venue. But can you take us through some of the characteristics that you want to be looking for when you’re actually selecting a strong solution?
Alan Laing: Given the need to get this out quickly, we have some expertise here, but we wanted to be fair. So we used the criteria in the NIST digital guidelines document, the recent update, and we used those criteria for our search of public websites where vendors were advertising solutions that met these criteria. So the NIST webpage that has all the validated crypto modules was where we started. And then when we saw the vendors that were validating their products, advertising or indicating that they were compliant or trying to meet the criteria, we went into those websites and validated those products against the criteria.
Jared Serbu: Can you take us through what you think the most, or this is almost a NIST question, but what the most important criteria are for determining whether you really can trust a multifactor authentication scheme?
Alan Laing: So there’s the cryptographic part of it. Every multifactor authentication involves some sort of cryptography, whether it’s a one-time password or a random number generator. So the independent and standards-based validation that’s provided by the FIPS 140-2 validation scheme is probably the most important piece of that. The validator, the verifier of the request, also needs to be locked down so they’re not just accepting any claim. It also has to be sound cryptographically and from a network security perspective. Those two together, and you see the FIPS validation indications in the report as well as things like FedRAMP, or the NIST 853, which is their security controls document.
Jared Serbu: And as you also point out in the document, well, you don’t point this out, but I’ll point out, not every agency’s going to have the option to send government-furnished equipment home with every single employee. But you do point out that that is a better option, if you can. Can you talk a bit about why that’s the case?
Alan Laing: Yeah. So the phrase that I like to use is, if you have a perfectly good sound authenticator, and you put it into a perfectly compromised host, whoever is controlling that host has access to those credentials. And so making sure that the credentials are in the control of the user, all factors of the authentication solution should be under the exclusive control of the user that’s representing it. So government-furnished equipment is managed with the understanding of the specific threats. And it’s more difficult to do that with your own home computer than if the information isn’t there, or the work required to maintain that might not be being done regularly.
Jared Serbu: Yeah, and you also point out that if you don’t have the option of sending hardware home with people, virtual GFE is a pretty good second choice. Can you talk about how close we can get to a secure environment with that virtualized environment?
Alan Laing: So the TENS program that was referenced in the document is an Air Force program that basically takes your hardware and allows you to boot to a known good image. So that deals with a lot of the issues regarding, you know, an intruder that might have persistence on the hard drive. It basically forces the adversary to start anew with an attack against your system. And these are refreshed periodically to maintain fairly good protection against the current threats as well.
Jared Serbu: That’s Dr. Alan Laing, the senior subject matter expert for vulnerabilities and mitigations at NSA.