A group of leading federal security officials is exploring ways agencies can break old paradigms for how employees log in to federal networks and citizens access government services, driven by a whole-of-government mandate to adopt modern authentication practices.
Multifactor authentication is a major issue in front of the federal chief information security officer council, according to Steven Hernandez, CISO at the Department of Education and co-chairman of the council.
For federal employees, agencies are considering additional options beyond the Personal Identity Verification (PIV) card. But Hernandez said the PIV card will continue to be a leading authenticator well into the future.
“We are looking at a wider array of authenticators,” Hernandez said during a Dec. 1 conference hosted by NextGov, adding, “The PIV, whether you love it or loathe it, it is definitely here to stay for a while, because it is still the strongest authenticator we have.”
A PIV credential is a smart card that holds the cardholder's PKI certificates and private keys, typically along with fingerprint templates, and is used for access to both physical facilities and information systems.
But the conversation has shifted with the proliferation of modern authentication keys that follow standards set by the Fast IDentity Online (FIDO) Alliance, an industry association. Examples include hardware security keys, such as Yubico's YubiKey and Google's Titan Security Key, and the Web Authentication (WebAuthn) API, which lets a browser use a registered authenticator (a roaming security key or one built into the device) to sign a server challenge that is bound to the site's origin.
“That will be an interesting nuance going forward for us because we are opening the aperture now to allow other authenticators on the table,” Hernandez said. “I think there will be some subtlety and we’re going to see some more conversations at the council level with our identity experts to say, ‘There are still some cases where you really absolutely, positively need to use the PIV because of that binding of identity to credential and access. But in other cases, you know what? A FIDO key, a Titan Key, something like that may be just fine.”
The federal zero trust strategy puts a premium on agencies using "phishing-resistant" multifactor authentication, and it recognizes the PIV card as the "simplest" way to support that goal. "However, PIV will not be a practical option for some information systems and situations," the strategy adds.
“To the greatest extent possible, agencies should centrally implement support for non-PIV authenticators in their enterprise identity management systems, so that these authenticators are centrally managed and connected to enterprise identities,” the strategy states.
Hernandez said the CISO council is also examining the “intersection between identity and [zero trust architecture]” through its working group on identity, credential and access management.
“You’re going to see a lot of the work unfolding from there, whether it be multifactor, how identity integrates with ZTA, updating certificate management to work with a lot of these new approaches to technology,” he said.
Robert Wood, CISO at the Centers for Medicare & Medicaid Services, said his agency is also moving to simplify its internal identity and authorization mechanisms.
"Get rid of the old hat, passwords, get rid of the old hat way of getting access to resources, and shift to this more adaptive, role-based, smooth authentication flows that FIDO keys enable," Wood said.
Citizen-facing service security
Wood said the government should move to modernize the user authentication process for citizen-facing services, as well. He suggested the move to zero trust and its stronger authentication mechanisms could improve the user experience for citizens.
"I feel very strongly that the same sort of smooth, easy form of authentication and access to resources should be available to citizens," he said. "It's just implemented in a totally different way, because those login systems and identity systems are different than what we are using to serve as our internal population."
The zero trust strategy also directs agencies to adopt phishing-resistant multifactor authentication for public-facing services. The strategy sets a deadline of Jan. 26, 2023, for public-facing agency systems that support MFA to give users the option of phishing-resistant authentication.
Hernandez said that’s an issue the federal CISO council is also actively considering.
"When we look at citizen-facing services, that's a big area for us," he said, noting the requirements in the zero trust strategy. "We have to be able to allow our citizens to register their YubiKey, register their WebAuthn, register their FIDO2 token. Whatever they got, our citizen-facing services need to support that."
The General Services Administration offers Login.gov as a single sign-on service for the public to interface with government services. GSA’s goal is to reach 100 million Login.gov users by the year’s end, up from the approximately 40 million who were using it earlier in 2022.
Hernandez, the Education CISO, pointed to accessing student loan information as an example.
“If a new student comes to us and says, ‘You know what, I want to protect my student loans with the highest level of security available,’ we can say, ‘Well, if you’ve got a FIDO key or whatever, we use Login.gov, feel free to register. It will accept it. You can go as high up the chain to protect your own information how you want,’” Hernandez said.
“And then how we bind that to their identity?” he continued. “Well, that’s going to vary based on use case. But I think one thing we’re seeing coming out of the council is this strong urge to say, ‘Citizens, we are going to make the highest security options available to you. So you choose how much security you want when you’re interacting with the federal government.’”