Insight by Yubico

Cyber EO’s deadlines for zero trust and MFA are behind us. So what’s next?

This content is sponsored by Yubico.

President Biden’s executive order on cybersecurity gave agencies a 60-day deadline to develop a strategy to adopt a zero trust architecture, and a 180-day deadline to adopt strong multi-factor authentication (MFA). Those deadlines have come and gone, so the question on everyone’s mind is this: What comes next?

The Office of Management and Budget recently released a draft zero trust strategy that was open to comments from agencies. The Cybersecurity and Infrastructure Security Agency similarly released a draft zero trust maturity model that was also open to comments. These documents offer some clues. For example, the OMB strategy would require agencies to provide a single sign-on service for agency users, as well as enforcing MFA at the application level. This MFA must be phishing resistant for federal employees, contractors and mission partners, while phishing-resistant MFA must be an option for public users.

“The good news is the government has had that technology in place for 20-plus years. That is the Personal Identity Verification (PIV) smart card for civilian agencies and departments, and the Common Access Card (CAC) over on the Defense Department and intelligence side of the house,” said Jeff Phillips, vice president of Public Sector for Yubico. “What they have a problem with is that a lot of contractors aren’t PIV or CAC eligible. The government also works with a lot of mission partners — which could also be contractors, but could be from foreign nations as well — that aren’t PIV or CAC eligible, but they still need to connect to government systems or collaborate. Mobile devices are not very good for using PIV or CAC. You have to carry a reader that is just as big as your cell phone and plug it in, which defeats the purpose of mobility.”

But mobile devices are where the world is starting to operate. And usernames and passwords simply aren’t secure enough anymore to protect the ever-expanding perimeter. So mobile devices need the same level of assurance as workstations that use PIV or CAC, but they need a new solution to deliver that authentication assurance.

That’s where Yubico comes in. The Democratic National Committee has been using hardware security keys as its standard for highest-assurance MFA since the 2020 election, and brought those security standards into the White House. From there, the practice has begun filtering down into various agencies, and is quickly becoming a best practice.

The YubiKey from Yubico is a hardware security key that offers phishing-resistant MFA and supports multiple authentication protocols, from the PIV smart card interface to newer protocols such as Fast Identity Online (FIDO) that were designed for current devices and usage patterns. A user can use the same YubiKey with accounts across various services and applications, securing access to everything from agency systems to Twitter. Technologies like the YubiKey can bridge those traditional authentication protocols to the newer standards.

And that’s important, because the National Institute of Standards and Technology is expected to release guidance in 2022 on FIDO and other web-based authentication protocols. Agencies adopting this technology now will be ahead of the game when that guidance comes out, if NIST confirms, as expected, that FIDO authenticators meet the existing PIV standard.

It also meets the OMB guidance on being phishing resistant. SMS codes, one-time passwords (OTP) and push-notification apps do not: a user can be tricked into typing a code into, or approving a push request from, a login page the attacker controls, and that code or approval is then relayed to the real service. A FIDO security key instead signs a challenge that the browser binds to the site’s origin, so an assertion obtained on a look-alike site fails verification at the real one.

“The invention of the cloud has given the bad characters processing power to go and figure out with artificial intelligence and machine learning at scale how to crack all this stuff. That’s why the security key is so important in our life. And why it only makes sense, because it needs you as an individual human to take the steps to plug it in to your device or tap it against your device, and then touch a button on top of it. This validates user presence, filtering out automated and remote hacks. Because without that touch, it can be hackable,” Phillips said.

The security key can be plugged into a device’s USB port, or connected to a mobile device using near-field communication, the same technology that enables contactless credit cards and payment apps on smartphones.

The only thing missing from FIDO that’s holding up NIST’s release of this guidance is that it lacks the concept of an enterprise administrator. The government needs a way to manage it as an enterprise asset the way it does with PIV.

“They’re just trying to be as thorough as they possibly can, because it is change,” Phillips said. “And at the same time, the government spent a lot of taxpayers’ money to ensure that our services aren’t disrupted and that our way of life is protected. And so they have to make sure that FIDO meets the mark, like they already know PIV does.”