Next Level MFA: FIDO authentication
By: Jen Easterly, Director, CISA
If you follow @CISAgov or @CISAJen on Twitter, you know how passionately we’ve been advocating for everyone to use MORE THAN A PASSWORD!
Many of us know that enabling multi-factor authentication is the single most important thing Americans can do to stay safe online. As I’ve been traveling the country this Cybersecurity Awareness Month, encouraging Americans to take action to stay safe online, this is my biggest ask: Enable MFA on your email account, your bank account, your social media accounts, and really anything with data that you care about protecting. We’re all in this together – in fact, last year President Biden directed all federal agencies to focus on adopting MFA and we’re hard at work driving improvements across the government toward this goal.
While much of our focus this October has been on individuals, when it comes to MFA, technology providers should really be out front here, leading by example, and it’s been great to see some of the industry trendsetters leaning forward on MFA adoption. For example, there are a growing number of online services that are now mandating MFA for their enterprise customers. This is a big win, and others should follow suit. And while we celebrate and encourage industry leadership in MFA adoption, we can still do more.
For example, one top vendor reports that only about a quarter of their enterprise customers have enrolled in MFA. More significantly, the same vendor reports that only about a third of the system administrators at those organizations use MFA.
Even with MFA enabled, however, there have been several high-profile compromises over the past couple of years where attackers were able to bypass traditional forms of MFA, such as SMS texts, authenticator apps, or push notifications. These compromises surprised some observers, but really, it was only a matter of time. In fact, there are widely available “MFA bypass toolkits” that reduce the cost of attack. Unfortunately, we expect to see more and more such compromises. Credential phishing is a sad fact of life. When dedicated, human adversaries spend enough time and effort trying to trick us, someone in your organization will eventually fall for the ruse. And it could be you.
We’ve known for years that any form of MFA is better than no MFA. That’s still true, but we’ve also known that at some point “traditional MFA” would become “legacy MFA” and need to be reassessed or even replaced. Luckily, a group of companies formed the FIDO Alliance to create a phishing-resistant form of MFA. They’ve been able to bake FIDO protocols into the operating systems, browsers, phones, and tablets that you already own. And FIDO is supported on dozens of online services. Organizations large and small are starting pilots and even completing their rollout to all staff.
At CISA, we talk often about resilience. We have to accept that even with all the planning and exercising to keep our systems, data, and infrastructure safe, it is still true that bad things will happen, like an employee in your organization falling for a phishing email. The reason FIDO is so valuable is because even when this happens, the attack will still fail.
This week the FIDO Alliance is hosting their annual Authenticate conference in Seattle, and we’re taking advantage of the event to shine the spotlight on FIDO as the gold standard for MFA and the only widely available phishing-resistant authentication.
So, with this clarity, I make a few asks:
To business leaders: I urge every CEO to ensure that FIDO authentication is on their organization’s MFA implementation roadmap. FIDO is the gold standard. Go for the gold.
To the technology vendors that power our digital lives: Today, we lack visibility into MFA adoption in online services. A few services have helpfully published data, but most have not, and that lack of visibility is hurting our collective ability to tackle the challenges that stand between us and a higher cybersecurity baseline for the nation. In this context, we ask you to:
The bottom line is that we need to all get in the game and work this issue together. By tackling the MFA challenge from different angles, we can significantly improve online security—and by extension our business, personal and even national security.
Need CISA’s help but don’t know where to start? Contact the CISA Service desk.