With the recent cyber-attack on Colonial Pipeline and many organisations still dealing with the after-effects of the SolarWinds breach, it is no surprise that President Biden’s administration placed a sharp focus on improving the nation’s cybersecurity.
The executive order of May 12 is wide-ranging, covering enhanced information sharing, replicable ‘playbook’-style responses to cybersecurity incidents and increased vendor transparency.
One item that stands out is the requirement that within 180 days of the date of the order, agencies shall adopt multi-factor authentication and encryption of data at rest and in transit, to the maximum extent consistent with Federal laws.
Federal agencies have invested heavily in PIV (Personal Identity Verification) multi-factor authentication as part of their requirement to comply with the FIPS-201 standard. Based on PKI (Public Key Infrastructure), PIV works well for multi-factor authentication (MFA) and encrypting data, which is a key requirement of President Biden’s executive order.
A dual PKI and FIDO solution to strong multi-factor authentication
As the need to introduce MFA beyond the traditional boundaries of the enterprise grows, PKI-based solutions become increasingly complex to deploy. Cloud and Zero Trust architectures are often not under the control of the consuming agency and can be difficult to PKI-enable.
The desire to heighten cybersecurity defences by rolling out MFA throughout the supply chain is also challenging for PKI: organisations do not control the employee onboarding process of external parties, which makes PKI audits and proving compliance with certification practice statements impractical.
FIDO, and in particular FIDO2 with its passwordless capabilities, offers an attractive alternative to PKI. The WebAuthn protocol used by FIDO2 is a standard adopted by the World Wide Web Consortium (W3C) and is now embedded into a wide range of browsers and operating systems. CTAP (the Client to Authenticator Protocol) allows browsers and operating systems to work with external FIDO2-compliant authenticators such as USB keys, which can provide the hardware level of security agencies require to comply with federal security standards.
Acceptance of FIDO into NIST standards
The National Institute of Standards and Technology (NIST), which defined the PIV standard, recognises the benefits of FIDO: the next version of the standard (FIPS 201-3) and its associated special publications give hardware FIDO authenticators a level of assurance equivalent to cryptographic smart cards.
Agencies are looking to adopt the new MFA mechanisms while protecting the investment they have made in their PIV systems. Many are finding the best solution is a hybrid approach; PKI works well for desktop logon and secure email, with FIDO working well for access to cloud platforms and supply chain authentication.
Hybrid technologies work best with unified management. Even though the technologies in use may differ, it is important that an organisation maintains a single view of who has access to its systems and can define and enforce policy controls over who can issue and receive the credentials that grant people system access.
Taking a unified approach to MFA
MyID from Intercede combines fully FIPS 201 compliant PKI credential management with FIDO for the Enterprise. Acting as a FIDO authentication server, MyID also provides the essential management features that organisations expect but other FIDO servers lack, including binding users to FIDO authenticators, issuance policy over who gets which credential type, revocation and centralised audit.
Mixing and matching MFA technologies that best fit the systems and users that access them makes perfect sense. Managing them from a single system makes it deployable in the real world.