MFA For Cybersecurity Gets Highlighted In Federal Zero Trust Strategy
Cybersecurity is one of the pressing issues that the United States is facing. Threats affect the government, organizations, institutions, and even individuals.
The Identity Theft Resource Center (ITRC) said there were 1,291 data breaches publicly reported in the U.S. from January to September 2021, affecting about 281 million individuals. In comparison, this total is 17% more than the recorded breaches during the same period in 2020.
Government Efforts: The Federal Zero Trust Strategy
To address this problem, the government looks for ways to improve cybersecurity. On January 26, 2022, the Federal Zero Trust Strategy was released. The Office of Management and Budget (OMB) published the strategy as Memorandum M-22-09. Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.
This move aims to promote a better security approach through government-wide efforts, setting a new baseline in terms of access controls. An important point to highlight is the prioritization of using phishing-resistant multi-factor authentication (MFA). Additionally, there is also a need to consolidate identity systems for improved protection and monitoring.
Understanding the Strategy
At the core of the strategy are two main focuses — the vision and actions on identity.
Generally, staff members of government agencies have to use enterprise-managed identities to get access to applications used for work. Phishing-resistant multi-factor authentication must be in place to protect said personnel against more sophisticated cyberattacks.
Three actions must be taken.
First, the agencies should have centralized management systems for users.
Second, they should use strong MFA throughout the organization. Specifically, all agency staff members, contractors, and partners have to use phishing-resistant MFA. Meanwhile, public users should be given this option. Furthermore, it should not be required to use special characters for passwords or have regular password rotation.
Third, agencies should consider having at least one device-level signal when giving users authority to access resources. This signal is additional security alongside identity information about the authenticated user.
The FIDO Standard
Through the announcement of the strategy, the federal government also encouraged using FIDO2 standards. Thus, further recognizing the FIDO Alliance’s efforts to promote the use of phishing-resistant multi-factor authentication and reduce people’s over-reliance on passwords.
The FIDO2 is FIDO Alliance’s newest set of specifications. It includes Web Authentication (WebAuthn) specification and Client-to-Authenticator Protocol (CTAP). Learn more about the FIDO2 Project here.
