The adoption and implementation of multi-factor authentication and single sign-on security protocols at federal agencies have hit myriad roadblocks amid the government’s push to fully embrace the zero-trust cybersecurity goals set by the Office of Management and Budget last year, a report from the Cybersecurity and Infrastructure Security Agency and the National Security Agency found.
The guidance released this week from a CISA- and NSA-led panel of government and industry experts highlighted confusion over MFA terminology and vague policy instructions as the primary challenges that have so far prevented seamless application of the user authentication process.
While one seemingly simple proposed fix from the panel is to settle on a more standardized MFA vocabulary, a thornier problem identified is the “lack of clarity regarding the security properties that certain implementations provide.” Additional steps to standardize and simplify the benefits provided by MFA were recommended by the panel, including greater investments by vendors into “phishing-resistant authenticators to more use cases to provide greater defense against sophisticated attacks.”
Other MFA-related challenges raised by the panel centered on sustainability and governance of user sign-ups, noting that a reliance on self-enrollment and “one time enrollment code[s]” leaves systems vulnerable to cyber threats.
On the single sign-on front, experts highlighted the “significant tradeoff” between functionality and complexity, adding that R&D efforts should prioritize a “secure-by-default, easy to use, SSO system to address these gaps in the market.”
Additionally, the panel suggested that SSO accessibility could be improved by bundling those capabilities in all high-enterprise product features, ensuring that small- and medium-sized organizations aren’t priced out.
The concepts called out in the CISA-NSA guidance fall under the broader framework of identity and access management, a critical component of zero-trust security and a pillar of the government’s efforts in that space. The White House’s 2021 executive order on improving the nation’s cybersecurity called for advancements in zero-trust architecture within the federal government, while the 2022 OMB memorandum doubled down on the strategy, calling for stronger enterprise identity and access controls, including MFA.