White House Executive Order for Cyber Security requiring MFA
On the 12th of May 2021 Joe Biden, the President of the United States (POTUS), signed an Executive Order (EO) on cyber security. The EO’s purpose is to strengthen Federal network security, both internally and across every organization that conducts business with the Federal government. It mandates that IT providers, IT security providers, federal agencies, and any other organization that provides software to federal agencies adopt multi-factor authentication (MFA) and comply with the Director of CISA’s cloud-service governance framework within sixty days of the EO date, with a further evaluation of the types and sensitivity of data conducted within ninety days of the EO date.
Businesses saw an unprecedented rise in cyber attacks between 2020 and 2021, ranging from small-scale incidents all the way to nation-state backed Advanced Persistent Threat (APT) attacks. These attacks spurred the signing of the EO which, being grounded in statute, holds legal weight. The EO mandates the adoption of data encryption and multi-factor authentication within sixty days of the EO date, and within six months for data in transit and at rest. Agencies are required to provide progress reports every sixty days until they have fully adopted multi-factor authentication. Any agency that is unable to comply with these requirements is required to provide a documented rationale to the Secretary of Homeland Security, after which a cybersecurity framework would be set up.
What is the objective of the Executive Order (EO)?
The Federal Government’s objective was to modernize its cybersecurity approach. The three main aspects to modernizing cybersecurity are:
Pushing cloud adoption - modernizing cybersecurity by moving information from legacy data centers to cloud SaaS.
Adopting a zero trust architecture - limiting access to only the required information and verifying continuously
Using multi-factor authentication (MFA) - recognizing that multi-factor authentication is one of the strongest methods to fight cyber attacks
Currently the most common authentication form is a password, which is vulnerable to the following security risks:
A majority of people use easily guessable passwords, typically chosen based on something familiar and easy to remember. An example is "K!ttyName2016". Passwords created by taking a common word and adding characters and numbers to the end do not satisfy the ‘strong password’ requirement. Password-cracking methods and tools have become much more advanced, making passwords extremely vulnerable to most forms of cyber attack. Even setting guessing tools aside, traditional passwords face another issue - social engineering.
Passwords tend to be reused across multiple applications and websites; in fact, a Google survey found a reuse rate of 69%! Users reuse passwords for ease of remembering, and the problem occurs when a user’s password is compromised: it is not only compromised on the one app or site, but everywhere the user has reused it. A common cybercrime tactic that exploits this is credential stuffing. In order to remotely authenticate users, passwords are often sent over the internet to servers in the cloud. The concern here is that users are authenticated outside their devices and outside their control. Phishing, another common form of cybercrime, is when a user is duped into clicking a suspicious link and submitting their login details. The site is usually a copy of a popular website, and the credentials the user submits on the fake website are then used on the real website.
So what can help fight a majority of cybercrimes like phishing, credential stuffing, and the cybercrimes involving passwords? The answer is multi-factor authentication (MFA).
What is multi-factor authentication (MFA)?
Multi-factor authentication (MFA), as the name suggests, requires users to prove their identity by providing additional ‘factors’. These factors can be a mix of something you have (possession), something you are (inherence), and something you know (knowledge). Various factors can be used, each with its own level of security. One-time passwords (OTPs), SMS codes, email codes and voice confirmations, for example, are weaker factors, making them more prone to account takeover fraud, phishing, and so on.
The most secure way to meet the Executive Order’s multi-factor authentication requirements, therefore, is to augment or use a FIDO-based solution provider, such as LoginID.
What is FIDO?
FIDO, short for Fast IDentity Online, is a consortium of the leading technology companies across the globe, brought together to change the way online authentication is done. FIDO’s established technical standards provide secure and easy-to-use interoperable mechanisms, from biometrics such as facial recognition and fingerprints, to second factor authentication devices.
FIDO Authentication is the solution to the age-old password problem: 80% of all password breaches are attributed to weak passwords. For further information, please read our FIDO 101 article for an in-depth introduction to FIDO and why businesses need to integrate it.
What does FIDO have to do with the Executive Order and MFA?
FIDO Authentication is a 2-factor authentication (2FA) method. FIDO is the preferred multi-factor authentication method because:
It is supported by 4 billion devices all over the world
It does not require end users to download anything
It eliminates man-in-the-middle attacks, account takeovers, SIM swaps, and other such cyber attacks
It eliminates the problems with reusing passwords, since there are no passwords to reuse
It reduces abandoned transactions due to forgotten passwords: people abandon their purchases ⅓ of the time due to forgotten passwords
The FIDO specification consists of two components: WebAuthn and CTAP (Client to Authenticator Protocol).
WebAuthn is the web API that allows users to actually use biometrics and security keys to authenticate themselves.
CTAP is what browsers use to communicate with authenticators present on, or connected to, an authenticating device.
How it works
FIDO uses asymmetric public key cryptography, which removes the need to store passwords on a server. FIDO authentication instead uses a private and public key pair. The private key sits on, and never leaves, the user’s device. The public key is not secret and sits on a FIDO server. Because the public key is not secret, even if the server is compromised and the public key(s) stolen, attackers cannot carry out any malicious attacks with it.
Setting up a FIDO account allows the user to use their device as an authenticator, by activating their device’s private key. Any authentication request, whether through biometrics, a PIN or any other method, is unique to the user; the key pairs are matched, data is exchanged in the background, and the user is allowed to log in to a website or access an account if the key pair matches.
The steps involved in authenticating a user are:
A FIDO-certified remote key or platform authenticator verifies that the service, application or website is a trusted and registered service, eliminating the phishing problem.
FIDO requests an identity assertion on the user’s device to unlock the security system or secure enclave so that the public and private keys for the service, application or website can be compared (Factor 1). One of the more secure and common authentication methods is the device’s biometric scanner, such as facial recognition or a fingerprint scan. It could also be a PIN code, or an external FIDO-enabled key.
FIDO exchanges the extremely complex encryption keys, which act as a password that is unique to the user and to their own device.
If the key pairs match, the user is authenticated with the service, website or application.
All this happens in the background; all the user does is look at their facial recognition scanner, or touch their fingerprint scanner to verify themselves.
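The challenge-response flow described in the steps above, as an added Go sketch that is not LoginID’s or the FIDO Alliance’s code: the device keeps one private key per relying party, the server stores only the public key, and a login is a signature over a fresh challenge. It goes one step beyond the text by scoping the key to the origin the browser reports, which is why a look-alike phishing site gets no usable signature. The names Authenticator, RelyingParty, Login and the origins bank.example / bank-example.test are assumptions; real WebAuthn signs client data and authenticator data, which this sketch collapses into origin plus challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the user's device: one private key per relying-party ID, created at registration and never exported (constructed example).
type Authenticator struct{ Keys map[string]*ecdsa.PrivateKey }

// RelyingParty models the FIDO server, which stores only public keys (constructed example).
type RelyingParty struct {
	ID    string
	Creds map[string]*ecdsa.PublicKey
}

// Register creates a P-256 key pair scoped to rp.ID; only the public half leaves the device and is stored under the user name.
func (a *Authenticator) Register(rp *RelyingParty, user string) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo: key generation error ignored
	a.Keys[rp.ID] = priv
	rp.Creds[user] = &priv.PublicKey
}

// Sign answers a challenge with the key scoped to the origin the browser reports; a look-alike site has no key, so phishing fails here.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a.Keys[origin]
	if !ok {
		return nil, false
	}
	digest := sha256.Sum256(append([]byte(origin), challenge...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return sig, err == nil
}

// Verify checks the signature with the stored public key over the server's own ID plus the fresh challenge, so a replayed assertion fails.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.Creds[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(append([]byte(rp.ID), challenge...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Login is one round trip: fresh random challenge, device signature for the origin the browser sees, server-side verification.
func Login(rp *RelyingParty, a *Authenticator, user, origin string) bool {
	challenge := make([]byte, 32)
	rand.Read(challenge) // crypto/rand; demo ignores the error return
	sig, ok := a.Sign(origin, challenge)
	return ok && rp.Verify(user, challenge, sig)
}
```

The stored public key alone cannot produce a valid assertion, which is the property the text relies on when it says a stolen public key is useless to an attacker.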
Biometric authentication is already widely deployed in devices globally; in fact, most phones sold today are FIDO compliant right out of the box. FIDO is the most secure and simplest form of multi-factor authentication being adopted by enterprises and organizations today. FIDO allows organizations in both the public and private sectors to comply with the Executive Order in a user-centric manner.
How does LoginID fit in?
Integrating FIDO from the ground up requires extensive knowledge of the FIDO standard; it is quite complex and requires scalable server resources as well as in-house programming skills across various languages and platforms.
LoginID was founded to eliminate the barriers to integrating FIDO for both organizations and developers. As simple as FIDO is for the end user, LoginID wanted to make it simple for integrators and developers too. LoginID’s mission is to make FIDO technology available to all organizations globally, painlessly.
LoginID gives you:
A FIDO2 / FIDO UAF certified biometric authentication solution
If you would like to learn more about LoginID’s FIDO2 and FIDO UAF biometric authentication, click here.
An unprecedented rise in cyber attacks between 2020 and 2021 spurred the POTUS’s signing of the White House Executive Order mandating cloud adoption, a zero-trust architecture, and the use of multi-factor authentication (MFA).
Multi-factor authentication (MFA) requires users to present additional forms of authentication to verify their identity; one of the more secure factors is biometrics (face scan or fingerprint scan), available on nearly every mobile device sold today.
FIDO2/FIDO, developed by the FIDO Alliance, is the de-facto authentication standard and enables organizations to implement multi-factor authentication in an easy, user-centric way.
FIDO is time-, cost- and labor-intensive to develop in-house. FIDO-certified authentication and identity providers like LoginID make it easy for organizations to integrate FIDO into any website, application or service.