Making multifactor authentication work
- By Derek Handova
- Sep 25, 2017
Federal networks are only as strong as the people accessing them, which makes humans the weak link in security.
“So long as authentication is based primarily on human-defined and -managed passwords, our systems will be compromised,” said Phil Quade, chief information security officer at Fortinet. “Despite persistent training and warnings, passwords are almost always compromised because they are too easy to guess, used for too long — extending the duration of exposure of compromised passwords — and repeated across different accounts, allowing a compromise on one machine to lead to compromises on others.”
Debra Marchese, vice president of information systems at federal contractor UTRS, said, “Everyone is trying to get a handle on how we protect systems. There are different levels of protection. No matter how many layers of security you have, vulnerability [will] always exist if users don’t have good cyber hygiene and don’t have a vested stake in securing systems. If it’s too difficult, people will find a way around security to get their job done. Bottom line: It comes down to end users.”
From her point of view, proper network security must be part of everyday computer use rather than something that is addressed once a year by top leaders. And the only way to do that is to have an appropriate level of investment in people. Unfortunately, Marchese said that approach runs counter to how the government arranges its priorities.
The first thing agencies take into account is cost. “They’re worried more about cost than people,” she added. “Now we heard that the Obama and then the Trump administrations didn’t want to put funding in place to control the user element. Technical solutions can only go so far.”
Furthermore, multifactor authentication methods are not foolproof, and fingerprint readers and retinal scanners have the potential to be “wonky,” Marchese said. However, Common Access Card authentication might not be too burdensome on a trusted computer if administrators post a certificate on the computer every 30 days using Google Authenticator or something similar, she added.
DOD’s CAC experience proves instructive
Before Terry Halvorsen retired as CIO of the Defense Department in February, he commissioned a plan for DOD to stop using CACs as an authentication factor. Although the plan was still a work in progress at the time of his departure, CACs’ lack of agility prompted him to draw some broad conclusions about authentication guidelines from the National Institute of Standards and Technology.
“DOD and certain federal networks already exceed NIST network security requirements,” said Halvorsen, who is now an executive vice president and CIO at Samsung. “DOD has CAC, PIN and other multifactor authentication methods. [Two-factor authentication] is not a big deal for some parts of federal networks. They’ve already completed this journey.”
Overall, he said he believes there will not be a standard multifactor authentication for the federal government and that each agency will instead work with security vendors to find the most effective solution.
“In general, you will move to MFA in conjunction with technology that makes it easy to use,” Halvorsen said. “Certain government agencies will go beyond easy-to-use MFA to leverage their mission. They are moving to get rid of passwords and go to biometrics, voice recognition, facial recognition and behavior-based movement of hands” for authentication.
Although DOD is headed toward MFA, officials will not say which MFA factors to use. Halvorsen said passwords have been supplanted as an authentication factor, however, and could fall out of use entirely. Replacement options could include iris scanners, fingerprint readers, facial recognition and other authentication factors that are becoming easier to use.
“Authentication can use a combination of biometrics, user behavior and cross-referenced user data that is easily available,” Halvorsen said. “For example, say your phone is locating you in Los Angeles, and now there’s a login from Europe. We’re sure it’s not you. Data analytics engines at a high level will authenticate.”
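The location check Halvorsen describes (phone last seen in Los Angeles, login arriving from Europe) is a standard "impossible travel" test: compare the last trusted device location with the geolocated login and reject or step up when the implied speed could not have been achieved. The Go program below is an added illustration, not code from the article or from any agency's analytics engine. The coordinates, timestamps and the 900 km/h ceiling (roughly airliner cruising speed) are constructed assumptions; a real deployment would tune the threshold and pull locations from its own device-management and login telemetry.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// GeoPoint is an observed location with a timestamp: a phone's last reported
// position, or the geolocated source of a login attempt.
type GeoPoint struct {
	Label string
	Lat   float64 // degrees
	Lon   float64 // degrees
	At    time.Time
}

// haversineKm returns the great-circle distance between two points in kilometres.
func haversineKm(a, b GeoPoint) float64 {
	const earthRadiusKm = 6371.0
	toRad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat := toRad(b.Lat - a.Lat)
	dLon := toRad(b.Lon - a.Lon)
	lat1, lat2 := toRad(a.Lat), toRad(b.Lat)
	h := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(lat1)*math.Cos(lat2)*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(h))
}

// TravelVerdict summarises one impossible-travel evaluation.
type TravelVerdict struct {
	DistanceKm float64
	Hours      float64
	SpeedKmh   float64 // +Inf when no time elapsed between the observations
	Impossible bool
}

// MaxPlausibleKmh is the assumed ceiling for legitimate travel between two
// observations. It is a constructed value; tune it to the agency's risk appetite.
const MaxPlausibleKmh = 900.0

// EvaluateTravel compares the last known device location with a login's
// geolocation and flags the login when the implied speed exceeds MaxPlausibleKmh.
// A login timestamped at or before the last observation from a different place
// is flagged as well, because no travel could explain it.
func EvaluateTravel(last, login GeoPoint) TravelVerdict {
	dist := haversineKm(last, login)
	hours := login.At.Sub(last.At).Hours()
	v := TravelVerdict{DistanceKm: dist, Hours: hours}
	if hours <= 0 {
		v.SpeedKmh = math.Inf(1)
		v.Impossible = dist > 0
		return v
	}
	v.SpeedKmh = dist / hours
	v.Impossible = v.SpeedKmh > MaxPlausibleKmh
	return v
}

func main() {
	// Constructed sample telemetry: the phone checked in from Los Angeles,
	// then two login attempts arrive, one from Frankfurt, one from San Diego.
	t0 := time.Date(2017, 9, 25, 9, 0, 0, 0, time.UTC)
	phone := GeoPoint{"phone: Los Angeles", 34.0522, -118.2437, t0}
	logins := []GeoPoint{
		{"login: Frankfurt", 50.1109, 8.6821, t0.Add(90 * time.Minute)},
		{"login: San Diego", 32.7157, -117.1611, t0.Add(2 * time.Hour)},
	}
	for _, l := range logins {
		v := EvaluateTravel(phone, l)
		fmt.Printf("%-18s %7.0f km in %4.1f h -> %8.0f km/h  impossible=%v\n",
			l.Label, v.DistanceKm, v.Hours, v.SpeedKmh, v.Impossible)
	}
}
```

The verdict is a signal for the analytics engine, not a final answer: a flagged login would typically trigger a step-up challenge or a block, while the San Diego case passes through because 90 km/h is ordinary ground travel. Device clocks and coarse IP geolocation introduce error, which is why the threshold is generous rather than exact.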
Eventually, Halvorsen said it would be ideal if users were not even aware of authentication activities, and he believes we will not need passwords or challenge questions to authenticate users in the future.
MFA solutions for the federal government cannot be one size fits all, so how an agency implements MFA should depend on the sensitivity of its data and where MFA would be used within the agency’s architecture.
“There are certain places where it may make sense for all agencies to use 2FA,” said Michael Bahar, former minority staff director and general counsel for the House Permanent Select Committee on Intelligence and now a partner at Eversheds Sutherland law firm. “However, it won’t make sense for agencies to always implement MFA in the same way or even for every instance where authentication is required. A layered defense strategy may be useful.”
Authentication factors beyond CACs
With DOD pushing fairly aggressively to eliminate CACs, there are implications for the authentication factors that will be usable replacements. Security experts say soft tokens that feature secure mobile applications (e.g., RSA SecurID) will offer reliable security in the near term.
“For years, the market has produced authentication solutions that offered better security but often at the expense of the user experience,” said David London, a senior director in the security services practice at the Chertoff Group. “For example, two-factor authentication solutions often require users to ‘break stride’ to log in — such as those that not only require a password but also require a user to find a hardware token, copy a number off it and then enter it into an application. As a result, these solutions have had uneven implementation and uptake.”
Instead, commercial tools such as Apple Touch ID or Windows Hello, which are face- or fingerprint-based, could have useful government applications if properly deployed. And most smartphones and laptops now ship with “primitives” built in to deliver strong MFA that allows password-less login experiences that are more secure and easier for the user, said Jeremy Grant, former senior executive adviser for identity management at NIST.
“In these cases, factor 1 is a biometric that is matched on the device and only on the device — it cannot leave it,” said Grant, who is now Venable’s managing director for technology business strategy. “Once matched, it then unlocks factor 2: the private key of a public/private cryptographic key pair that is used to log in the user. There are a number of great options in the market to get this these days, and they don’t mean embracing a full-blown PKI solution.”
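The flow Grant describes, an on-device biometric match (factor 1) that unlocks a device-bound private key which signs the login (factor 2), is the shape of FIDO-style password-less authentication. The Go program below is an added example written for this page; it is not code from the article, from any vendor product or from a FIDO library. It assumes a simulated biometric match (a constant-time comparison of hashed samples standing in for the sensor), Ed25519 keys, a server-issued one-time nonce bound to the login origin, and the hypothetical names Device, Server and Login. The private key is created on the Device and is never handed to the caller; the server stores only the public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Device models the user's phone or laptop. The private key never leaves the
// struct; only signatures over server challenges are returned.
type Device struct {
	priv     ed25519.PrivateKey
	template [32]byte // enrolled biometric template (constructed stand-in)
	unlocked bool
}

// NewDevice generates the key pair on the device and enrols a biometric sample.
func NewDevice(enrolledSample string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, template: sha256.Sum256([]byte(enrolledSample))}, nil
}

// PublicKey is the only key material the device shares, at registration time.
func (d *Device) PublicKey() ed25519.PublicKey {
	return d.priv.Public().(ed25519.PublicKey)
}

// MatchBiometric is factor 1: the match happens on the device and the sample is
// never transmitted. Here it is a constant-time compare of hashed samples.
func (d *Device) MatchBiometric(sample string) bool {
	h := sha256.Sum256([]byte(sample))
	d.unlocked = subtle.ConstantTimeCompare(h[:], d.template[:]) == 1
	return d.unlocked
}

// SignChallenge is factor 2: the private key signs the server's nonce bound to
// the origin, but only while unlocked. One unlock yields one signature.
func (d *Device) SignChallenge(origin string, nonce []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("device locked: biometric match required")
	}
	d.unlocked = false
	return ed25519.Sign(d.priv, challengeBytes(origin, nonce)), nil
}

// challengeBytes binds the nonce to the origin so a signature obtained for one
// site cannot be replayed against another.
func challengeBytes(origin string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(nonce)
	return h.Sum(nil)
}

// Server holds registered public keys and outstanding one-time nonces only.
type Server struct {
	Origin  string
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer(origin string) *Server {
	return &Server{Origin: origin, keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register stores the device's public key for a user.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random nonce for a registered user.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify accepts the login only if the signature is valid under the user's
// registered key for the outstanding nonce. The nonce is consumed either way,
// so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, ok := s.pending[user]
	delete(s.pending, user)
	if !ok {
		return false
	}
	pub, ok := s.keys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challengeBytes(s.Origin, nonce), sig)
}

// Login runs the full exchange: challenge, local biometric match, signature,
// verification. Returns whether the server accepted the login.
func Login(srv *Server, dev *Device, user, biometricSample string) (bool, error) {
	nonce, err := srv.Challenge(user)
	if err != nil {
		return false, err
	}
	if !dev.MatchBiometric(biometricSample) {
		return false, errors.New("biometric mismatch: key stays locked")
	}
	sig, err := dev.SignChallenge(srv.Origin, nonce)
	if err != nil {
		return false, err
	}
	return srv.Verify(user, sig), nil
}

func main() {
	dev, err := NewDevice("enrolled-fingerprint-sample") // constructed enrolment
	if err != nil {
		panic(err)
	}
	srv := NewServer("https://login.example.gov") // assumed origin
	srv.Register("alice", dev.PublicKey())
	ok, err := Login(srv, dev, "alice", "enrolled-fingerprint-sample")
	fmt.Println("matching biometric:", ok, err)
	ok, err = Login(srv, dev, "alice", "someone-else")
	fmt.Println("wrong biometric:   ", ok, err)
}
```

Note what the server never sees: no password, no biometric sample, no private key. Compromising the server's database yields public keys only, which is the property Grant contrasts with password-based systems, and the one-time nonce bound to the origin is what makes a captured signature useless elsewhere.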
PKI: Gold standard for MFA
Whatever the authentication factors available for MFA, the federal gold standard is public-key infrastructure, said Army Col. Tom Clancy, identity and asset management lead in the DOD CIO’s office. That is especially true for hardware PKI. But there are a number of situations in which the technology does not come into play.
“There are a bunch of use cases that were almost exclusively username/password protected,” he said. “Old technology is one — devices or applications that didn’t support PKI.” As an example, he cited privileged users who access servers that don’t support PKI. “That’s a support case for MFA alternatives to PKI.”
Furthermore, DOD’s workforce is becoming increasingly mobile, but phone-based authentication is a challenge. And because the department’s partners in state and local government, nongovernmental organizations and industry do not issue PKI to their personnel, DOD needs other physical authentication solutions.
Commercial MFA tools can play an important role where PKI-based authentication is not supported or readily accessible, said Brandon Iske, the Defense Information Systems Agency’s lead for mobile enablement and the Purebred program, which seeks to put security credentials directly on employees’ mobile devices. He added that the National Information Assurance Partnership certifies devices and hardware that have built-in MFA.
“We’ve been working to identify alternatives to username/password for use cases that cannot implement PKI for two years,” Clancy said. “DOD has approved two alternatives to PKI when PKI is infeasible: RSA SecurID [and] YubiKey.”
Nevertheless, device-based PKI should be used at the appropriate level. And the industry has been improving on the way that devices store PKI certificates to meet advanced assurance levels, he added.
“We don’t need to demand a high-assurance authenticator for public information, but [we should] be diligent for protection of sensitive information,” Clancy said.
The need to know and be cyber-aware
Of course, DOD has some of the country’s most sensitive information, and it should be protected from external and internal leaks. It all comes down to the principle that employees should have access only to the information that is necessary for them to complete their appointed tasks and nothing more.
“The government organization’s access philosophy that is based on ‘need to know’ and ‘need to perform job function’ best supports the password system,” said Carl Herberger, vice president of security solutions at Radware. “Regular reviews of personnel access profiles as well as logical security awareness through education and training are imperative for the maintenance and support of the organization’s access philosophy. While password management is very serious, keep in mind that a password alone will not prevent unauthorized access.”
That means every agency, regardless of size, must create a cyber-aware culture and have a roadmap. Scope, resources and threat potential might impact how the plan is executed, but everything starts with the plan, said Mark Testoni, president and CEO of SAP National Security Services.
“Fostering cultural awareness through cyber education throughout the organization is paramount [because] each individual is a potential entry point of exploitation,” Testoni said. “Cybersecurity among federal agencies should be unambiguous. Agencies should proactively advance employee training programs — a justifiable cost when research shows that the vast majority of all cyberattacks are a result of human error.”
A longer version of this article was first posted to FCW, a sibling site to GCN.