White House Executive Order for Cyber Security requiring MFA and how LoginID can help organizations comply quickly
On May 12th, 2021 the President of the United States, Joe Biden, signed a cybersecurity-focused Executive Order (EO). This broad and far-reaching order serves to strengthen security for Federal networks, plus any organizations which intend to do business with the Federal government. It requires federal agencies, IT providers, IT security providers, and any organization that sells software to federal agencies to utilize multi-factor authentication (MFA) and to comply with the cloud-service governance framework set by the Director of CISA within 60 days of the order date, with an evaluation of the sensitivity and types of data carried out within 90 days of the order date.
2020 and 2021 have rattled the global security landscape, with businesses seeing a rise in unprecedented cyber attacks. The attacks have originated from numerous groups that range from small-time criminals seeking a ‘quick buck’, all the way up to more sophisticated Nation State backed Advanced Persistent Threat (APT) groups seeking to achieve more sinister outcomes. These malicious activities prompted the signing of the Executive Order; the Executive Order is grounded in statute, giving it legal weight. The Executive Order states that multi-factor authentication and data encryption need to be adopted within 60 days of the order date, and within 180 days of the order date for data at rest and in transit, with agencies providing progress reports every 60 days until full adoption of multi-factor authentication. Agencies that are unable to meet the requirements would need to provide a documented rationale to the Secretary of Homeland Security, following which a cybersecurity framework would be established.
How does Multi Factor Authentication (MFA) tie into all this?
With respect to the requirements placed on agencies, the objective of the Federal Government is to modernize its approach to cybersecurity. There are 3 main aspects to this objective:
- Push cloud adoption — modernize cyber security by moving off legacy data centre environments to cloud SaaS.
- Adopt a Zero Trust Architecture — which limits access to only what is needed and verifies continuously, treating every access request as a potential risk.
- Use of MFA — recognizing that MFA is evidently one of the strongest methods for battling cyber attacks.
The most common form of authentication is the traditional password, which brings with it a few security risks:
- Many people are still using passwords that are easily guessable. Typically these are created by the user based on something familiar to them. Take “K!ttyName2016” as an example. If you create a password using words found in the dictionary and then add some numbers and characters with the aim of creating a strong password, you have not created a strong one. Password-cracking tools, and the many other methods cyber criminals use to gain illegal access to accounts, have come a long way. But even if users take guessing out of the picture, traditional passwords face an additional problem — social engineering.
- People tend to reuse passwords across multiple websites and applications. A Google survey found a 69% reuse rate. While reuse is intended to make passwords easier to remember, if a user’s password is compromised on one site, then every place they have reused it is now at risk of being compromised. Exploiting this is a common tactic among hackers, known as credential stuffing. Passwords are often sent over the internet and authenticated remotely on servers ‘in the cloud’. This has many inherent issues, which all boil down to being authenticated outside of your devices and your control. Another common form of cyber crime is phishing, where a user might be tricked into clicking a link to a copy-cat website run by cyber criminals who capture the login details entered there and then use them on the real site.
What can help combat a majority of cyber crimes is, in fact, multi-factor authentication, or MFA.
What is Multi-Factor Authentication (MFA)?
MFA is a form of authentication that requires you to ‘prove’ your identity using additional means, or factors, beyond a single factor such as the traditional, compromisable password. MFA defines 2 or more factors to assert, or prove, your identity, such as something you have (possession), something you are (inherence) or something you know (knowledge). There are multiple candidate factors (such as one-time password, phone message, email, FIDO factors, etc.), each with its own security level. One-time password, SMS, email and voice are widely used factors with known security concerns that make them prone to phishing, account takeovers, and more. The most secure way to meet the EO MFA requirements in a timely manner is to augment your authentication with, or move to, a FIDO-based solution provider such as LoginID.
What is FIDO?
FIDO, or Fast Identity Online, is a consortium of the world’s leading technology companies changing the way online authentication is done. FIDO has established technical standards that provide interoperable mechanisms, from biometrics such as fingerprints and facial scans to second-factor authentication devices, that are far more secure and easier to use than passwords.
With 80% of all password breaches attributed to weak passwords, FIDO Authentication, using public key cryptography, is the answer to the world’s password problem. We won’t go into the specifics of FIDO in this article; for further information we encourage you to read our FIDO 101 article for a thorough introduction to FIDO and why it is crucial to integrate it as a standard part of your business.
So, what does FIDO have to do with the Executive Order and MFA? FIDO authentication is inherently two-factor: possession of the device holding the private key, plus the biometric or PIN that unlocks it. This is why FIDO is the preferred method for MFA:
- Supported by 4 billion devices globally
- No downloads are required by end users
- Eliminates account takeovers, man in the middle attacks, SIM swaps, etc.
- Eliminates the password reuse problem, since there are no passwords to reuse
- Reduces abandoned transactions. People abandon purchases ⅓ of the time if they can’t remember their passwords.
The FIDO specification consists of 2 components: WebAuthn and CTAP (Client to Authenticator Protocol). WebAuthn is the web API which allows users to use security keys and biometrics from a browser, while CTAP is the protocol the browser (the client) uses to communicate with authenticators built into the device or plugged into it.
This is how FIDO works:
FIDO leverages asymmetric public-key cryptography. So instead of storing a password on a server, FIDO authentication uses a key pair (a private key and a public key). The private key sits on the user's device and the public key sits on a FIDO server. Unlike a password, the public key has no material value: if hackers steal a whole list of public keys, they cannot use them to log in as anyone.
Once a user sets up a FIDO account, the user unlocks the device, which in effect activates the private key on the device. The user can do this by biometric, PIN or any other method the device supports for verifying its owner. The authentication is unique to the user, and the private key on the device can then prove that it matches the public key the service holds. There is a lot of data exchanged in that interchange that is unique to the website and to the private key, to ensure only the user with that specific device can log into the site.
Step 1 — FIDO-certified Platform Authenticator or Remote Key verifies that the site, app or service is a registered and trusted service. This eliminates the phishing problem.
Step 2 — FIDO then requests identity assertion on the device, not through the internet, to unlock the secure enclave or security system so that the private key and public key on the website, app or service can be compared (Factor 1). One of the more common methods to authenticate to the device is using Biometrics, such as Fingerprint or Facial Recognition but it could very well be a PIN code, or an external key that is FIDO enabled.
Step 3 — FIDO then exchanges the keys, which are extremely complex encryption keys, between the services. These work somewhat like your ‘passwords’ but are unique to the device, and the assertion in Step 2 is unique to you.
Step 4 — When everything checks out you are authenticated with the website, app or service. All this takes place behind the scenes; from the user's perspective they only have to touch their device's biometric sensor or look at their phone.
FIDO is the simplest, most secure form of MFA being adopted by organizations today. FIDO allows public and private sector organizations to comply with this Executive Order, and to do so in a way that makes it easy for end users to adopt. We already see the explosive adoption of biometric authentication on devices. Any phone sold today will typically have FIDO-compliant biometric support out of the box.
How Does LoginID Help?
Integrating FIDO from scratch is quite complex and requires extensive knowledge of the standard, scalable server resources, plus in-house skills with many programming languages and platforms such as WordPress.
LoginID was founded to remove these barriers for developers and organizations. FIDO is simple for the end user; we wanted it to be simple for developers and integrators as well. Our mission is to make FIDO technology available to the entire world, and we knew this could only happen if it was painless. We made it painless.
With LoginID You Get:
- FIDO2 / FIDO UAF certified biometric authentication solution
- Extensive APIs and SDKs available for integration such as OpenID Connect, iOS, Android, and Web
- Detailed and thorough documentation created by developers for developers
- A scalable business model that grows with your business
- An Open SaaS plan to support start-ups
If you would like to learn more about LoginID’s FIDO2 and FIDO UAF biometric authentication, you can do so here.