Federal agencies should choose FIDO as they seek to comply with the new Executive Order that requires the implementation of multi-factor authentication within the next 180 days.
By: Andrew Shikiar, Executive Director and Chief Marketing Officer, FIDO Alliance
In the face of recent attacks that have exposed areas of weakness in critical U.S. infrastructure assets, President Biden signed a new Executive Order Wednesday to help bolster the nation’s cybersecurity.
There have been a number of high profile attacks against critical American infrastructure in recent months, including the Solarwinds supply chain attack that exposed much of the government to potential risk. Top of mind in recent days is the ransomware attack against Colonial Pipeline, which significantly impacted the flow of refined oil across America. These attacks expose the vulnerability of critical infrastructure in the United States, and the Biden Administration is issuing federal directives that will minimize or eliminate risk.
A key part of the Executive Order is a requirement that agencies adopt multi-factor authentication (MFA) and encryption for data at rest and in transit to the maximum extent possible. Federal Civilian Branch Agencies will have 180 days to comply with the Executive Order and will need to report on progress every 60 days until adoption is complete. If for some reason agencies cannot fully adopt MFA and encryption within 180 days, they must report to Secretary of Homeland Security through the Director of CISA, the Director of OMB, and the APNSA with a rationale for not meeting the deadline.
At the FIDO Alliance, we welcome today’s directive from the Biden Administration and applaud its focus on the importance of multi-factor authentication. What’s notable about this Executive Order is that the White House is prioritizing MFA everywhere, rather than limiting MFA to the PIV/PKI platform that agencies have depended on for more than 15 years. Today’s Executive Order marks an important step forward, in that it makes clear the priority is protecting every account with MFA — without mandating any specific technology. This is a notable shift, because we know that the weakest forms of MFA can still stop some attacks where passwords are the attack vector. We also know that FIDO Authentication is the only standards-based alternative to PIV for those applications that need protection against phishing attacks. This Executive Order opens the door for agencies to deploy FIDO Authentication — something we’ve heard they’ve wanted to do but have held back as use of any non-PIV authentication has not been permitted.
This isn’t the first time the U.S Government has advocated for the use of MFA and strong encryption. In an advisory issued by CISA in September 2020 on election security, the government agency noted that the majority of cyber-espionage incidents are enabled by phishing, and FIDO security keys are the only form of MFA that offer protection from phishing attacks 100% of the time.
In fact, the U.S. Government hasn’t just been advocating for the use of strong authentication with FIDO, it has actually already been implementing it since at least 2018 on the login.gov portal. With login.gov the U.S. Government is already offering a secure approach to help citizens and agencies to securely access Federal resources. In June 2019, the FIDO Alliance hosted a webinar detailing the deployment case study for login.gov, which is now even more timely with the need for agencies to adopt strong authentication in the next 180 days.
Since its inception, the FIDO Alliance has been bringing industry partners together, including every major operating system vendor as well as technology and consumer service providers across all industry verticals including financial services, ecommerce and government. All those diverse groups have been working together in common purpose to standardize strong authentication. Billions of devices around the world today can support FIDO Authentication and are ready to play their part in ensuring a strong authentication future. The fact that most major cloud providers, device manufacturers and browser vendors all ship with support for FIDO means that agencies can easily leverage MFA that is built in, rather than other products that need to be “bolted on.”
If there is one thing that the recent spate of attacks has served to once again remind us, it’s that the private sector and public sector need strong security measures to protect critical infrastructure — and the FIDO Alliance believes this begins with authentication.
We urge government agencies to adopt only the strongest forms of MFA when complying with this directive. The FIDO Alliance and its members stand ready to serve and help agencies with the education, resources and tools to implement strong authentication to help reduce risk and improve the cybersecurity posture of the U.S. Government.