Phishing Resistant MFA - FedRAMP in 5

Welcome back to "FedRAMP in Five," where we talk about all things FedRAMP in about 5 minutes. In our latest episode, Jackson Gorman and I delve into a topic that's capturing the attention of many Cloud Service Providers (CSPs) and government agencies alike: the adoption of phishing-resistant Multi-Factor Authentication (MFA) and the factors driving this shift. If you're looking for a more comprehensive read on Phishing Resistant MFA, check out our recent post.

The Need for Change

Historically, the digital identity guidance for authentication under NIST SP 800-63 has discouraged the use of telephony (SMS), email-based PINs, and similar methods for MFA. These methods have been documented as insecure and vulnerable to a plethora of exploits. However, FedRAMP MFA providers have been able to offer these options under certain circumstances for certain user personas.

The landscape began to shift dramatically following several high-profile cyberattacks, including those by the Lapsus$ ransomware gang targeting major corporations like Microsoft, Nvidia, and Samsung. One tactic these attackers employed leveraged phishing techniques, including MFA fatigue and push bombing, which inundate users with authentication prompts, often leading to human error and security breaches.

CISA and Phishing-Resistance

The Cyber Safety Review Board compiled a comprehensive report on the attacks and the need for phishing resistance in MFA, providing invaluable guidelines for industry implementation. According to CISA, solutions like FIDO2 WebAuthn and PKI have emerged as the standard for phishing-resistant MFA. Other methods, such as mobile push notifications without number matching, have proven increasingly vulnerable to attack.

What This Means for CSPs and FedRAMP Baselines

Per the latest updates to FedRAMP Rev5, phishing-resistant MFA is now a firm requirement. CISA’s fact sheet and the GSA phishing-resistant authenticator playbook offer a roadmap for CSPs to align with these new standards. By analyzing these resources, it's clear that the industry is moving towards a narrower set of phishing-resistant authenticators, mainly FIDO2 WebAuthn, and PKI-based solutions.

Platform vs Roaming Authenticators

It is critical to understand the distinction between platform and roaming authenticators. 

Platform Authenticators are built into the devices themselves and are backed by the device's Trusted Platform Module (TPM), Apple's Secure Enclave, or Android Knox. The authenticators are typically unlocked with a biometric or other local authentication factor. Examples of Platform Authenticators include MacBook's Touch Bar, Windows Hello, iOS Touch ID/Face ID, and Android's fingerprint/face recognition.

Roaming Authenticators are external devices like USB hardware tokens (e.g., YubiKey) that can be used across multiple devices. Adopting hardware tokens such as YubiKey does present logistical challenges, especially for larger organizations with thousands of users. It's imperative for CSPs to evaluate the options between platform and roaming authenticators thoughtfully.

The FedRAMP Baseline and Compliance

For CSPs, understanding the interplay between FedRAMP baselines and NIST guidelines is crucial. Notably:
- For FedRAMP CSPs, IA-2 and its phishing-resistant mandate is now a requirement at Rev5 across the low, moderate, and high baselines.
- NIST 800-63 still describes AAL3 systems as requiring phishing-resistant MFA, while AAL2 recommends it.

The current guidance is not explicit about the usage of platform versus roaming authenticators, causing some confusion. The industry is watching how interpretations by the 3PAOs (Third-Party Assessment Organizations) will unfold.

The Future of Phishing-Resistant MFA

Moving forward, the industry needs more options. While Okta's recent developments with FastPass, an implementation of passkeys, are promising, widespread adoption and clear regulatory direction will be vital in reducing vulnerabilities.

For more in-depth insights and resources, check out our recent blog post on phishing-resistant MFA. Your feedback is invaluable—if you’re grappling with these challenges, feel free to reach out to us for deeper discussions and tailored solutions.