Update 8/8/2024 - For more info on Phishing Resistant MFA, checkout our latest FedRAMP in 5 episode.

What's going on with Phishing Resistant MFA?

The NIST SP 800-63 guidelines, established in 2017, gained renewed attention due to evolving cybersecurity threats and directives like Executive Order (14028). This Executive Order, and associated memos, mandates that government agencies implement security measures beyond just usernames and passwords by incorporating an additional factor, such as a unique digital component from a third-party service. Common methods include one-time passwords (OTPs), simplified authenticator recovery, biometric usage, or PINS delivered through an application, if third-party communication remains uncompromised. However, recent large-scale cyber-attacks have resulted in stricter standards for the implementation of multifactor authentication (MFA) due to growing concerns on current use of MFA by government agencies and contractors.

FedRAMP and NIST 800-53: Growing Concerns

Historically, FedRAMP solutions have focused on NIST 800-53 control families for accreditation, placing less emphasis on phishing resistance. As FedRAMP has matured, the risk of compromise in the supply chain, from cloud-to-cloud interconnections, on-prem to cloud interconnections, and users has increased. This highlights the need to reassess the trust placed in third-party authentication solutions, particularly considering emerging threats such as phishing, push bombing, protocol exploitation, and sim swapping. According to NIST, “Any authenticator that involves the manual entry of an authenticator output, such as an OTP, password, or other knowledge factor, is not considered phishing-resistant” because these authenticators are something you know, not something you are. FedRAMP has captured this in the latest FedRAMP tailored NIST 800-53 baselines with new requirements for control IA-2 and its enhancements mandating phishing resistance for MFA.

Renewed Focus on Phishing

The renewed focus on phishing stems from its rapid growth and effectiveness in bypassing existing network security measures under both FISMA and FedRAMP. Executive Order 13800 prompted the replacement of the "Cloud First" Office of Management and Budget (OMB) policy (M-11-29) to the "Cloud Smart" OMB policy (M-19-26). More detailed requirements were introduced in Executive Order 14028, as it was revealed that phishing attacks were not being taken seriously by many agencies. This prompted the OMB to issue memos like M-22-9, emphasizing zero trust, and M-21-31, focusing on alternatives to network inspection.

High-profile breaches, such as SolarWinds and Snowflake, underscore the need for heightened vigilance, as a single compromised user can undermine extensive security measures. When NIST 800-63 was published, technologies like Fast Identity Online (FIDO), Client to Authenticator Protocol (CTAP) (latest version of U2F), and Web Authentication (WebAuthn) from the World Wide Web Consortium (W3C) (FIDO2 = FIDO+CTAP) were not fully developed. These technologies now offer robust solutions for user authentication.

Current Standards and Use Cases for Phishing Resistance

While FIDO standards remain applicable and effective for general use, their deployment should be carefully considered and primarily limited to non-admin users under specific conditions. FIDO standards provide strong authentication mechanisms that significantly enhance phishing resistance by using cryptographic keys rather than passwords, thus reducing the risk of credential theft. For non-administrative users, the standard FIDO MFA implementations can be sufficient to ensure a secure and user-friendly authentication process without introducing undue complexity.

For admin users, the security stakes are considerably higher due to their elevated access privileges and the sensitive nature of the systems they manage. These users should leverage more advanced authentication methods such as FIDO2/WebAuthn or PKI-based standards, which offer stronger protection against sophisticated phishing attacks. FIDO2/WebAuthn enhances security by supporting passwordless authentication and leveraging public key cryptography to verify the user's identity. PKI-based standards, on the other hand, utilize digital certificates and encryption to provide a high level of trust and security in user authentication.

Despite the advanced security offered by these advanced standards, the current tech landscape presents limited choices for their practical implementation in FedRAMP. Furthermore, the adoption of FIDO2/WebAuthn and PKI-based standards often requires significant investment in infrastructure and training, which can be a barrier for some organizations.

Avoiding Vulnerable Solutions

Solutions to avoid due to their susceptibility to phishing include:

• SMS, voice, and email one-time passwords and PINs
  • SMS, voice, and email one-time pins have long been considered vulnerable as their susceptibility to phishing attacks, protocol exploitation, and SIM swapping is high.
• Mobile application push notifications without number matching
  • The recent emergence of push bombing has increased phishing susceptibility of commonly used mobile application “Push” MFA because of user error.
• Mobile application number matching & token time-based one-time passwords/one-time passwords (TOTP/OTP)
  • Most recently, while resistant to push bombing, protocol exploitation, and SIM swapping, TOTP/OTP have also fallen out of favor because of phishing and man-in-the-middle attacks.

The path forward involves adopting device binding with a FIDO platform authenticator, FIDO roaming authenticators, and certificate-based authentication with PKI issuers, Okta, Microsoft and products such as Yubico’s Yubikey, Identiv’s UTrust, and Google Titan, among others.

The PIV Card Process

Currently, PIV cards (or CAC cards) provide a robust PKI-based MFA solution but present challenges for organizations and general users. These cards are costly and require justification for access, along with credentials like a passport or Real ID driver's license and even additional hardware such as a reader. While government agencies and contractors can leverage PIV cards with existing infrastructure, this option may not be viable for commercial, administrative users without contract vehicles and may require development of new supporting technology, such as IdP integration with SAML/OpenID/OIDC.

Derived PIV and Interoperable Technology

Derived PIV and PIV-I technologies aim to support derived PIV and interoperable solutions, which could broaden access and enhance security measures. Derived PIV extends the functionality of physical PIV cards to mobile and remote platforms through either software or hardware (embedded or removable) cryptographic tokens offering secure and convenient access; While interoperability ensures that PIV credentials are recognized and accepted across different systems and organizations, facilitating a seamless and secure authentication experience.

Recap

*While OTP/Push is generally vulnerable to phishing attacks, CISA notes: “Authentication via app- or token-based OTP or mobile push with number matching are the best options for small- and medium-size businesses that cannot immediately implement phishing-resistant MFA.”

Alternatives to the PIV Card

Issuers of PIV-Interoperable (PIV-I) that are supported by the FISMA/FedRAMP/DoD processes are listed below (non-comprehensive, see additional issuers here [22][23]):

• DISA
• Entrust
• IdenTrust
• DigiCert
• Intercede
• Verizon
• Northrop
• Carillon

While most commercial entities entering the FedRAMP process can justify a FIDO or FIDO2/WebAuthn MFA solution, some systems may fall outside this scope and may need to procure PKI-based solutions like PIV-I or PIV-cards and readers. It’s important to weigh your options for FIDO/FIDO2 versus PKI-based authentication options based on your systems impact and assurance levels.

For more details on addressing these requirements under FedRAMP and DoD at Rev 5, particularly the emphasis on SP 800-63, reach out to InfusionPoints. If you're unsure how these changes impact you and want to discuss your options, we’re ready to assist.

info@infusionpoints.com

Affected Community of NIST 800-63

Industries impacted or referencing NIST SP 800-63 in their regulations include:

References and Helpful Links:

1. Identity Management Playbooks
2. NSA Guide on Phishing Attacks
3. NIST SP 800-63B Supplement
4. Identity Management Architecture
5. FINRA
6. Entrust
7. Intercede
8. Executive Order 13800
9. Executive Order 14028
10. OMB M-11-29
11. OMB M-19-26
12. OMB M-21-31
13. OMB M-22-09
14. CISA Fact Sheet on Phishing-Resistant MFA
15. FedRAMP Documents and Templates
16. CISA Hybrid Identity Solutions Architecture
17. Identity Management Playbooks - SSO
18. Identity Management University - PIV-I
19. NIST 800-63 FAQ
20. NIST SP 800-63B Conformance Criteria
21. Cyber.mil PKI-PKE Interoperability
22. Federal PKI Policies and Profiles
23. Frontiers in Computer Science