Next Level MFA: FIDO Authentication

If you follow @CISAgov or @CISAJen on Twitter, you know how passionately we’ve been advocating for everyone to use MORE THAN A PASSWORD!

Many of us know that enabling multi-factor authentication is the single most important thing Americans can do to stay safe online. As I’ve been traveling the country this Cybersecurity Awareness Month, encouraging Americans to take action to stay safe online, this is my biggest ask: Enable MFA on your email account, your bank account, your social media accounts, and really anything with data that you care about protecting. We’re all in this together – in fact, last year President Biden directed all federal agencies to focus on adopting MFA and we’re hard at work driving improvements across the government toward this goal.

MFA by the numbers

While much of our focus this October has been on individuals, when it comes to MFA, technology providers should really be out front here, leading by example, and it’s been great to see some of the industry trendsetters leaning forward on MFA adoption. For example, there are a growing number of online services that are now mandating MFA for their enterprise customers. This is a big win, and others should follow suit. And while we celebrate and encourage industry leadership in MFA adoption, we can still do more.

For example, one top vendor reports that only about a quarter of their enterprise customers have enrolled in MFA. More significant is their report that only about 1/3 of the system administrators of those organizations use MFA. 

Recent attacks

Even with MFA enabled, however, there have been several high-profile compromises over the past couple of years where attackers were able to bypass traditional forms of MFA, such as SMS texts, authenticator apps, or push notifications. These compromises surprised some observers, but really, it was only a matter of time. In fact, there are widely available “MFA bypass toolkits” that reduce the cost of attack. Unfortunately, we expect to see more and more such compromises. Credential phishing is a sad fact of life. When dedicated, human adversaries spend enough time and effort trying to trick us, someone in your organization will eventually fall for the ruse. And it could be you.

We’ve known for years that any form of MFA is better than no MFA.  That’s still true, but we’ve also known that at some point “traditional MFA” would become “legacy MFA” and need to be reassessed or even replaced. Luckily a group of companies formed the FIDO Alliance to create a phishing-resistant form of MFA. They’ve been able to bake FIDO protocols into the operating systems, browsers, phones, and tablets that you already own. And FIDO is supported on dozens of online services. Organizations large and small are starting pilots and even completing their rollout to all staff.

At CISA, we talk often about resilience. We have to accept that even with all the planning and exercising to keep our systems, data, and infrastructure safe, it is still true that bad things will happen, like an employee in your organization falling for a phishing email. The reason FIDO is so valuable is because even when this happens, the attack will still fail.

This week the FIDO Alliance is hosting their annual Authenticate conference in Seattle, and we’re taking advantage of the event to shine the spotlight on FIDO as the gold standard for MFA and the only widely available phishing resistant authentication.

Where do we go from here?

So, with this clarity, I make a few asks:

To business leaders: I urge every CEO to ensure that FIDO authentication is on their organization’s MFA implementation roadmap. FIDO is the gold standard. Go for the gold.

To the technology vendors that power our digital lives: Today, we lack visibility into MFA adoption in online services. A few services have helpfully published data, but most have not, and that lack of visibility is hurting our collective ability to truly tackle the challenges that will allow us to raise the cybersecurity baseline for the nation. In this context, we ask you to:

1. Embrace radical transparency for MFA statistics: We can’t improve what we don’t measure. Simply put, we need better visibility into MFA adoption. For example, what percentage of enterprise users are using SMS vs FIDO vs an authenticator app? And how are those numbers changing quarter to quarter? It is the technology providers that can inform the whole ecosystem.
2. Nudge end-users to use MFA: On most online services today, there is no visible difference between an account that is protected with MFA and one that is vulnerable to various attacks like password spraying. If you try to drive your car without buckling up, what happens? Your car alerts you in a way that strongly encourages you to put your seatbelt on. We need active, even aggressive nudging so when the someone starts to use a new online service, they know that they need to enroll in MFA. There are some challenges here, but help is on the way. I’m watching with great interest vendors adopting FIDO “passkeys,” an extension to FIDO authentication that promises to deliver a more integrated and intuitive user experience.
3. Nudge system administrators: On some systems, MFA adoption by system administrators is well under 50%. We need to be the burr under the saddle, a constant irritation until we get to 100% MFA adoption, with a strong bias towards FIDO authentication. System administrators are particularly high-value targets, and they need to properly protect those accounts.
4. Ensure there are no pricing barriers to organizations adopting MFA: Every user, every customer, from the biggest companies down to the small businesses, schools, hospitals, and local governments in every community deserve to have MFA.
5. 100% FIDO authentication for cloud services staff: Many organizations have concluded that it’s safer to move their organization’s data and services to trustworthy cloud providers. After the rash of MFA bypass compromises this year, it’s clear that being a “trustworthy” cloud provider means “we won’t lose your data, even when our staff fall for a credential phishing ruse.” Some organizations have already done that and have averted disaster. We look forward to all cloud providers bragging about how their FIDO deployments make them trustworthy!

The bottom line is that we need to all get in the game and work this issue together.  By tackling the MFA challenge from different angles, we can significantly improve online security—and by extension our business, personal and even national security.