Federal CISO clarifies support for standard that could make password history

The Biden administration adopts an industry-derived crypto standard that promises to make passwords a thing of the past.

Federal Information Security Officer Chris DeRusha has raised some lingering doubts about the standard’s suitability for government use as federal agencies scramble to implement an executive order imposing a new “zero trust” security concept based on the validity of the identities of individual users against the overall defenses implemented around an organization’s internal network.

The May executive order was issued largely in response to last year’s breach by federal IT management firm SolarWinds, which highlighted how dependence on passwords provides a ready attack surface for them. opponents. And more recently, the National Security Agency has warned of vulnerabilities in VPNs, which feature primarily in the traditional defense perimeter security model, creating more urgency for the transition to zero trust.

The solution in question will sound familiar to those already using a Personal Identity Verification Card, or PIV, on the civilian side or a Common Access Card, or CAC, on the military side. These security features typically contain a cryptographic key in a physical device that phishers are not able to extract from unsuspecting employees the same way they do for passwords or answers to security questions. .

Both protocols are based on public key cryptography. A call-and-answer process verifies the identity of a user by matching the key in their possession with a key only linked to a device, such as government-issued cards, USB drives, those using security technology. near-field communication or mobile phone, and stored by the entity granting access to the requested entity on a second device, such as a desktop or laptop. The industry-led protocol also facilitates the use of biometric identity validators such as fingerprints.

A key difference in the second version of an open standard for this process established by a large group of large companies that make up the Fast Identity Online Alliance — FIDO2 — is that it requires the holder of the authentication device to record their credentials. ‘Identification directly with the provider of the web services they are trying to access, instead of a centralized authority.

This raises thorny issues, such as those surrounding end-to-end encryption, which have created tensions between government and industry leaders for years.

“My question… is, well, now that we have all of these identities, and we’re trying to put them all together, if it’s going to be done in one central location, and then you ask the emperor to decide who has access to what. “Said Silas Calhoun, head of the Department of Defense Credentials and Access Management Division.” You know, this is really the problem that we are trying to analyze now. “

Calhoun was speaking at a September 16 webinar hosted by the Advanced Technology Academic Research Center on the government’s exploration of the FIDO system. He advocated for centralization, noting the need to effectively track and update the status of devices in case a key should be invalidated.

The public key infrastructure, or PKI, used by the CAC system, he said, for example, is jointly managed by the NSA, the Defense Information Systems Agency, and the Defense Manpower Data Center.

“The CAC is lost or stolen, or misused, it can be revoked and this revocation information can then be distributed to and through all the trusted parties of the DoD within the DOD network,” he said. declared. “But to my knowledge, none of these centralized infrastructures exist for non-PKIs [multi factor authentication]. “

Speaking at the same webinar, Jeff Phillips, vice president of public sector at Yubico, a supplier of FIDO-enabled devices, acknowledged that this was a gap when asked why the Institute National Standards and Technology, which guides the implementation of federal policy by agencies, has not yet explicitly approved the new system.

“It’s already very similar to PKI,” he said. “Obviously the concept of administrator is what is missing in FIDO, I think that is a limitation of FIDO. But once this administration is available and on a large scale, you will see … many larger implementations.

Other issues of scale-up and adoption also mitigate the prospect of completely removing pesky passwords in light of the more secure open standard. But for now, the government is committed to using web protocol as a second form of authentication.

The draft policy released this fall by the Office of Management and Budget for the implementation of the decree’s zero trust mandate particularly underscores the importance of such second factor authentication for government citizen services.

“To fairly balance security and usability, government systems intended for the public must offer users more authentication options,” the document read. “To this end, publicly available agency systems that support MFA must provide users with the ability to use phishing-resistant authentication. Since most of the general public will not have a PIV or CAC card, agencies will need to meet this requirement by supporting web-based authentication approaches, such as security keys.

The document also called for such secure access to be available through single sign-on for as many government officials as possible. This could lead more agencies to Login.gov, where government service users can already use FIDO keys to securely access multiple government websites.

But supporters of FIDO2 have expressed concerns that NIST did not mention the standard by name in identify mechanisms “resistant to identity theft” which, according to the OMB, are now necessary to protect against phishing attacks.

NIST did not respond to requests for comment, but the agency planned to release the latest version of its guidance on the matter – the special publication 800-63-4 – between fall 2021 and spring 2022, according to one. roadmap last updated in August. But DeRusha weighed in.

“Identity is a key pillar of the U.S. government’s zero trust strategy, and an important component of it is ensuring that federal agencies use strong multi-factor authentication that protects against phishing, one of the drivers of most common threats to businesses, ”he said. Nextgov. “To achieve this consistently, we anticipate that federal agencies will need to supplement their use of PIV with devices that support FIDO2 and web authentication standards, while phasing out weaker approaches that offer less protection against threats. real world phishing campaigns. “

As agencies make plans to comply with OMB guidelines, the FIDO system, which Google has introduced and implemented as “BeyondCorp” throughout his company in 2014, also made a strong impression with the security professionals charged with shaping their internal processes.

“I read on Google’s BeyondCorp, and it’s pretty good,” Trafenia Salzman said,

security architect at the US Small Business Administration. She was attending an ATARC webinar on September 9 and answered a question about useful resources to guide the implementation of zero trust.

At the same webinar, Davon Tyler, chief information security officer at the US Mint, agreed. When asked to address those worried that implementing zero-trust core privileged access systems would hamper speedy development cycles, he added, “I would tell them.” look what Google is doing “. I mean they’ve been doing this for years now, when it comes to agility and deploying new apps, new software leveraging zero trust. Their whitepaper is really well written to describe their journey towards this one.

The FIDO system is also having success on the new Cybersecurity Advisory Committee of the Cybersecurity and Infrastructure Security Agency. Cyber ​​security journalist Nicole Perloth and Alex Stamos, chief of the Stanford Internet Observatory and former Facebook security chief who now runs a consultancy with former CISA director Christopher Krebs, both approved for use more ubiquitous FIDO cryptographic keys at the first committee meeting earlier this month.

Industry and government panelists at the ATARC September 16 webinar said bottlenecks at the PIV and CAC issuing authorities, and the incompatibility of cards with the mobile devices on which employees are Becoming more dependent when working remotely are some of the reasons agencies are launching pilots to see where FIDO2 can fill the gaps in anti-phishing MFA.

“FIDO2 is coming to the military within two months,” said John Pretz, technical director and project manager for Identity Access Management at the Executive Office of the Army’s Information Systems Program. ‘business. “We are trying to implement it right now, everyone is trying to figure out how to deal with the different layers of the AMF,” he said, adding that the military had built a [identity credential access management] portal to manage various authentication devices used by military personnel and contractors. Army announced plans to implement FIDO keys as an alternative authenticator back in april.

Another simple reason the system might never completely replace passwords has been noted by FIDO2 enthusiasts: cost.

Pretz was worried that the key issuers would say, “Okay, you’re going to get the first token for free, but after that, if you lose it, you have to pay.” “

“The initiative to establish an acquisition vehicle to buy a large part of these tokens is also what is missing,” he said. “Because if we’re talking business, how are we going to have a cost model for business hosting in terms of these tokens? “