Content, Content

CISA Director Jen Easterly Issues Call to Action for Multi-factor Authentication, Passwordless Security

Credit: Cybersecurity and Infrastructure Security Agency (CISA)

Jen Easterly, who directs the nation’s Cybersecurity and Infrastructure Security Agency (CISA), urged Americans to “take action” to stay safe online by engaging multi-factor authorization (MFA) on personal email accounts, social media accounts, online services and “really anything with data that you care about protecting.”

Easterly: Use More Than One Password

In her blog post, Easterly reiterated the government’s call for “everyone to use more than a password.” Easterly is asking technology providers to lead the change to up the ante on security, leading by example, which some are already doing:

“For example, there are a growing number of online services that are now mandating MFA for their enterprise customers. This is a big win, and others should follow suit. We’ve known for years that any form of MFA is better than no MFA."

But MFA isn’t the complete answer to battling the scourge of cyberattacks on personal and corporate credentials. Easterly recounted “several high-profile compromises” in the last two years in which hackers bypassed traditional forms of MFA:

“Credential phishing is a sad fact of life. When dedicated, human adversaries spend enough time and effort trying to trick us, someone in your organization will eventually fall for the ruse. And it could be you.”

Along those lines, Easterly touted the work of the FIDO (Fast IDentity Online) Alliance, an advocacy group featuring many of the world’s technology leaders. The companies include Amazon, Apple, Google, Intel and Microsoft, along with numbers of business leaders. They have issued a set of "gold standard" protocols to advance passwordless authentication.

According to the FIDO, the Alliance, which formed in 2012, focuses on the “lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords.” Its mission is to provide “simpler, stronger authentication” to reduce the reliance on passwords when authenticating to online services.

Here is some of FIDO’s supporting data:

  • Passwords are the cause of over 80% of breaches.
  • Users have more than 90 online accounts.
  • Up to 51% of passwords are reused.
  • One-third of online purchases are abandoned due to forgotten passwords.
  • The average password reset costs $70 for help desk labor.

Easterly's "Asks"

Easterly posed a number of “asks” of businesses and technology companies:

"To business leaders, I urge every CEO to ensure that FIDO authentication is on their organization’s MFA implementation roadmap. FIDO is the gold standard. Go for the gold."

"To the technology vendors that power our digital lives, today, we lack visibility into MFA adoption in online services. A few services have helpfully published data, but most have not, and that lack of visibility is hurting our collective ability to truly tackle the challenges that will allow us to raise the cybersecurity baseline for the nation."

In this context, Easterly asks organizations to:

  1. Embrace radical transparency for MFA statistics. We can’t improve what we don’t measure. Simply put, we need better visibility into MFA adoption. For example, what percentage of enterprise users are using SMS vs FIDO vs an authenticator app? And how are those numbers changing quarter to quarter? It is the technology providers that can inform the whole ecosystem.
  2. Nudge end-users to use MFA. On most online services today, there is no visible difference between an account that is protected with MFA and one that is vulnerable to various attacks like password spraying. If you try to drive your car without buckling up, what happens? Your car alerts you in a way that strongly encourages you to put your seatbelt on. We need active, even aggressive nudging so when someone starts to use a new online service, they know that they need to enroll in MFA. There are some challenges here, but help is on the way. I’m watching with great interest vendors adopting FIDO “passkeys,” an extension to FIDO authentication that promises to deliver a more integrated and intuitive user experience.
  3. Nudge system administrators. On some systems, MFA adoption by system administrators is well under 50%. We need to be the burr under the saddle, a constant irritation until we get to 100% MFA adoption, with a strong bias towards FIDO authentication. System administrators are particularly high-value targets, and they need to properly protect those accounts.
  4. Ensure there are no pricing barriers to organizations adopting MFA. Every user, every customer, from the biggest companies down to the small businesses, schools, hospitals, and local governments in every community deserve to have MFA.
  5. 100% FIDO authentication for cloud services staff. Many organizations have concluded that it’s safer to move their organization’s data and services to trustworthy cloud providers. After the rash of MFA bypass compromises this year, it’s clear that being a “trustworthy” cloud provider means “we won’t lose your data, even when our staff fall for a credential phishing ruse.” Some organizations have already done that and have averted disaster. We look forward to all cloud providers bragging about how their FIDO deployments make them trustworthy!

Easterly concluded by issuing a call to action:

“The bottom line is that we need to all get in the game and work this issue together. By tackling the MFA challenge from different angles, we can significantly improve online security — and by extension our business, personal and even national security.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.

You can skip this ad in 5 seconds