Page 37 - FCW, August 2017

to users, and any MFA is better than no MFA,” said Paul Grassi, senior standards and technology adviser at NIST. “The term ‘deprecation’ confused people. It wasn’t clear if [SMS 2FA] was disallowed or remained allowed.”
He added that federal agencies must be aware that there are risks to using SMS for MFA and that they have alternatives.
NIST published an early preview of its proposal and received both praise and negative feedback, Grassi said. In addition, the telecommunications, financial and security industries provided guidance on how to use SMS successfully. Those actions resulted in the four-volume SP 800-63 Digital Identity Guidelines.
“NIST applied the changes and ended up landing on ‘restricted’ rather than deprecated use of SMS for 2FA,” Grassi said. “Restricted means you, the organization, are taking a risk using SMS for 2FA. Users are also taking a risk.”
The organization should offer users an alternative so that they can minimize that risk, he added, but NIST does not tell federal agencies which authentication factors to use. Instead, it’s important for agencies to consider what flavor of MFA makes sense for them and what trade-offs must be factored into those decisions.
Federal security researchers said NIST’s recommendation that agencies avoid relying on SMS delivery of one-time passwords (OTPs) does not mean an end to 2FA.
“There are other approaches that can deliver 2FA — notably push-based OTP, which sends a code to a mobile device usually via a dedicated mobile app,” said Merritt Maxim, a senior analyst at Forrester Research. “But it is cryptographically signed and not delivered via the SMS channel so it avoids the SMS delivery vulnerabilities.”
Google Authenticator is one example of a 2FA mobile app.
DOD’s CAC experience proves instructive
Before Terry Halvorsen retired as CIO of the Defense Department in February, he commissioned a plan for DOD to stop using Common Access Cards as an authentication factor. Although the plan was still a work in progress at the time of his departure, CACs’ lack of agility prompted him to draw some broad conclusions about NIST guidelines, SMS 2FA and MFA.
“DOD and certain federal networks already exceed NIST network security requirements,” said Halvorsen, who is now an executive vice president and CIO at Samsung. “DOD has CAC, PIN and other multifactor authentication methods. 2FA is not a big deal for some parts of federal networks. They’ve already completed this journey.”
Overall, he said he believes there will not be a standard MFA for the federal government and that each agency will instead work with security vendors to find the most effective solution.
“In general, you will move to MFA in conjunction with technology that makes it easy to use,” Halvorsen said. “Certain government agencies will go beyond easy-to-use MFA to leverage their mission. They are moving to get rid of passwords and go to biometrics, voice recognition, facial recognition and behavior-based movement of hands” for authentication.
Although DOD is headed toward MFA, officials will not say which MFA factors to use. Halvorsen said passwords have been supplanted as an authentication factor, however, and could fall out of use entirely. Replacement options could include iris scanners, fingerprint readers, facial recognition and other authentication factors that are becoming easier to use.
“Authentication can use a combination of biometrics, user behavior and cross-referenced user data that is easily available,” Halvorsen said. “For example, say your phone is locating you in Los Angeles, and now there’s a login from Europe. We’re sure it’s not you. Data analytics engines at a high level will authenticate.”
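The Los Angeles/Europe case Halvorsen gives is what detection engineers call a geo-velocity or “impossible travel” check: if two location-bearing events for the same user imply a speed no traveller could reach, the later login is flagged for step-up authentication or review. The following is an added example, not code from the article or from DOD; the events, the 1,000 km/h plausibility ceiling and the city coordinates are constructed for illustration.

```python
"""Added example: geo-velocity ("impossible travel") check over constructed login/location events."""
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass(frozen=True)
class LocatedEvent:
    user: str
    ts: datetime
    lat: float
    lon: float
    source: str  # constructed label, e.g. "phone-gps" or "web-login"


# Assumption: nothing legitimate moves much faster than an airliner. Tune per environment.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance on a spherical Earth (radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def implied_speed_kmh(prev: LocatedEvent, cur: LocatedEvent) -> float:
    """Speed the user would have needed to get from prev to cur. Two different places
    at the same instant is treated as infinite speed rather than a division error."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        return math.inf if km > 0 else 0.0
    return km / hours


def flag_impossible_travel(events: List[LocatedEvent], max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[dict]:
    """Sort each user's events by time and alert on any consecutive pair whose implied
    speed exceeds max_kmh. Returns one alert dict per offending pair."""
    by_user: Dict[str, List[LocatedEvent]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            speed = implied_speed_kmh(prev, cur)
            if speed > max_kmh:
                alerts.append({"user": user, "at": cur.ts, "from": prev.source,
                               "to": cur.source, "kmh": round(speed)})
    return alerts


def _utc(hour: int, minute: int) -> datetime:
    return datetime(2017, 8, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample: alice's phone reports Los Angeles, then a web login arrives from
# Frankfurt 30 minutes later; bob goes Washington, DC -> New York over four hours.
SAMPLE_EVENTS = [
    LocatedEvent("alice", _utc(12, 0), 34.0522, -118.2437, "phone-gps"),
    LocatedEvent("alice", _utc(12, 30), 50.1109, 8.6821, "web-login"),
    LocatedEvent("bob", _utc(9, 0), 38.9072, -77.0369, "phone-gps"),
    LocatedEvent("bob", _utc(13, 0), 40.7128, -74.0060, "web-login"),
]

if __name__ == "__main__":
    for alert in flag_impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

In practice the location of a web login comes from IP geolocation, which is coarse and wrong for VPN and mobile-carrier egress points, so a flag like this is best used to trigger a stronger factor rather than to deny outright.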
Eventually, Halvorsen said it would be ideal if users were not even aware of authentication activities, and he believes we will not need passwords or challenge questions to authenticate users in the future.
The weakest link in MFA
Federal networks are only as strong as the weakest people accessing them, which makes humans the weak link in security.
“So long as authentication is based primarily on human-defined and -managed passwords, our systems will be compromised,” said Phil Quade, chief information security officer at Fortinet. “Despite persistent training and warnings, passwords are almost always compromised because they are too easy to guess, used for too long — extending the duration of exposure of compromised passwords — and repeated across different accounts, allowing a compromise on one machine to lead to compromises on others.”
Debra Marchese, vice president of information systems at federal contractor UTRS, said, “Everyone is trying to get a handle on how we protect systems. There are different levels of protection. No matter how many layers of security you have, vulnerability [will] always exist if users don’t have good cyber hygiene and don’t have a vested stake in securing systems. If it’s too difficult, people will find a way around security to get their job done. Bottom line: It comes down to end users.”
From her point of view, proper network security must be part of everyday computer use rather than something that is addressed once a year by top leaders. And the only way to do that is to have an appropriate level of investment in people. Unfortunately, Marchese said that approach runs counter to how the federal government arranges its priorities.
The first thing federal agencies take into account is cost. “They’re worried