United States government employees will soon be required to use a stronger measure of multi-factor authentication to access their work accounts, most likely a hardware security key. Aimed at putting an end to phishing, the measure is phasing out less secure forms of secondary authentication such as SMS text messages and app-based authenticators that generate one-time codes.
The measure is an early move in a broader campaign to shift government systems to a “zero trust” architecture that will have users and devices verify upon each connection to a network, even if previously authorized. Phishing is an early focus of this project due to the increasing sophistication of threat actors in both methods used and means of researching and targeting specific government employees.
Government employees get new anti-phishing tools amidst cyber crime wave
The Office of Management and Budget (OMB), which is heading up the security improvement efforts, has reportedly not settled on an exact multi-factor authentication standard yet but is looking at hardware keys. These keys would have to be physically inserted into a USB or similar port at the time of login to verify the government employee’s identity; they generally retail for about $20 to $40 each. The OMB Federal Zero Trust Strategy paper does not mention specific brands, but does touch on using PIV (Personal Identity Verification) cards and WebAuthn as a standard for a hardware-based system.
Though phishing has become much more targeted and sophisticated, one of the OMB’s primary concerns is automated and inexpensive attacks that can be scaled when victims are found. Even these relatively simple attacks have the ability to convincingly spoof government websites and capture multi-factor authentication tokens sent over text message or email.
While the methods are not simple, there are ways to intercept multi-factor authentication tokens that are provided to the end user in some visible form from a remote server. SMS text messages can be read via a SIM swapping attack, which allows a remote attacker to get into a victim’s phone communications with social engineering and with no physical access to the actual device. Bots have also been used to trick targets into providing their one-time codes over the phone or over the web to an attacker posing as a legitimate organization. And successful phishing of a government employee’s home email account or personal device could lead to interception of a one-time token issued for a work login.
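The difference between a relayed one-time code and a WebAuthn assertion from a hardware key is easier to see in code. The following is an added example, not code from the article or from any WebAuthn library or government system: it simulates the three parties in a WebAuthn login (the key, the browser, and the relying-party server), then runs the look-alike-site relay described above once against the key and once against a TOTP code. The origins `login.example.gov` and `login.example-gov.com`, the user `alice`, and the TOTP seed and time step are constructed; the key's signature is stood in for by an HMAC over the same bytes a real FIDO2 authenticator signs, which is why the server here holds the secret (a real deployment registers only the public key).

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Constructed example, not code from the article or from any WebAuthn library. The
# key's signature is stood in for by an HMAC over the bytes a FIDO2 authenticator
# signs (authenticatorData || SHA-256(clientDataJSON)); a real key uses a key pair.
REAL_ORIGIN = "https://login.example.gov"       # constructed relying-party origin
REAL_RP_ID = "example.gov"
PHISH_ORIGIN = "https://login.example-gov.com"  # constructed look-alike origin

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class Authenticator:
    def __init__(self):
        self._creds = {}  # credential id -> (rp_id, secret); each credential is bound to one rpId

    def make_credential(self, rp_id):
        cred_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, secret)
        return cred_id, secret  # secret stands in for the registered public key

    def get_assertion(self, cred_id, rp_id, client_data_hash):
        stored_rp_id, secret = self._creds[cred_id]
        if stored_rp_id != rp_id:
            raise PermissionError("credential is not scoped to this rpId")
        # authenticatorData = rpIdHash || flags (user present) || signature counter
        auth_data = sha256(rp_id.encode()) + b"\x01" + (1).to_bytes(4, "big")
        return auth_data, hmac.new(secret, auth_data + client_data_hash, hashlib.sha256).digest()

class Browser:
    """The browser, not the page script, writes the origin into clientDataJSON."""
    def __init__(self, authenticator, origin):
        self.authenticator, self.origin = authenticator, origin

    def navigator_credentials_get(self, cred_id, rp_id, challenge):
        host = urlparse(self.origin).hostname
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError(f"{self.origin} may not use rpId {rp_id}")
        client_data = {"type": "webauthn.get", "challenge": challenge, "origin": self.origin}
        cdj = json.dumps(client_data, sort_keys=True, separators=(",", ":")).encode()
        auth_data, sig = self.authenticator.get_assertion(cred_id, rp_id, sha256(cdj))
        return cdj, auth_data, sig

class RelyingParty:
    """Server side: one fresh challenge per login, then verify the assertion."""
    def __init__(self, origin, rp_id):
        self.origin, self.rp_id, self.users, self.challenges = origin, rp_id, {}, {}

    def begin_login(self, user):
        self.challenges[user] = secrets.token_urlsafe(32)
        return self.challenges[user]

    def finish_login(self, user, cdj, auth_data, sig):
        cred_id, secret = self.users[user]
        cd = json.loads(cdj)
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False  # assertion was made for some other site
        if cd.get("challenge") != self.challenges.pop(user, None):
            return False  # stale or replayed challenge
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return False  # wrong rpId
        expected = hmac.new(secret, auth_data + sha256(cdj), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

def _enrol():
    key, rp = Authenticator(), RelyingParty(REAL_ORIGIN, REAL_RP_ID)
    rp.users["alice"] = key.make_credential(REAL_RP_ID)
    return key, rp, rp.users["alice"][0]

def legitimate_login() -> bool:
    key, rp, cred_id = _enrol()
    challenge = rp.begin_login("alice")
    assertion = Browser(key, REAL_ORIGIN).navigator_credentials_get(cred_id, REAL_RP_ID, challenge)
    return rp.finish_login("alice", *assertion)

def phished_webauthn_login() -> str:
    """Look-alike site relays the real site's challenge to the victim's browser."""
    key, rp, cred_id = _enrol()
    challenge = rp.begin_login("alice")  # attacker opened a login with the real site
    try:
        Browser(key, PHISH_ORIGIN).navigator_credentials_get(cred_id, REAL_RP_ID, challenge)
    except PermissionError:
        return "refused: look-alike origin cannot claim example.gov"
    return "assertion produced"  # would still fail finish_login on the origin check

def phished_totp_login() -> bool:
    """A one-time code carries no origin: a code typed into the look-alike site is
    forwarded unchanged to the real site, which accepts it."""
    seed, step = secrets.token_bytes(20), 1_700_000  # constructed seed and time step
    def totp(counter):  # RFC 6238 style: HMAC-SHA1, dynamic truncation, six digits
        mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
        off = mac[-1] & 0x0F
        return (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 1_000_000
    code_typed_into_phishing_site = totp(step)  # victim reads it off their phone
    return totp(step) == code_typed_into_phishing_site  # real server's own check passes
```

Two properties do the work here, and neither depends on the user noticing the look-alike domain: the browser refuses to let a page at `login.example-gov.com` request an assertion scoped to `example.gov`, and even if an assertion were obtained, the server rejects one whose signed `origin` field is not its own or whose challenge has already been consumed. The TOTP path has no equivalent check, which is exactly why a relayed code is accepted. The one-rpId-per-credential scoping and the origin check are what a verifying server must implement; in practice that means a maintained WebAuthn library rather than a hand-rolled verifier like this one.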
As part of the phishing protection campaign, agencies are also tasked with implementing an enterprise-wide single sign-on (SSO) method to be integrated into applications and common platforms. Agencies are required to use open standards (such as SAML or OpenID Connect) and options that can be integrated into external cloud services as needed.
The cost would stand to go well beyond the hardware tokens, however. An astounding amount of equipment, a good deal of it legacy systems that are already badly outdated from a security perspective, could require hardware modification to make use of a standardized multi-factor authentication system. Some 1.8 million government employees would also need training, to say nothing of contractors that might also be required to participate in the system. This could be a difficult sell for an administration already in the midst of fighting to pass a record spending bill.
Multi-factor authentication is the first brick in a zero trust strategy
Impersonation-resistant multi-factor authentication is a key component of President Biden’s recent cybersecurity executive order, which established new requirements for industries connected to national security and the utility grid. And more measures are on the way as the administration seeks to tamp down on a spike in phishing of government employees and contractors; the Verizon 2021 Data Breach Investigations Report found that the vast majority of public sector breaches in 2020 were due to credential theft and social engineering.
Federal agencies have never before implemented a zero trust system, so the process of changing over may not be entirely smooth.
Roger Grimes, data-driven defense evangelist at cybersecurity firm KnowBe4, had some advice to offer on potential pitfalls: “If I, as an attacker, can trick you into clicking on the wrong link, it’s game over, just like it is with passwords and SMS-based MFA. So, don’t start jumping to conclusions that getting rid of SMS-based MFA and using hardware-based MFA is the answer. That’s just setting yourself and others up for failure and disappointment. Every type of MFA can be hacked multiple ways. Pick an MFA method that is less susceptible to hacking…like FIDO2 (which is involved with the WebAuthn standard mentioned), but understand that there are and will always be ways to hack and bypass them. Pick a good solution that is less resistant to hacking and then educate all government employees involved with your MFA project…senior management, sysadmins, the buyers, the implementers, the operators, and end-users, about the ways that the MFA method you selected to deploy can be hacked, and give education on how to avoid those types of attacks. You wouldn’t send your end-users out there with passwords and not tell them how to prevent being attacked. But most MFA implementers don’t give the same education and caution to their end-users and stakeholders, and that’s just asking for trouble. You would be amazed how easy it is to hack or bypass most MFA solutions…and in the same vein be amazed how just a little education can go a very long way to preventing those hacks. You just have to do it.”
The first OMB zero trust strategy draft was published in September, with a five-point strategy that is expected to be implemented by late 2024. Identity practices for government employees, such as the new multi-factor authentication requirements, are first on the list. In the coming three years the government is also expected to inventory and bolster the security of all of its devices, implement encryption on all networks, revise policies for testing and use of applications, and improve data handling practices to include the increased use of cloud-based security. Government agencies have already been asked to submit implementation plans and budget estimates for the full rollout period, and to appoint a lead.