Federal CISO Clarifies Support for a Standard that Could Make Passwords History

The Biden administration is embracing an industry derived cryptography standard that promises to make passwords a thing of the past.  

Federal Chief Information Security Officer Chris DeRusha cleared up some lingering uncertainty over the standard’s suitability for government use as federal agencies work to implement an executive order mandating a new ‘zero trust’ security concept based on the validity of individual user identities versus blanket defenses built up around an organization’s internal network. 

The May executive order was issued largely in response to the breach last year of federal IT management firm SolarWinds, which highlighted how reliance on passwords provides a ready attack surface for adversaries. And more recently, the National Security Agency warned of vulnerabilities with Virtual Private Networks—dominantly featured in the traditional perimeter-defense security model—creating more urgency for the move to zero trust. 

The solution in question will sound familiar to those already using a Personal Identity Verification, or PIV, card on the civilian side or a Common Access Card, or CAC, on the military side. These security features typically house a cryptographic key in a physical device that phishers aren’t able to extract from unsuspecting employees in the same way they do passwords or answers to security questions. 

Both protocols rely on public key cryptography. A call and response process verifies a user’s identity by matching the key in their possession with one uniquely tied to a device—such as the government issued cards, USB sticks, those using near-field communication technology, or a mobile phone—and stored by the entity that grants access to the requested entity on a second device—such as a desktop computer or laptop. The industry-led protocol also facilitates the use of biometric identity validators such as fingerprints.  

An essential difference in the second version of an open standard for this process established by a large group of major companies that form the Fast Identity Online Alliance—FIDO2—is that it requires the keeper of the authenticating device to register their identifying information directly with the provider of the web services they’re trying to access, instead of a centralized authority.

That raises thorny issues, such as those surrounding end-to-end encryption, that have created tension between government and industry leaders for years. 

“My question … is, well, now that we have all these identities, and we're trying to basically corral them all, should it be done in one central location, and then you kind of have the emperor decide who has access to what,” said ​​Silas Calhoun, chief of the Defense Department’s identity credential and access management division. “You know, that's really the problem set that we are trying to analyze now.”

Calhoun was speaking during a Sep. 16 webinar the Advanced Technology Academic Research Center hosted on the government’s exploration of the FIDO system. He made a case for centralization, noting a need to effectively track and update the status of devices in the event a key needs to be invalidated.  

The Public Key Infrastructure, or PKI, used by the CAC system, he said, for example, is managed jointly by the NSA, the Defense Information Systems Agency and the Defense Manpower Data Center.  

“The CAC is lost or stolen, or misused, it can be revoked and this revocation info can then be distributed to and across all of the DoD relying parties within the DOD network,” he said. “But to my knowledge, none of this centralized infrastructure exists for non-PKI [multi factor authentication].”

Speaking at the same webinar, Jeff Phillips, vice president of public sector for Yubico, a vendor of FIDO friendly devices, acknowledged the centralization issue as a shortcoming when asked why the National Institute of Standards and Technology—which guides agencies’ implementation of federal policy—hasn’t yet explicitly approved the new system.    

“It's very similar to PKI already,” he said. “Obviously, the concept of administrator is what's missing in FIDO, I think that's a limitation of FIDO. But once that administration is out there, and in scale, you're going to see … a lot of larger implementations.” 

Other scaling and adoption issues also dampen the prospect of doing away with pesky passwords altogether in light of the more secure open standard. But for now, the government is committed to employing the web-based protocol as a second form of authentication.

Draft policy the Office of Management and Budget issued this fall for implementing the executive order’s zero trust mandate particularly emphasizes the importance of such second factor authentication for the government’s citizen services. 

“To equitably balance security and usability, public-facing government systems need to offer users more options for authentication,” the document reads. “To that end, public-facing agency systems that support MFA must give users the option of using phishing-resistant authentication. Because most of the general public will not have a PIV or CAC card, agencies will have to meet this requirement by providing support for Web Authentication-based approaches, such as security keys.”

The document also called for such secure access to be available through a single sign on for as much of the government as possible. That could drive more agencies to Login.gov, where users of government services can already use FIDO keys to securely access multiple government websites.

But supporters of FIDO2 have expressed concerns that NIST did not mention the standard by name in identifying the “verifier-impersonation resistant” mechanisms that OMB says are now required to protect against phishing attacks. 

NIST expected to issue the newest version of their guidance on the issue—Special Publication 800-63-4—some time between the fall of 2021 and the spring of 2022, according to a roadmap last updated in August. The agency did not respond to requests for comment. But DeRusha weighed in.

“Identity is a key pillar of the U.S. government’s zero trust strategy, and a significant component of that is ensuring federal agencies use strong multi-factor authentication that defends against phishing, one of the most common enterprise threat vectors,” he told Nextgov. “To achieve this consistently, we expect that federal agencies will need to complement their use of PIV with devices that support FIDO2 and Web Authentication standards, while phasing out weaker approaches that provide less protection against real-world phishing campaigns.”

As agencies develop plans to comply with OMB’s instructions, the FIDO system, which Google introduced and implemented as a key part of “BeyondCorp” across its enterprise back in 2014, has made an impression with the security professionals in charge of shaping their internal processes as well.

“I've read up on Google's BeyondCorp, and that's been pretty good,” said Trafenia Salzman, security architect at the U.S. Small Business Administration. She was participating in a Sep. 9 ATARC webinar and responding to a question about useful resources for guiding zero trust implementation. 

At the same webinar, Davon Tyler, chief information security officer at the U.S. Mint, agreed. Asked to address those concerned implementation of the privileged access systems at the core of zero trust would hamper speedy development cycles, he added: “I would tell them ‘look at what Google is doing.’ I mean they've done it for years now, when it comes to agile and deploying new applications, new software leveraging zero trust. Their white paper is really well written to describe their journey towards it.”

The FIDO system also has traction within the Cybersecurity and Infrastructure Security Agency’s new cybersecurity advisory committee. Cybersecurity journalist Nicole Perloth and Alex Stamos, leader of the Stanford Internet Observatory and former Facebook security chief who now runs a consulting firm with former CISA Director Christopher Krebs, both endorsed more ubiquitous use of FIDO cryptographic keys during the committee’s first meeting earlier this month.

Industry and government panelists on the Sep. 16 ATARC webinar said bottlenecks at PIV and CAC issuing authorities, and the incompatibility of the cards with mobile devices that employees have become more reliant on while working remotely are some of the reasons agencies are starting pilots to see where FIDO2 can fill gaps in phishing-proof MFA. 

“FIDO2 is coming for the Army within two months,” said John Pretz, technical director and project officer for identity access management at the Army’s program executive office for enterprise information systems. “We're trying to implement it right now, everybody's trying to figure out how to deal with the different layers of MFA,” he said, adding that the Army has built an [identity credential access management] portal to manage various authentication devices in use by the military personnel and contractors. The Army announced its implementation plans for FIDO keys as an alternative authenticator back in April.

The FIDO2 enthusiasts noted another simple reason the system may never fully replace passwords: cost.

Pretz was wary that issuers of the keys might say, “‘Okay, you’re going to receive the first token free, but after that, if you lose it, you have to pay.’”

“The initiative to establish an acquisition vehicle to purchase a bulk of these tokens, that's what’s missing, too,” he said. “Because if we're talking enterprise, how are we going to have a cost model for enterprise accommodation when it comes to these tokens? That's where a lot of questions are coming now.”