Are feds ready for FIDO?

A Defense Department Common Access Card.

A Defense Department Common Access Card. U.S. Air Force photo by Airman 1st Class Scott Warner

The multifactor authentication standard is having a moment, but feds shouldn't expect to be able to ditch PIVs and CAC cards any time soon.

Last year, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, urged business leaders to use the phishing-resistant authentication standard developed by the FIDO Alliance, calling it the “gold standard” for multifactor authentication and “the only widely available phishing resistant authentication.” 

Using FIDO relies on a physical token attached to a device or “platform authenticators” that are embedded into laptops or mobile devices. The FIDO Alliance, the industry association behind the authentication standard, says that the protocols offer both more security and a simpler user experience than multifactor authentication that relies on a password plus a second form of authentication vulnerable to phishing attacks. Products and services from dozens of manufacturers have received certification from FIDO.

A white paper released Oct. 13 explains how federal agencies can adopt FIDO credentials internally as the government moves toward zero-trust architecture, a security policy requiring continual verification of users, devices, applications and transactions as people access government systems and networks. 

The paper, which was written by a committee set up by the FIDO Alliance at the request of the Office of Management and Budget and CISA itself, describes government use cases for FIDO authentication and outlines considerations for agencies wanting to use them as they implement zero trust cybersecurity. 

Under the 2022 zero-trust implementation memo, agencies are required to use phishing-resistant multifactor authentication for staff, contractors and partners. Accounts with weaker controls are more vulnerable to phishing scams according to recent guidance from CISA and other agencies. 

Feds shouldn’t expect to ditch their personal identity verification or common access cards anytime soon, though — the paper’s authors focus on FIDO credentials as an addition, not replacement, to the smartcards that have been around for nearly two decades.

However, adding FIDO credentials will present logistical challenges for agencies used to relying on existing infrastructure for smartcards. PIV and CAC cards also do some things that FIDO credentials aren’t meant to do, like acting as a badge for physical access control.  PIV and CAC cards are designed so that when they are removed from a computer, the device locks. FIDO standards don’t include this function.

FIDO credentials could be used by feds who aren’t PIV-eligible, are waiting for their PIV to be issued or work remotely, the new paper states.

Right now, agencies often rely on a username and password alone or a password with a weak form of authentication for those that don’t have a smartcard, or for applications that don’t easily work with such cards, said Jeremy Grant, managing director in Venable’s cybersecurity practice, and an advisor to the FIDO Alliance. 

“That exposes you to a lot of types of attacks,” he noted.

FIDO could be a model for the future of work and technology, Grant said. “PIV and CAC don’t go all the places that your employees need to go, and they don’t work on all the devices and all the apps that they need to work on.”