A key element of the move to zero trust is the use of "strong multi-factor authentication (MFA) throughout their enterprise." While identity management has been indicated by many as the "low hanging fruit" of a zero-trust journey, it is by no means easy. In fact, recent guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) called it "notoriously difficult."
Key challenges to implementing MFA include:
- Lack of standards - the CISA/NSA guidance pointed to confusion over MFA terminology and vague policy instructions as primary challenges to implementing more secure access. A joint committee of European Union (EU) and U.S. experts addressed this same issue in the Digital Identity Mapping Exercise Report, which aimed to define specific digital identity technical terminology. For example, the group found some definitions, such as "authoritative source" and "authentication factor," are identical between the U.S. and EU, whereas others, like "identity" and "signature," remain only partially matched.
- Phishing - bad actors do not always hack the system; they hack the process, gaining entry through social-engineering tactics that grow more sophisticated by the day. The CISA/NSA report called on the vendor community to provide MFA services with additional investments and greater defenses against sophisticated attacks.
- Rise of Generative AI - the Department of Homeland Security (DHS) is working to ensure technologies can determine if a submitted image is legitimate or a hacker's spoof. This "liveness detection" is needed to ensure that a submitted selfie is really a photo of a person, not a mask, a photo of a photo, or another technique used to try to get past the check.
Future of Identity
PIV and CAC cards have long been accepted as an MFA practice in government, where individuals insert them into a machine and log on with an additional credential. These cards also provide physical access to buildings, making them an efficient security tool. However, these credentials frequently lack interoperability with modern cloud systems, requiring additional log-ons and access points. Additionally, issuing physical cards can take time, delaying users' ability to get on the systems they need to do their jobs.
A new standard, FIDO, is being introduced as a path forward for identity and access in government. FIDO relies on a physical token attached to a device or "platform authenticators" that are embedded into laptops or mobile devices. This protocol can offer both more security and a simpler user experience than multi-factor authentication. Products and services from dozens of manufacturers have received certification from FIDO. This approach to identity, alongside PIV and CAC use, may provide new layers of security and improve the user experience.
For more details on the evolution of identity management in government, check out these resources:
- The Value of Digital Identity Solutions for Tax and Revenue Agencies (March 12, 2024; webcast) - Each year, tax and revenue departments collect, verify, and store the personally identifiable information (PII) of millions of tax filers. This massive exchange of data puts both the agency and the individual at risk. This webcast will explore how to improve the speed and accuracy of identity authentication and how tax agencies can leverage digital identity solutions to detect and prevent fraudulent refunds.
- Strengthening Authentication for Federal Mandates (March 12, 2024; webcast) - This webinar will discuss the new Executive Order and OMB Memorandum and ways to continue hardening identity and access management.
- Identity Management Symposium (April 10-11, 2024; National Harbor, MD) - Join DoD, DHS, the Federal Government, and industry leaders in an open dialogue on the latest policy and technology developments impacting the identity and access management sector.
- The Changing Landscape of Identity Security (white paper) - Learn the ways that the evolving digital landscape is affecting identity protections, and the steps agencies can take to implement new solutions to protect users and systems from hostile activities.
- Transforming Government Experiences with Modern Identity (white paper) - Today, each government interaction typically requires a different credential, which forces users to create and manage accounts with multiple agencies. The public now expects seamless and secure digital experiences wherever they interact online. To meet these expectations and promote trust in government, modern identity solutions should be a part of every agency's modernization strategy.
- The Rise of Zero Trust (ebook) - Following recent guidance from CISA, governments at all levels are moving toward a zero-trust architecture, locking down their data, devices and cloud access, and strengthening identity and access management. This ebook discusses some of those efforts.
For more on identity management, explore additional events and resources on GovEvents and GovWhitePapers.