The recent Colonial Pipeline hack once again put the importance of Multifactor Authentication (MFA) front and center for cybersecurity. President Biden’s executive order to promote the U.S.’ cybersecurity mandates MFA and encryption – a first for the public sector, and a signal for how foundational MFA is in developing an organization’s security stance.
The order is an important step in protecting U.S. agencies and the data that they work with. But agencies will likely be left to deploy the most common form of MFA used in the public sector today: Public Key Infrastructure (PKI). PKI is either the most celebrated or most dreaded term when it comes to discussing what’s next in the public sector identity security space. On the one hand, certificate-based authentication that relies on PKI has long been celebrated as the most secure method of authentication given its level of assurance (LOA). On the other hand, PKI infrastructure comes with high implementation costs. It’s also characterized by several burdensome limitations that restrict what the end-user can do with traditional PKI authenticators (smart cards), particularly when using PKI with modern devices.
We’re celebrating 60 years of PKI being used to authenticate public sector identity (and 50 years of usage in the commercial sector). That’s an extraordinarily long lifespan for any technology, particularly one that’s central to securing an organization’s assets.
So why has our sector struggled to increase the adoption of a more modern and preferred authentication standard to replace PKI as the most secure MFA?
An easy answer would be to point to PKI’s LOA and claim that no alternative meets the security requirements that it fulfills. But that real answer may simply be that we’ve forgotten that security is usually solved by an ecosystem of solutions – not one dominant standard.
PKI meets the highest LOA in both categories:
- A resource owner can assume that a specific known person is associated with certain credentials issued by a registration authority, and
- That person presented their credentials and is in control of their credentials in order to access the resource.
However, PKI has its own problems related to assurance. While the PKI certificate is tied to a verified identity, verifying that identity is generally conducted in person, at the initial point of certificate generation. Think showing up for a new job, filling out a form, and getting a picture taken for your badge. That’s a good way to begin provisioning access, but it does not easily scale and results in a significant amount of overhead, to the point that it has become a subindustry within government IT services. This gold standard of security also does not account for continuous identity verification for threat reduction as it doesn’t monitor user behavior.
FIDO: The modern way to MFA
PKI aligned with in-person identity verification and tended to work best when a user showed up in person to clear their credentials and gain access to the resources they needed to do their work. But as enterprises have moved more resources to the cloud, and the prevalence of remote work increased, another security protocol has steadily gained traction – Fast Identity Online (FIDO).
FIDO is different from PKI in that a FIDO credential is not always tied to a verified identity. Instead, it is tied to an authentication flow; that authentication flow may or may not be tied to a verified identity. The LOA depends on how a user’s identity is verified at the time of enrolling for a FIDO credential. This means that there are times when FIDO does not support the highest-level LOA enterprise use cases. However, FIDO tends to be easier to use, less expensive to implement and provides a layer of MFA to secure operations. Convenience is key to authentication: if the solution works for users, they’re more likely to use it rather than try to find ways around it.
In judging these tradeoffs, it’s important to remember that the security space is an ecosystem. PKI’s 60-year dominance is unusual, and in many cases led to a one-size-fits-all approach that doesn’t adequately address most use cases and resulted in high maintenance costs for legacy infrastructure. While FIDO is not natively tied to a verified ID, several other techniques, including ID document verification, behavior-based user verification, biometric verification, and similar solutions have gained traction in our remote world. Each of these has a more sophisticated ability to provide continuous identity verification alongside FIDO, resulting in an increasingly more secure MFA scenario compared to PKI.
We’ve already seen FIDO evolve from supporting primarily web-based resources to end-user-device log-in and on-premise apps. We expect that FIDO will continue to make advancements to its technology to cover more users and use cases. By combining these innovations with an inherently cost-effective FIDO infrastructure and support that eliminates service desk costs associated with identity binding, rebinding, and password resets, we believe that FIDO will become the most appealing modern MFA for security-conscious enterprises. It is no secret that any Enterprise IT Transformation initiative is a multi-year project.
By mandating MFA, the U.S. government has taken an important first step in securing the public agencies that so many of us rely on. But like any complex organization, public agencies should consider solutions that maximize their investments and can adapt to support long-term changes.
With the increase in recent cyber incidents, the time to modernize your identity management infrastructure is now. With a variety of multiprotocol authenticators out in the market, enterprises can begin with a hybrid protocol approach, both securing and decreasing the total cost of ownership for their identity solution, while also feeding the requirements to the cybersecurity industry, which will continue to mature the technology.