How to Overcome the Three Main MFA Challenges Identified by NSA and CISA
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), along with industry partners, recently collaborated on a report, “Developer and Vendor Challenges to Identity and Access Management,” designed to provide developers and vendors of multi-factor authentication (MFA) and single sign-on (SSO) technologies with recommendations to overcome gaps in their products. The report details three main MFA challenges, which dovetail with what we’re seeing in the industry – warranting a deeper discussion on each as well as key takeaways.
Challenge 1: MFA Definitional and Policy Challenges
Takeaway: There is so much noise and so many false claims around MFA that the market is confused.
The report’s section on “MFA Definitional and Policy Challenges” focuses on the confusing terminology and inconsistency in MFA product naming, which makes it difficult for buyers to understand what they are actually purchasing. For example, the report notes “two-factor authentication,” “2-step verification,” and “multi-factor authentication” are all terms used to describe similar capabilities.
Further, MFA vendors often don’t publicize what type of authentication mechanisms are available in their solutions or map their products to compliance requirements and frameworks, such as National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63, which classifies the strength of authenticators using “Authenticator Assurance Levels” (AAL). SP 800-63 is a key MFA framework, and NIST notes that MFA is required at AAL2 and AAL3.
Most organizations recognize that passwords are no longer secure, so many want to implement some form of MFA. But with so many different options to choose from and no industry standard, many don’t know which is best for their business or which fits their security needs. The report thus notes:
“Organizations often turn to forms of MFA believed to be easy to deploy, such as those based on short messaging service (SMS), without careful evaluation of the relative security differences between MFA options. There is a need for clarity, interoperability, and standardization amongst MFA variations to allow organizations to make value comparisons and to integrate these solutions into their environment.”
In summary, every vendor claims to be secure and user friendly, but buyers don’t know what’s true, and there are no industry standards on product naming and security requirements to help them. We, as an industry, need to simplify the purchasing process for buyers by aligning on authentication terminology, doing a better job of outlining which credentials our solutions support, and publicizing which NIST SP 800-63 AAL our products meet.
Challenge 2: MFA Adoption Challenges
Takeaway: Increasing adoption of strong MFA requires the industry to offer organizations passwordless, phishing-resistant authentication as an extension of existing IAM infrastructure.
The report section on “MFA Adoption Challenges” discusses the fact that not all IAM vendors provide support for all forms of MFA. So, for example, an organization can identify one method – let’s say PKI and FIDO2 authentication – but then realize its current IAM infrastructure or SSO products don’t support these technologies.
Speaking of PKI and FIDO2, the report specifically states: “One such issue is support for the strongest forms of MFA, such as those based on PKI and FIDO2 standards, in vendor products. Most IAM vendors offering SSO products support both PKI and FIDO2 authentication, but some do not. And even where such support exists, it is often incomplete.”
In this situation, organizations are faced with two options:
- Rip and replace their existing investments, which isn’t entirely realistic or good for the bottom line, or
- Scrap the MFA plan and stick with their existing password-based approach or traditional MFA model, which puts the organization at risk.
The reality that not all IAM vendors or SSO tools support all forms of MFA should not mean more money or inaction for organizations. The industry needs to offer solutions that give companies the authentication capabilities they’re looking for while leveraging the IAM technology they’ve already invested in. This is the only way to boost the adoption of strong MFA, such as passwordless, phishing-resistant authentication – which is what is now needed to defend against today’s advanced cybercriminals.
Axiad Cloud does just this with its Certificate-Based Authentication for IAM (CBA for IAM) offering. CBA for IAM supplements existing IAM ecosystems with unified passwordless authentication. There’s no rip and replace needed. Customers simply fortify their IAM investments by adding enterprise-grade passwordless and phishing-resistant MFA on top. There is no better way to bolster security while getting more out of existing technology.
Challenge 3: MFA Sustainment and Governance Challenges
Takeaway: Organizations need to make sure all aspects of credential lifecycle management are fully addressed while also offering self-service capabilities.
The last report section on MFA challenges, titled “MFA Sustainment and Governance Challenges,” addresses the process of managing MFA throughout the credential lifecycle, including when employees join and leave an organization. The report notes:
“All types of authentication credentials – including passwords – must be directly associated to user identities and their directory accounts. Robust management of this process, which is often called ‘credential lifecycle management’, is often lacking in available MFA solutions.”
The report states that many types of MFA rely on user self-enrollment, which requires one-time enrollment codes that can be susceptible to compromise. It also recommends enhancements in tools used to discover and terminate MFA authenticators that haven’t been used in a while as well as those where usage deviates from normal behavior patterns.
The point here is that MFA is only the first step for organizations in their authentication journey. The seamless management of those credentials is a critical second step. If a user doesn’t have a credential when it’s needed, they can’t authenticate, slowing productivity for employees and adding work for IT teams. When IT teams have to manually analyze user behavior and revoke authenticators at the end of a credential lifecycle, there can be a gap between when action should be taken and when it actually is – introducing security risks.
To combat this challenge, organizations need to operationalize authentication management like they would any other IT process. They can do this by implementing end-user self-service for the entire authentication management lifecycle, including provisioning authenticators, enrolling credentials, and managing account recovery and renewals.
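The report’s recommendation to discover and terminate authenticators that haven’t been used in a while, or whose usage deviates from normal patterns, is something a governance team can automate. The following is an added example written for this article, not code from the report or from Axiad’s products. It assumes a constructed authenticator inventory export (owner, authenticator id, type, enrollment time, last-use time, owner account status) and a constructed stream of authentication events, and applies three policy checks: authenticators belonging to deactivated accounts, authenticators unused past a stale threshold (or never used after an enrollment grace period), and authenticators whose current-week usage exceeds several times their historical weekly rate. The thresholds are assumptions to be tuned per organization.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Authenticator:
    """One row of a (constructed) authenticator inventory export."""
    user: str
    authenticator_id: str
    kind: str                      # e.g. "fido2", "piv", "totp", "sms"
    enrolled_at: datetime
    last_used_at: Optional[datetime]
    account_active: bool           # owner's directory account status


# Policy thresholds (assumed values, tune to the organization).
STALE_AFTER = timedelta(days=90)        # unused this long -> candidate for revocation
NEVER_USED_GRACE = timedelta(days=14)   # enrolled but never used beyond this -> review


def review_authenticators(inventory: Iterable[Authenticator], now: datetime) -> List[Tuple[str, str]]:
    """Return (authenticator_id, reason) pairs for authenticators that should be revoked or reviewed."""
    findings = []
    for a in inventory:
        if not a.account_active:
            # Leaver: every credential tied to a deactivated account must go.
            findings.append((a.authenticator_id, "owner account deactivated"))
        elif a.last_used_at is None:
            if now - a.enrolled_at > NEVER_USED_GRACE:
                findings.append((a.authenticator_id, "enrolled but never used"))
        elif now - a.last_used_at > STALE_AFTER:
            findings.append((a.authenticator_id, "unused for more than %d days" % STALE_AFTER.days))
    return findings


def usage_deviations(events: Iterable[Tuple[str, datetime]], now: datetime,
                     current: timedelta = timedelta(days=7),
                     history: timedelta = timedelta(days=63),
                     floor: int = 5, factor: float = 3.0) -> List[Tuple[str, int, float]]:
    """Flag authenticators whose use in the current window exceeds both an absolute floor
    and `factor` times their average weekly use over the preceding history window.
    Returns (authenticator_id, current_count, baseline_per_week)."""
    current_counts = defaultdict(int)
    history_counts = defaultdict(int)
    for auth_id, ts in events:
        age = now - ts
        if age < timedelta(0):
            continue                      # ignore clock-skewed future events
        if age <= current:
            current_counts[auth_id] += 1
        elif age <= history:
            history_counts[auth_id] += 1
    weeks = (history - current) / timedelta(weeks=1)   # 8 weeks of baseline
    flagged = []
    for auth_id, cur in current_counts.items():
        baseline = history_counts[auth_id] / weeks
        if cur > max(floor, factor * baseline):
            flagged.append((auth_id, cur, baseline))
    return flagged


# ---- constructed sample data -------------------------------------------------
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
_d = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)

SAMPLE_INVENTORY = [
    Authenticator("alice", "auth-fido-001", "fido2", _d(2023, 1, 10), _d(2024, 6, 28), True),   # healthy
    Authenticator("alice", "auth-totp-002", "totp", _d(2023, 1, 10), _d(2024, 1, 15), True),    # stale
    Authenticator("bob", "auth-piv-003", "piv", _d(2024, 5, 1), None, True),                    # never used
    Authenticator("carol", "auth-fido-004", "fido2", _d(2022, 3, 1), _d(2024, 6, 20), False),   # leaver
    Authenticator("dave", "auth-sms-005", "sms", _d(2024, 6, 25), None, True),                  # inside grace
]


def _weekly(auth_id: str, per_week: int, now: datetime) -> List[Tuple[str, datetime]]:
    """Constructed baseline: `per_week` events in each of the 8 weeks before the current week."""
    return [(auth_id, now - timedelta(days=d, hours=1)) for d in range(8, 64, 7) for _ in range(per_week)]


SAMPLE_EVENTS = (
    _weekly("auth-fido-001", 2, NOW) + [("auth-fido-001", NOW - timedelta(days=i)) for i in (1, 2, 4)]
    + _weekly("auth-fido-006", 1, NOW) + [("auth-fido-006", NOW - timedelta(hours=h)) for h in range(1, 13)]
    + [("auth-sms-005", NOW - timedelta(days=i)) for i in (1, 2, 3, 4)]   # new, low volume: under the floor
)

if __name__ == "__main__":
    for auth_id, reason in review_authenticators(SAMPLE_INVENTORY, NOW):
        print("REVOKE/REVIEW", auth_id, "-", reason)
    for auth_id, cur, base in usage_deviations(SAMPLE_EVENTS, NOW):
        print("DEVIATION", auth_id, "- %d uses this week vs %.1f/week baseline" % (cur, base))
```

Run against the sample data, the inventory review flags the stale TOTP token, the never-used PIV credential and the leaver’s FIDO2 key, while the healthy key and the freshly enrolled authenticator pass; the usage check flags only the authenticator whose weekly use jumped from one to twelve. In practice the inventory and event stream would come from the IdP’s reporting API or SIEM, and the output would feed a ticket or an automated revocation rather than a print statement, which is exactly the gap between “should act” and “did act” that the text describes.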
Axiad Cloud offers these capabilities today, including:
- Axiad AirLock, which provides help desk automation by eliminating temporary passwords and offers self-service credential enrollment.
- Axiad MyCircle, which provides self-service account recovery within a trusted circle of colleagues rather than waiting for the help desk to respond.
- MyIdentities, which enables self-service authenticator lifecycle management.
These self-service capabilities not only bolster organizations’ security posture, but also help to increase operational efficiencies for users and IT teams, and reduce overall costs.
The Future of MFA
While the challenges outlined by the NSA and CISA are very real, the good news is that they are all areas that can be addressed and improved over time. By aligning on authentication terminology, offering solutions that work with existing IAM systems, and providing self-service credential lifecycle management tools, vendors can help organizations realize a safer and more secure future with strong MFA.