The US Government’s Office of Management and Budget recently issued its Draft Zero Trust Strategy, which would require that Federal agencies only use multi-factor authentication that is phishing resistant. This strategy comes on the heels of a number of other actions from the Executive Office of the President including a cybersecurity executive order in May. This executive order directed federal agencies and those companies doing business with them to fully embrace a move toward modern, multi-factor authentication (MFA).
The sense of urgency we’re seeing from the U.S. government is no surprise. With high-profile incidents like SolarWinds and the Colonial Pipeline ransomware attack still fresh, these moves are another wake-up call on the importance of implementing phishing resistant technologies, including smart cards and FIDO2/WebAuthn.
We know the data breaches will keep coming. But the big question remains open: will this “get serious” moment spur the market to move closer to a world in which a single authenticator and credential is used across multiple applications?
Below, we walk through the critical needs, problems and solutions, and Yubico’s authentication innovation journey supporting these new directives.
Phishing – the single largest cyber threat
The vast majority of all cyberattacks, including ransomware, start with stolen login credentials. In a world that is moving to the cloud, our work, personal and government communication systems are now reachable by anyone on the internet. Of all the different cyber attacks, credential phishing is by far the largest problem.
On May 12, 2021, President Biden signed Executive Order (EO) 14028, one of the most detailed and comprehensive directives to address the risk of cyber attacks against the United States. One of the first actions was to mandate that all US government agencies implement multi-factor authentication (MFA) within 180 days. Those who cannot meet the November 8th deadline are required to provide reports every 60 days until they have fully deployed MFA.
The executive order also required the Office of Management and Budget (OMB) to develop a plan to implement a Zero Trust architecture and strategy. At a high level, this expands the security requirements beyond the IT system to every endpoint and user accessing the system. The Draft Federal Zero Trust Strategy that was released for public comment in September 2021 stated that MFA needs to be phishing resistant. The OMB stated, “agency systems must discontinue support for authentication methods that fail to resist phishing, such as protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.”
Phishing resistant MFA is based on public/private key cryptography: the authenticator signs a fresh challenge issued by the service, and there is no shared code or secret that an attacker could intercept and replay. The browser also binds each signature to the origin of the site the user is actually on, so an assertion obtained by a look-alike domain is rejected by the genuine one; the authentication can only succeed between the user’s device and the site they intended to reach. The phishing resistant technologies specifically named in the OMB strategy draft are PIV smart cards and the FIDO2/WebAuthn standard.
PIV smart cards – traditional and modern
Public Key Infrastructure (PKI), with the private key material held inside a hardware device, has been a cornerstone of secure systems for over 25 years. The technology is used not only to log in to computers but also in passports, credit cards, SIM cards and physical access control. PKI security continues to stand the test of time, but it is complicated to deploy even in centralized enterprise networks, and it has clear limitations for web and mobile authentication.
To help change that, Yubico contributed to the NIST special publication SP 800-157, which expands the PIV smart card trust model to other hardware devices through what are known as derived PIV credentials.
With the recent improvements to Apple’s CryptoTokenKit on iOS, users can use a derived PIV credential on a FIPS validated YubiKey to authenticate to both computers and iPhones over USB-A/USB-C, NFC and Lightning. The robust YubiKey design also provides strong authentication in harsh conditions and where smart card readers are not available or cannot be used. To further expand the use of smart cards, Yubico added device attestation, which lets a relying party verify that a key pair was generated on a genuine YubiKey, and a touch sensor, which confirms that a physically present user approved the operation.
WebAuthn & FIDO – the next generation phishing protection
Historically, implementing and deploying PKI-based schemes for web services has been complicated, resulting in a myriad of proprietary and incompatible solutions. To address this and ensure compatibility across platforms and devices, Yubico has been instrumental in creating the FIDO/WebAuthn open standards together with leading platform providers.
In 2008, we launched the YubiKey, the first USB security key, with a touch sensor to confirm user presence and no need for client software or drivers. We made it easy for service and software providers to support our invention by publishing free and open source servers. Two years later, to expand use across computers and phones and offer increased security, we started developing support for NFC and public key cryptography.
In 2011, Yubico began working with the Google security team to bring public key cryptography to the YubiKey. During these discussions, Yubico presented the new concept of enabling a security key, or other “light hardware” authenticator, to authenticate to any number of services without any shared secrets. Yubico’s invention was supported by cryptographic expertise from NXP, who also supported the idea of making it into a global standard. The protocol was further developed in collaboration with Google, who deployed it with YubiKeys for their employees.
In 2013, the protocol was contributed to the FIDO Alliance under the name U2F (Universal 2nd Factor). It later evolved into FIDO2, which adds passwordless login; its browser API was adopted by the W3C under the name WebAuthn, while the device protocol, CTAP, remains with the FIDO Alliance.
Yubico, the tech giants & the White House – phishing resistance at scale
The YubiKey, FIDO2 and WebAuthn are today supported by all leading platforms and browsers and hundreds of cloud and IAM services. Yubico, Google, Apple and Microsoft are core members of the WebAuthn technical working group. The YubiKey is today deployed with PIV and/or WebAuthn by 19 of the 20 largest US based Internet companies and IAM vendors. The majority of these customers are also Yubico partners and support the phishing resistant technologies proposed in the Federal Zero Trust Strategy.
With a strong desire by the White House to improve the security of American IT systems, President Biden met in August with the largest technology platforms and other leading firms supporting critical infrastructure. Shortly after that meeting, a White House fact sheet noted that AWS will be offering FIDO security keys to its administrators, because these keys provide strong protection from phishing attacks.
After 14 years of security innovation and 10 years of standards development, Yubico is uniquely positioned to deliver trusted, FIPS-validated, phishing resistant authentication solutions across devices and services. The demand from our customers and partners has never been higher. We have prepared for this day and have millions of YubiKeys ready to ship. This global phishing resistance movement could not have happened without the Yubico team, the tech giants, the US government and the global open standards community. We are excited to expand the concept of Zero Trust to the Key to Trust.
Sign up for the Yubico webinar on March 3, 2022, Securing America’s Supply Chain, to learn more about how organizations can adopt modern MFA best practices as a crucial element of Zero Trust, in order to secure critical infrastructure and supply chains and comply with White House Executive Order 14028, CMMC, and the July 2021 directive from the Transportation Security Administration.