FIDO Alliance releases U.S. government adoption guidance on FIDO authentication

Joe Scalone

Joe Scalone

3 minute read

Many federal agencies have been using FIDO authenticators to enable secure access to systems for a variety of use cases. However, they have been deployed in varied configurations and there was a lack of guidance on how to implement the credentials. With the release of a new whitepaper, FIDO Alliance Guidance for U.S. Government Agency Deployment of FIDO Authentication, federal agencies who are looking to issue FIDO-based, phishing-resistant multi-factor authentication (MFA) solutions, such as the YubiKey to augment existing Smart Card credentials, have some help. 

In collaboration with government and industry leaders, Yubico partnered with the FIDO working group to provide guidance to help agencies wanting to deploy FIDO authenticators as a phishing-resistant technology. The whitepaper highlights areas where FIDO offers the best value to address U.S. government use cases as an enhancement of existing infrastructure, while minimizing rework, as agencies advance their Zero Trust strategies with phishing-resistant authentication tied to enterprise identity. Additional important highlights include: 

  • Review of the policy and guidance that enables the use of FIDO technology
  • A look at what agency actions need to take place before deploying FIDO, including adopting single sign-on (SSO), implementing a Digital Identity Risk Assessment Process, and implementing an integrated identity lifecycle management program.
  • Review of the FIDO-specific architectural consideration and recommended agency actions
  • Details of the user journey for someone using a FIDO credential
  • Discussion of lessons learned from previous FIDO implementations

The U.S. government has been emphasizing the importance of using only phishing-resistant MFA for almost two years, dating to the January 2022 publication by the White House Office of Management and Budget (OMB) of Memorandum 22-09. While this OMB policy enables the use of authenticators that use the phishing-resistant FIDO2/WebAuthn standards, many agencies have been lacking guidance on how to actually deploy and manage them in a PKI-centric ecosystem. That’s where this new guidance will help. 

The document will help agencies seeking to deploy YubiKeys to employees and contractors as an additional authenticator alongside Personal Identity Verification (PIV) and Common Access Card (CAC), as well as those looking to issue YubiKeys to personnel who are not PIV or CAC eligible. This is the first in a series of documents the FIDO Alliance plans to release to support federal agency deployments. 

——

To read the full whitepaper from the FIDO Alliance, visit here. See how modern security is helping the Federal Government battle rising cyber threats in our new infographic here.

, ,
Talk to our teamTalk to our team

Share this article:
  • Yubico delivers PIN advancements with new YubiKey 5 – Enhanced PIN keysTo prepare for continuously evolving cyber threats, governments around the world are adapting and updating authentication requirements for online services which directly impact thousands of organizations and their employees. While there’s currently no universal regulation for more robust multi-factor authentication (MFA), the need is highlighted across a range of requirements including PSD2, GDPR, and the […]Read moreCompany NewsProduct NewsYubiKeyYubiKey 5 – Enhanced PINYubiKey 5 SeriesYubiKey as a Service
  • Yubico LogoYubico liefert PIN-Verbesserungen mit dem neuen YubiKey 5 – Verbesserte PIN-SchlüsselUm sich auf die sich ständig weiterentwickelnden Cyber-Bedrohungen vorzubereiten, passen Regierungen weltweit die Authentifizierungsanforderungen für Online-Dienste an und aktualisieren sie, was direkte Auswirkungen auf viele Unternehmen und deren Mitarbeiter hat. Zwar gibt es derzeit keine universelle Regelung für eine robustere Multi-Faktor-Authentifizierung (MFA), doch wird deren Notwendigkeit in einer Reihe von Anforderungen hervorgehoben, darunter PSD2, DSGVO […]Read moreYubiKey
  • An inside look at Yubico’s transition to passwordlessBefore “passkey” became a familiar term in our industry, Yubico had long delivered hardware-backed and phishing-resistant FIDO2 based authentication. Today, the adoption of passkey usage is accelerating. However, it’s taken quite a bit longer to integrate passwordless authentication into the everyday, enterprise-grade authentication flows that are required for today’s businesses.  As long as it’s been […]Read moreOktapasswordless
  • Mission matters – my reflections on winning the EY World Entrepreneur of the Year “This is the biggest mission any of the entrepreneurs have presented in this competition.”  I heard these words a few weeks ago from one of the judges for the EY World Entrepreneur of the Year award program – whom I had the honor to meet during the final step of the world’s largest entrepreneur competition.  […]Read moreawardsFounderStina Ehrensvard