This week saw the FIDO Authenticate conference take place in Seattle. I attended via the virtual remote route, going through the vast majority of the sessions from the comfort of the office. A few items stood out for me.
How to Improve MFA Adoption?
A clear rallying call from many of the talks was that, yes, MFA understanding is mature in many large enterprises and in public-facing, social media and consumer projects, yet adoption rates still need improving. A large component of the narrative was still about raising awareness of the benefits, case studies of how to roll out large-scale MFA, and the near-continuous commentary on the obvious vulnerabilities associated with passwords. The audience seemed to be primarily IAM practitioners. Is it time these messages were crafted for different audiences, such as enterprise architects, digital owners, information leaders and application owners?
Strong MFA Trumps Pure Passwordless
We all hate passwords. End users, application engineers, identity folks, you name it. The Cyber Hut has researched this area extensively in the last 12 months (see our buyer guide and Signals Tracker), yet it seems passwordless flows in their entirety may still be a luxury. The ability to implement strong MFA that overlays existing shared-secret infrastructure, for both consumer and workforce ecosystems, seems to be the main priority.
Cryptographic challenge-response authentication is by far more secure than passwords. Alas, not all authentication techniques are entirely secure. An interesting potential attack vector is to manipulate the public key mappings on the identity profile. The identity store contains a reference to the public key that is used to verify proof of possession of the corresponding private key. What if that public key were switched? If adversary Bob manages to gain access to the profile store and replace target Joe’s public key with his own, an authentication challenge issued to Joe can be successfully responded to by Bob, allowing Bob to effectively use that session or post-authentication flow. How many organisations can identify that this has happened (activity logging), or indeed prevent it from happening in the first place (write restrictions, integrity protection of entries)?
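As an added illustration (not from the post), one way to get the "integrity protection of entries" and "activity logging" asked for above: MAC each (user, credential, public key) binding with a key the profile store itself never holds, and refuse and log any entry whose tag no longer verifies. Everything here is constructed for the example; the key bytes, user names and the `ProfileStore` class are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed example: the integrity key is assumed to live outside the profile
# store (HSM/KMS), so an adversary with write access to the store cannot forge tags.
INTEGRITY_KEY = b"constructed-demo-key-replace-with-kms-held-secret"


def binding_tag(user_id: str, credential_id: str, public_key: bytes) -> str:
    """MAC over the whole binding, so swapping the key, or copying a valid
    (key, tag) pair from another user's record, both fail verification."""
    msg = json.dumps({"user": user_id, "cred": credential_id,
                      "pk": public_key.hex()}, sort_keys=True).encode()
    return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).hexdigest()


class ProfileStore:
    """Identity store keeping public-key bindings plus an audit trail."""

    def __init__(self) -> None:
        self.entries: dict = {}   # user_id -> {"cred", "pk", "tag"}
        self.audit_log: list = []

    def enrol(self, user_id: str, credential_id: str, public_key: bytes) -> None:
        self.entries[user_id] = {"cred": credential_id, "pk": public_key,
                                 "tag": binding_tag(user_id, credential_id, public_key)}
        self.audit_log.append(("ENROL", user_id, credential_id))

    def key_for_challenge(self, user_id: str):
        """Public key to verify a challenge response against, or None when the
        stored binding fails its integrity check (an alert is logged instead)."""
        e = self.entries[user_id]
        expected = binding_tag(user_id, e["cred"], e["pk"])
        if not hmac.compare_digest(expected, e["tag"]):
            self.audit_log.append(("INTEGRITY_FAIL", user_id, e["cred"]))
            return None
        return e["pk"]


def swap_demo() -> bool:
    """Simulate the key swap: a raw write to Joe's record is caught before use."""
    store = ProfileStore()
    store.enrol("joe", "cred-joe-1", b"\x01" * 32)   # constructed key bytes
    store.enrol("bob", "cred-bob-1", b"\x02" * 32)
    store.entries["joe"]["pk"] = b"\x02" * 32         # Bob's key written over Joe's
    return store.key_for_challenge("joe") is None
```

Because the user id is part of the MAC input, copying Bob's entire valid record (key and tag) over Joe's also fails the check.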
NIST Identity Guidelines Updates
The NIST 800-63 series of documents has been a mainstay not just for US federal implementations of identity, but for many private sector organisations looking for a model for authentication, proofing and federation. The documents are in the process of being updated. It seems the main structure will remain, but with an increased focus on real-world implementations, counter-phishing and fraud points (with a focus on continuous security), the risk to the individual (as opposed to just organisational risk), and improved biometric performance requirements.
Phishing Resistance – Definitions
Back in January, the US Office of Management and Budget released a memo regarding the move to adopting zero trust principles. The TL;DR was essentially: “…Agencies must use strong MFA throughout their enterprise. MFA must be enforced at the application layer, instead of the network layer. For agency staff, contractors, and partners, phishing-resistant MFA is required. For public users, phishing-resistant MFA must be an option.” This prompted nearly every MFA provider on the planet to say they were phishing resistant and that buying them alone would solve the world’s authentication problems. The definition of phishing (and so of phishing resistance) came under a bit of a spotlight during the Authenticate event. Does it mean replay attack prevention? Does it mean the prevention of credential theft? Does it mean preventing a response to an authentication challenge from an unverified website or relying party? My money is on the latter, but the debate is seemingly ongoing.
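As an added example (not from the post) of what the third definition means mechanically in FIDO2/WebAuthn: the browser writes the page origin into clientDataJSON and the authenticator scopes the credential to the RP ID, so a relying party that checks both rejects a response collected on any other site, and the challenge check covers the replay case too. The RP ID, origins and challenge are constructed placeholders; the signature check that follows these steps in a real RP is omitted.

```python
import base64
import hashlib
import json

# Constructed RP identity; placeholders, not a real deployment.
RP_ID = "example.com"
ORIGINS = frozenset({"https://login.example.com"})


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes, rp_id: str,
                            allowed_origins: frozenset) -> tuple:
    """Relying-party checks that bind a response to this RP and this challenge.
    Signature verification over authenticatorData || SHA-256(clientDataJSON)
    follows in a real RP and is omitted here."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch: stale or replayed response"
    if cd.get("origin") not in allowed_origins:
        return False, "origin not registered for this RP"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this RP"
    return True, "bound to this RP and challenge"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as the browser assembles it for the page origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash (32) + flags (1, UP set) + signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")


def demo() -> tuple:
    """Genuine response from the registered origin vs one collected on another site."""
    challenge = b"\x5a" * 32   # constructed; a real RP generates a fresh random challenge
    genuine = check_assertion_binding(make_client_data("https://login.example.com", challenge),
                                      make_auth_data(RP_ID), challenge, RP_ID, ORIGINS)
    other = check_assertion_binding(make_client_data("https://login.example.net", challenge),
                                    make_auth_data("example.net"), challenge, RP_ID, ORIGINS)
    return genuine, other
```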
Maturity and Assessment
Authentication has been around since the dawn of commercial computing, alas with the dreaded username and password or PIN. With the movement towards ubiquitous MFA, it seems a nascent demand for maturity assessments and frameworks may be emerging. It’s an area The Cyber Hut are investing in, and we will be releasing an Authentication Assessment solution in Q1 2023 to address the technical training, framework and workshop-led analysis required to discover, design and procure authentication systems. The assessment aspects emerging this week tended to focus on the discovery of users (high risk, and the impact of them being breached) versus the level of security available in the authentication modalities chosen for them. It’s an area we’re researching in detail, so watch this space.
Another topic that caught my eye was the two or three talks by Microsoft, Google and others on passkeys: the ability to provide backup and sync capabilities alongside the typical device-specific focus of FIDO2. It seems (quite logically) that each provider will have their own passkey implementation, and the discussions were typically around what passkeys are, how they work and how to implement them. The passkeys.dev site has some nice material, with videos and detailed documentation, that explains this better than I could.