US cyber safety board wants feds more involved in eliminating passwords
A U.S. cybersecurity agency has issued a full-throated endorsement of private – namely FIDO Alliance — and government standards-making to end the use of passwords once and for all.
It is calling for a significant change in how government has interacted with the data industry since at least the birth of the public internet.
Members of the Cyber Safety Review Board have published a far-reaching report calling for, among other things, national rules to safeguard identity. They are calling for a “secure authentication roadmap.”
A lack of universally adopted standards is a situation that U.S. government and businesses can no longer tolerate. The review board is a body with the Cybersecurity & Infrastructure Security Agency.
The board writes that the “roadmap should include standards and frameworks, guidance, tools, and technology specific to organizations’ needs and circumstances that account for size, industry, threat profile, as well as privacy and civil liberties considerations.”
While the federal government creates or adopts all kinds of standards for industry – for drinkable water, for instance – it has largely left the information technology industry to compete its way to effective digital identity standards. That’s especially true with foundational matters requiring coordination.
It’s doubtful the executive, legislative or even judicial branches will go along with the proposed activist role in an age when state and local governments are buffeted by fractious electorates who do not even agree on the danger of Covid.
That probably leaves CISA officials doing what they can to support the FIDO Alliance and like organizations.
The review board calls for application developers to make consumer devices FIDO2 compliant with hardware-backed components by default, for example.
Another guideline mentioned, this one aimed at reducing social engineering, is to make it a requirement to create an explicit authentication process using FIDO2-compliant tokens or other phishing-resistant multi-factor authentication methods.
Article Topics
cybersecurity | FIDO2 | multifactor authentication | passwordless authentication | passwords
Comments