Top US security agencies want IAM vendors to do more on MFA, SSO
Two of the United States’ top security agencies are recommending seven general best practices for digital identity and access management (IAM) developers and integrators of multi-factor authentication and single sign-on features.
The National Security Agency and the Cybersecurity and Infrastructure Security Agency (the NSA and CISA) published the short list as part of a larger report on major but addressable industry challenges.
The first of the seven recommendations is obvious and yet absent from most discussion about rebuffing attacks: Speak the same language.
An inexact lexicon, officials say, is holding back MFA progress: “clear, interoperable and standardized definitions and policies” depend on standard terminology. More specifically, the agencies encourage developers and integrators to map their products to NIST requirements, singling out SP 800-63.
Second, address a “lack of clarity” related to the security properties some MFA implementations provide.
Phishing-resistant authenticators (FIDO2/WebAuthn security keys and PKI-based smart cards are the usual examples) are needed for more use cases, and in simpler, standardized forms, to speed up adoption. They could be built into operating systems, for example.
Third, move away from an overreliance on self-enrolment and single-use enrolment-code flows, which the report treats as an accident waiting to happen, especially in the enterprise. Tools for cleaning up MFA authenticators that were enrolled but have since gone idle would also be a good idea, according to the report.
Fourth, the industry must also address the current tradeoff between SSO complexity and functionality. What is needed is secure-by-default SSO that is easy to use.
The industry could also play an active role in identifying insecure identity federation protocols and in getting more vendors focused on the issue.
Fifth, improve the open standards already deployed across identity. Without suggesting how, the agencies want developers and integrators to “implement broader support for the development of enterprise ID standards.”
Sixth, the industry should build an open-source repository of modules and patterns that are based on open standards and can break down integration challenges.
Last, IAM developers and integrators need to make SSO capabilities accessible to smaller organizations. They could bundle organizational SSO into pricing plans for all customers, not just the enterprise tier.
“Considering these guidelines, businesses must pivot toward integrating biometric authentication, such as facial or voice recognition, into their MFA process,” says Eduardo Azanza, CEO of Veridas, in a comment emailed to Biometric Update. “Facial and voice recognition offer a multifaceted solution that addresses both security and user experience concerns. They are a convenient yet highly secure means for users to verify their identity without the need for external validation codes or passwords, which often lead to frustration among individuals.
“However, it is important for businesses to choose vendors that are in alignment with certifications such as NIST, which evaluates the quality and security of their technologies,” Azanza adds. “With the best biometric technology, businesses can significantly improve their MFA methods and overall improve their cybersecurity posture.”