Digital IDs mean manageable and critical change, FIDO tells US federal security leaders
Clearly appreciating that it was selling digital authentication to data-security officials in the inertia-guided U.S. federal bureaucracy, a FIDO Alliance panel speaking in a webinar spent a lot of time telling them not to panic.
New anti-phishing procedures are on the way, the panel said, but they come with practical levels of flexibility and don’t require replacing time-honored personal ID verification (PIV) credentials and common access cards.
The alliance members, in an accompanying white paper, stipulated that implementing single sign-on, life-cycle management, and digital identity risk assessments “are table stakes for federal zero trust implementations and prerequisites for U.S. government FIDO deployments.”
The panel discussion followed publication of the white paper, which is both detailed and high-level, giving bureaucrats guidance in deploying FIDO authentication. Both are results of a request by the White House to help accelerate FIDO systems and processes.
What has been delivered is more nuanced.
If PIV and CACs are already meeting your needs, that’s great,” said Tom Clancy, an engineer with government researcher Mitre and a panelist.
“Think about FIDO authentication as a replacement for phishable authentication,” Clancy said, “not as a replacement for PIVs and CACs.”
The white paper states that the goal should be “narrowing” what methods government employees use for multi-factor authentication. A better way of putting it would limiting ineffective tactics.
Digital ID credential and access management should include any step that is resistant to phishing, a component of the government’s zero trust strategy.
Agencies need to figure out which FIDO authenticator best fits their needs, said Zach Martin, a panelist and senior policy advisor at the law firm Venable.
Clancy and Martin were joined on the webinar’s panel by Teresa Wu of Idemia, who is also co-chair of the FIDO Alliance’s Government Deployment Working Group, Lisa Palma of LC&J Security Solutions and Joe Scalone of Yubico.
The report recommends that agencies run pilots for new-to-them authenticators and make sure processes including credential revocation and access control are effective.
Digital ID risk-assessments, or DIRAs, also have to be implemented as repeatable ways to judge anti-phishing procedures for multiple resources in various contexts.
Clancy said the DIRA process is especially important when implementation runs aground on cultural barriers.
Clancy said staff may push false choices, like that PIV cards and passwords are the only options. A risk assessment will provide a more objective, open-ended view of alternatives.
Indeed, he said that “in some agencies, there is a reluctant to approve alternatives.” That could be “contributing to a reliance on waivers or unsafe authentication” like passwords.