Sunday, April 28, 2024

NSA- and CISA-Led Panel Releases Report on Developer and Vendor Challenges to Identity and Access Management

Sophisticated phishing attacks even have the ability to bypass basic MFA forms, because not all forms of MFA offer the same level of protection.

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and industry partners have released a cybersecurity technical report (CTR), “Developer and Vendor Challenges to Identity and Access Management,” to provide developers and vendors of multi-factor authentication (MFA) and single sign-on (SSO) technologies with actionable recommendations to address key challenges in their products.

The report was developed by an NSA- and CISA-led working panel through the Enduring Security Framework (ESF), a public-private cross-sector working group that provides cybersecurity guidance addressing high-priority threats to the nation’s critical infrastructure.

The co-authors observe that the increase of multi-computer use has led to vulnerabilities in access management and identity verification, creating risk for computer systems and information, one of the most critical resources for any organization. Cyber criminals continue to refine their methods and approaches as the cyber landscape evolves. A significant portion of breaches result from the misuse or manipulation of digital identities, including stolen credentials and phishing, or from the exploitation of vulnerabilities.

Following these general observations, the report proceeds in greater detail. User names and passwords are no longer enough to keep systems secure. Sophisticated phishing attacks even have the ability to bypass basic MFA forms, because not all forms of MFA offer the same level of protection. For example, malicious actors can intercept one-time codes in real time and then use them to authenticate identity on systems.

Specifically, the CTR outlines the following challenges:

  • Ambiguity with MFA terminology
  • Lack of clarity on security properties
  • Reliance of MFA on self-enrollment by the user and “one time enrollment code flow”
  • Tradeoff between SSO functionality and complexity
  • Improvements necessary to standards throughout the identity ecosystem
  • Knowledge base for the integration between existing architectures and legacy applications
  • SSO capabilities often bundled with high-end enterprise features making them inaccessible to small and medium businesses

The guidance details each of these challenges and provides recommendations for developers, vendors, and security professionals to help better protect their organizations and partners.

Read the full report now.

Read more at NSA

Homeland Security Today
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.