On October 4, 2023, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) published Identity and Access Management: Developer and Vendor Challenges, an advisory document developed by the Enduring Security Framework (ESF). The ESF is a CISA- and NSA-led cross-sector, public-private working group that works to address risks to U.S. National Security Systems and threats to critical infrastructure. This latest publication follows the ESF’s advisory on Identity and Access Management: Recommended Best Practices for Administrators, released earlier this year.
The guidance identifies technological gaps preventing effective implementation of Multi-Factor Authentication (MFA) and Single Sign-On (SSO) technologies. Both MFA and SSO can provide increased security when properly constructed and integrated; MFA technologies can significantly strengthen the authentication process while SSO can “raise the authentication assurance level required for initial sign on” and secure authorization information between systems. When improperly deployed, however, both technologies leave gaps that opportunistic threat actors can exploit.
The ESF identifies technical gaps and implementation challenges for both MFA and SSO technologies and provides recommendations to vendors and integrators seeking to close those gaps and develop new tools to address those challenges.
The publication identifies three types of challenges in MFA implementation: definitional and policy challenges in the vendor community, deployment and adoption challenges, and sustainment and governance challenges. It also suggests various solutions for vendors including:
· Creating standardized MFA terminology that provides clear, interoperable, and standardized definitions and policies.
· Mapping products to NIST requirements such as those articulated in NIST SP 800-63.
· Implementing phishing-resistant MFA technology based on public key infrastructure or FIDO2.
· Additional vendor investment in supporting high assurance MFA implementations for enterprise use on both mobile and desktop platforms in a maximally user-friendly flow.
· Offering default, secure, and easy-to-use configurations of MFA systems to consumers.
· Developing and adopting more secure tools to manage enrollment and credential lifecycle management.
· Developing tools for automatically discovering and purging enrolled MFA authenticators.
With respect to SSO technologies, the ESF identifies challenges in the areas of complexity and usability, standards improvement, and ecosystem integration. Proposed solutions include:
· Monitoring for insecure implementation of identity federation protocols and education to build awareness of the vulnerabilities inherent to insecure implementation.
· Implementing phishing-resistant MFA for admin-level accounts by default.
· Developing and supporting broad, industry-wide standards in the enterprise ecosystem.
· Developing modules and standards to address integration challenges at the vendor level – as opposed to the organizational level – to close capability gaps.
· Offering SSO capabilities as a stand-alone feature to make them more accessible to small and medium-sized businesses – and including SSOs in all pricing plans.
While the guidance is targeted at vendors, CISA encourages cybersecurity professionals more broadly to review the report and speak to their software vendors about ways to implement its recommendations.