In a recent blog post, Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency (CISA) explained that for Cybersecurity Awareness Month she has been traveling the country promoting cybersecurity best practices, explaining the steps that everyone can take to stay safe online, and stressing the importance of enabling multi-factor authentication on email accounts, bank accounts, social media accounts, and any other accounts that contain sensitive data. “Enabling multi-factor authentication is the single most important thing Americans can do to stay safe online,” said Easterly.
When multi-factor authentication is enabled, a username and password are no longer sufficient to gain access to an account. An additional factor must be provided before access to the account is granted. This security measure is important, as passwords may be guessed or stolen, and phishing and brute force attacks are increasing. Despite MFA being an important security feature that can prevent unauthorized account access, MFA has still not been widely adopted. Many vendors make multi-factor authentication a consumer choice, rather than making it the default option. Easterly believes vendors should “forcefully nudge” consumers into configuring multi-factor authentication for their accounts.
Easterly suggests vendors should take note of the auto industry campaigns in the late 20th century that encouraged drivers to wear seatbelts and apply similar tactics to increase the adoption of MFA – which she says is the “seatbelt of the information highway.” Vendors should also build MFA into their products at the design stage, rather than MFA being an aftermarket add-on, and ensure that they provide their users with a complete MFA feature set. She also suggests vendors should publish MFA uptake numbers, especially for high-privilege accounts.
In her blog post, Easterly explained that one top vendor has reported that only around one-quarter of its enterprise customers have implemented multi-factor authentication, and more worryingly, only one-third of system administrators have MFA enabled on their accounts. “We can’t improve what we don’t measure,” said Easterly. “Simply put, we need better visibility into MFA adoption.”
Easterly explained that any form of multi-factor authentication is better than no multi-factor authentication; however, not all forms of MFA provide the same level of protection, and some forms of MFA are not resistant to phishing attacks. Recently phishing campaigns have been conducted that are able to bypass traditional forms of MFA such as one-time codes sent to cell phones, push notifications, and authenticator apps. Attacks that are capable of bypassing traditional MFA protections are only likely to increase.
Fortunately, there are alternative forms of MFA that provide far greater protection. “A group of companies formed the FIDO Alliance to create a phishing-resistant form of MFA,” said Easterly. “They’ve been able to bake FIDO protocols into the operating systems, browsers, phones, and tablets that you already own. And FIDO is supported on dozens of online services. Organizations large and small are starting pilots and even completing their rollout to all staff.”
Easterly says FIDO MFA is the gold standard and the only widely available phishing-resistant authentication and urges all CEOs to ensure that FIDO authentication is on their organization’s MFA implementation roadmap.
The post CISA Director Encourages All Organizations to Adopt FIDO Authentication appeared first on HIPAA Journal.