
CISA-NSA report surfaces MFA-SSO challenges
The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) are jointly calling for more organizations to implement multifactor authentication (MFA) and single sign-on (SSO) capabilities to improve cybersecurity despite all the known challenges.
An Identity and Access Management: Developer and Vendor Challenges report published by an Enduring Security Framework (ESF) panel created by CISA and NSA notes MFA is one of the most important tools any organization has at its disposal, but there are multiple issues that tend to limit adoption, including how notoriously difficult it is to implement.
Issues include confusing definitions and unclear policy controls spanning different variations of MFA. There is a need for clarity, interoperability, and standardization to enable organizations to make comparisons and integrate different solutions based on requirements. In the absence of that transparency, too many organizations opt for MFA solutions based on, for example, short message service (SMS) codes without fully appreciating the differences between MFA options, the report notes.
It is incumbent upon the identity access management (IAM) vendor community to work together to agree on terminology to reduce confusion, the report adds.
Other issues include a lack of clarity regarding the security properties that certain MFA implementations provide. All forms of MFA provide some protection against password reuse and compromise but have differing levels of security for how secret keys are stored and their overall resistance to phishing attacks.
Finally, MFA solutions provide varying levels of support for public key infrastructure (PKI) and Fast Identity Online (FIDO) 2 standards. Most IAM vendors offering SSO platforms support both PKI and FIDO2 authentication, but not all do, and the support may be incomplete. For example, PKI may not be treated as a “multifactor” authenticator within the authentication policy because it is a single authenticator that nonetheless provides multiple “factors”: the private key is something the user has, and unlocking it requires a PIN or biometric. Similarly, restrictions may exist on the types of FIDO2 authenticators that can be registered, and the ability to define policy based on attestation (the signed statement of which authenticator model created a credential) may be lacking.
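Two of the properties the report says vendors describe poorly are phishing resistance and attestation-based policy. The example below, added here and not taken from the ESF report or any vendor, makes both concrete on the Python standard library alone: a relying party that accepts a TOTP code cannot tell whether the user typed it into the real site or into a look-alike page, whereas a WebAuthn assertion signs over the browser-supplied origin, so a relayed assertion fails verification; and the AAGUID embedded in registration data is what an attestation allow-list keys on. The RP ID, origins, seeds, and AAGUID values are constructed for the example, and HMAC-SHA256 stands in for the authenticator's ECDSA signature so that nothing beyond the standard library is needed.

```python
import base64
import hashlib
import hmac
import json
import os
import struct
from typing import Optional, Tuple

RP_ID = "login.example.com"                   # constructed relying party ID
RP_ORIGIN = "https://login.example.com"       # the only origin the RP accepts
PHISH_ORIGIN = "https://login-example.com"    # constructed look-alike domain


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- TOTP (RFC 6238): the code carries no information about where it was typed ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    return hotp(secret, unix_time // step)


def totp_relay_succeeds(secret: bytes, unix_time: int) -> bool:
    """Victim types the code into the phishing page; the attacker forwards it verbatim.
    The RP only checks that the digits match, so the relayed code is accepted."""
    relayed_code = totp(secret, unix_time)
    return hmac.compare_digest(relayed_code, totp(secret, unix_time))


# --- WebAuthn assertion: the signature covers clientDataJSON, which names the origin ---
def browser_client_data(challenge: str, page_origin: str) -> bytes:
    # The browser, not the page script, fills in the origin it is really running on.
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": page_origin}).encode()


def authenticator_assert(key: bytes, client_data: bytes) -> Tuple[bytes, bytes]:
    # authenticatorData = rpIdHash(32) | flags(1: UP|UV) | signCount(4)
    auth_data = sha256(RP_ID.encode()) + bytes([0x05]) + struct.pack(">I", 1)
    # HMAC-SHA256 stands in for the ECDSA signature a real authenticator produces.
    sig = hmac.new(key, auth_data + sha256(client_data), hashlib.sha256).digest()
    return auth_data, sig


def rp_verify(key: bytes, challenge: str, auth_data: bytes, client_data: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:      # origin binding: the phishing-resistance check
        return False
    if auth_data[:32] != sha256(RP_ID.encode()) or not auth_data[32] & 0x01:  # rpIdHash, UP
        return False
    expected = hmac.new(key, auth_data + sha256(client_data), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def webauthn_relay_succeeds(key: bytes, page_origin: str) -> bool:
    """Attacker starts a login at the RP, relays the challenge to the victim's browser
    (running on page_origin), then relays the resulting assertion back to the RP."""
    challenge = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()
    client_data = browser_client_data(challenge, page_origin)
    auth_data, sig = authenticator_assert(key, client_data)
    return rp_verify(key, challenge, auth_data, client_data, sig)


# --- Attestation policy: AAGUID is bytes 37..53 of authenticatorData when the AT flag is set ---
def make_registration_auth_data(aaguid: bytes) -> bytes:
    # flags 0x45 = UP | UV | AT; credential ID constructed; COSE public key omitted (not needed here)
    cred_id = os.urandom(16)
    return (sha256(RP_ID.encode()) + bytes([0x45]) + struct.pack(">I", 0)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id)


def registration_aaguid(auth_data: bytes) -> Optional[bytes]:
    if len(auth_data) < 55 or not auth_data[32] & 0x40:
        return None
    return auth_data[37:53]


def attestation_policy_allows(auth_data: bytes, allowed_aaguids: set) -> bool:
    aaguid = registration_aaguid(auth_data)
    return aaguid is not None and aaguid in allowed_aaguids


if __name__ == "__main__":
    HW_KEY_AAGUID = bytes(range(16))     # constructed; real values come from the FIDO Metadata Service
    print("TOTP relay accepted:", totp_relay_succeeds(b"constructed-seed", 1_700_000_000))
    print("WebAuthn from real origin:", webauthn_relay_succeeds(b"cred-key", RP_ORIGIN))
    print("WebAuthn relayed via phish:", webauthn_relay_succeeds(b"cred-key", PHISH_ORIGIN))
    print("Allowed authenticator:", attestation_policy_allows(make_registration_auth_data(HW_KEY_AAGUID), {HW_KEY_AAGUID}))
    print("Unknown authenticator:", attestation_policy_allows(make_registration_auth_data(bytes(16)), {HW_KEY_AAGUID}))
```

The origin check in `rp_verify` is the whole of the phishing-resistance story: a real browser would already refuse to run a WebAuthn ceremony for `login.example.com` from the look-alike domain, but even a fully cooperative relay cannot change the origin string the browser writes into clientDataJSON without invalidating the signature. The AAGUID check is where an IAM product has to let administrators say "only these authenticator models may register"; if the platform discards attestation at registration time, that policy cannot be expressed later.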
Support on different client platforms is also inconsistent and credential lifecycle management is often lacking, the panel warns.
On the SSO front, the report notes that ease-of-use challenges also apply to configuring services from SSO providers, and that this would be improved by more robust standards. Tooling for understanding trust relationships, and the impact that configuration changes might have on them, could also be improved. In addition, identity federation protocols such as the Security Assertion Markup Language (SAML) support a variety of configuration profiles, some of which are known to be less secure than others.
There’s no doubt that MFA and SSO will significantly improve the overall state of cybersecurity, but given the current level of maturity, most organizations would be well-advised to make sure that their cybersecurity strategy is based on defense in depth. Cybercriminals, after all, are becoming more adept at “living off the land” after they steal credentials. It might be months before anyone realizes that cybercriminals have found a way to circumvent MFA.
The implementation of Multi-Factor Authentication (MFA) and Single Sign-On (SSO) can be complex. Unfortunately, the absence of MFA and SSO leaves the door open for usernames and passwords to be stolen and sold or shared among criminals.
