CISA and NSA Offer MFA and SSO Guidelines for Developers, Vendors – Source: securityboulevard.com

Developers and tech vendors need to improve multifactor authentication (MFA) and single sign-on (SSO) tools and make them easier for organizations to use to reduce the threat of phishing, password spraying, and similar cyberattacks, according to the nation’s largest cybersecurity agencies.

The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) this week rolled out a report outlining the challenges developers and vendors face with gaps in the technology’s that hinder adoption of MFA and SSO, authentication technologies that right now represent the best chance for enterprises to thwart a range of attacks at a time when threat actors are increasingly targeting credentials as avenues into targeted systems.

“The increase of multi-computer use has led to vulnerabilities in access management and identity verification, meaning risk for computer systems and information – one of the most critical resources for any organization,” the NSA wrote. “Cyber criminals are continuing to refine methods and approaches as the cyber landscape evolves. A significant portion of breaches occur from misusing or manipulating digital identities, including stolen credentials and phishing, or by exploiting vulnerabilities.”

The report released this week – Identity and Access Management: Developer and Vendor Challenges [PDF] – comes six months after the agencies rolled out best practices for identity and access management (IAM) administrators.

A Booming MFA Market

The MFA market is expected to continue its rapid growth in the coming years, jumping from $16.4 billion this year to $26.7 billion in 2027. Amazon Web Services this week said that in 2024 it will expand MFA requirements for some users, starting with root users of AWS Organizations management accounts.

“We will expand this program throughout 2024 to additional scenarios such as standalone accounts (those outside an organization in AWS Organizations) as we release features that make MFA even easier to adopt and manage at scale,” Steve Schmidt, Amazon’s chief security officer, wrote in a blog post.

That said, hackers are finding more ways to bypass MFA and other advanced authentication methods. Techniques include compromising passwords and leveraging default credentials, account takeovers, creating new accounts, and hacking into storage systems to grab credentials.

Some high-profile hacks, such as the ones last year against Uber and Microsoft, were the result of MFA fatigue, where a bad actor gets ahold of a person’s credentials and then repeatedly tries to log into their account, triggering the two-factor login approval request. The victim will continue to deny the request and block access, but sometimes will wear down and accept an alert, letting the attacker in.

Challenges with IAM

In their guidance, CISA and NSA note several issues that make adoption difficult particularly for larger organizations, though they touch on challenges for SMBs. A problem for organizations large and small is that deploying MFA is “notoriously difficult,” the report’s authors wrote.

The problems include confusing definitions and unclear policies for different versions of MFA, so interoperability and standardization among the variants would enable organizations to weigh their options.

“This starts with basic steps such as using common terminology; terms like ‘2-step verification,’ ‘two-factor authentication,’ and ‘multi-factor authentication’ are all widely used to describe similar capabilities,” they wrote.

Vendors also need to make it easier for organizations to determine the security properties of these options, compatibility with their IT environments, and support the strongest forms of MFA, including those based on PKI and FIDO2 standards.

Tech vendors also need to develop better enrollment tools for complex enterprise environments for managing actions when employees join and leave the organization and for finding and purging MFA accounts that haven’t been used or are exhibiting unexpected behaviors.

For SSOs, adoption challenges include the tradeoff between functionality and complexity, architectures that make it difficult to integrate open standards-based SSO with legacy applications, and the fact that SSO features often are bundled with other high-end enterprise features, making them inaccessible to smaller organizations.

Vendors can address the last problem by including SSOs in any pricing plan regardless of the organization’s size.