CISA Encourages Orgs To Go Further Than MFA, Adopt FIDO Authentication
CISA Director Jen Easterly urged business leaders to ensure that FIDO authentication is part of their organization’s MFA implementation plan.
Enabling multi-factor authentication (MFA) is “the single most important thing Americans can do to stay safe online,” Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly wrote in a CISA blog post.
But Easterly encouraged businesses and technology vendors in particular to go one step further and ensure that FIDO authentication is part of their MFA implementation plans.
“We’ve known for years that any form of MFA is better than no MFA. That’s still true, but we’ve also known that at some point ‘traditional MFA’ would become ‘legacy MFA’ and need to be reassessed or even replaced,” Easterly wrote.
“Luckily a group of companies formed the FIDO Alliance to create a phishing-resistant form of MFA.”
According to its website, the FIDO Alliance is an open industry association united by the goal of reducing “the world’s over-reliance on passwords.”
The FIDO Alliance has globally available technical specifications and industry certification programs that make authentication simpler and more secure.
“At CISA, we talk often about resilience. We have to accept that even with all the planning and exercising to keep our systems, data, and infrastructure safe, it is still true that bad things will happen, like an employee in your organization falling for a phishing email,” Easterly continued.
“The reason FIDO is so valuable is because even when this happens, the attack will still fail.”
The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) found that phishing was the most frequently reported cybercrime of 2021. Phishing and social engineering are extremely prevalent in healthcare. MFA is crucial to helping healthcare organizations improve their security postures.
Easterly called FIDO the “gold standard” for MFA and urged business leaders to use FIDO to enhance their enterprise security efforts.
In addition, Easterly called on technology vendors to promote the visibility of MFA statistics.
“A few services have helpfully published data, but most have not, and that lack of visibility is hurting our collective ability to truly tackle the challenges that will allow us to raise the cybersecurity baseline for the nation,” the blog post continued.
Easterly urged technology vendors to embrace transparency for MFA statistics, nudge end-users and system administrators to use and implement MFA, and ensure that there are no cost barriers to adopting MFA.
“The bottom line is that we need to all get in the game and work this issue together. By tackling the MFA challenge from different angles, we can significantly improve online security—and by extension our business, personal and even national security,” Easterly concluded.