Multifactor authentication (MFA) is now mandatory for federal agencies handling and collecting citizens’ personal information.
With advanced persistent threats on the rise — and the Cybersecurity and Infrastructure Security Agency adding single-factor authentication to its list of “bad practices” — MFA is the way forward for organizations to both protect personal data and ensure compliance with regulatory directives.
What does this look like in practice? How are agencies currently using MFA, what advantages does it offer and what’s on the horizon for multifactor frameworks?
According to David Temoshok, senior policy adviser for the Trusted Identities Group at the National Institute of Standards and Technology, the move toward MFA started under President Barack Obama with the National Strategies for Trusted IDs in Cyberspace strategy, developed “to advance the concept of trusted IDs with the public. It emphasized the need for MFA to improve online authentication and protect their accounts to prepare for online and digital services to the public and the government.”
This protective priority was further emphasized by Executive Order 13681 in 2014. “If the federal government was going to collect and handle personally identifiable information,” says Temoshok, “it needed to be protected through MFA.”
Agencies now use a variety of solutions to enforce MFA policies. For example, the Agriculture Department and the Centers for Medicare and Medicaid Services use Okta for multifactor authentication; the National Institute of Allergy and Infectious Diseases leverages Cisco Duo; and the Department of Defense Education Activity is moving to a Microsoft MFA solution in addition to its Common Access Card system for staff.