Choice 2025: Tortoise, Hare, or Bear Food?

Tortoise, Hare, or Bear

Look, the U.S. federal government doesn’t have a reputation for being dynamic, fresh, and fast-moving. But, in at least one respect, federal chief information security officers (CISOs) and identity architects are ahead of their commercial counterparts: the evolution from identity and access management (IAM) to identity, credential, and access management (ICAM).

The White House just released a shiny new (and big!) cybersecurity executive order that contains several provisions for authentication and digital identity. If you’re an identity architect or IAM leader, it highlights a couple of key points about the evolution of authentication and ICAM:

  • To prioritize investments in the innovative identity technologies and processes of the future and phishing-resistant authentication options, FCEB agencies shall begin using, in pilot deployments or in larger deployments as appropriate, commercial phishing-resistant standards such as WebAuthn, building on the deployments that OMB and CISA have developed and established since the issuance of Executive Order 14028. These pilot deployments shall be used to inform future directions for Federal identity, credentialing, and access management strategies.
  • Revise OMB Circular A-130 to… more clearly promote the adoption of evolving cybersecurity best practices across Federal systems, and to include migration to zero trust architectures and implementation of critical elements such as EDR capabilities, encryption, network segmentation, and phishing-resistant multi-factor authentication.

As we all know, “phishing-resistant multifactor authentication (MFA)”, as defined by CISA, means MFA built on strong credentials such as FIDO and transport layer security (TLS) certificates. What may be surprising is how small a percentage of organizations actually use FIDO or TLS, or hardware tokens carrying these credentials.
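What makes FIDO/WebAuthn phishing-resistant, where a one-time code is not, is that the browser (not the web page) writes the page's origin and the relying-party ID into the data the authenticator signs, so an assertion captured on a look-alike domain cannot be replayed against the real site. The Python simulation below is an added example, not code from the article or from Axiad; the domain names, challenge format, and the HMAC standing in for the authenticator's per-site private key are all constructed assumptions, and the browser's rpId rule is simplified (real browsers also reject public suffixes).

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed relying-party values (assumptions, not from the article).
RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"
PHISHING_ORIGIN = "https://bank-example.test"  # constructed look-alike domain


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SimulatedAuthenticator:
    """Stand-in for a FIDO authenticator.

    A real authenticator signs with a per-relying-party private key and the
    server verifies with the registered public key. To stay stdlib-only this
    simulation uses an HMAC key as the 'private key'; the point of the
    demonstration is *what* gets signed, not the signature algorithm.
    """

    def __init__(self) -> None:
        self.key = os.urandom(32)

    def get_assertion(self, rp_id: str, page_origin: str, challenge: str) -> dict:
        # authenticatorData = SHA-256(rpId) || flags || signCount (4 bytes).
        # Flag 0x01 = user presence.
        auth_data = sha256(rp_id.encode()) + bytes([0x01]) + (0).to_bytes(4, "big")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
        ).encode()
        signed = auth_data + sha256(client_data)
        sig = hmac.new(self.key, signed, "sha256").digest()
        return {"authenticatorData": auth_data, "clientDataJSON": client_data, "signature": sig}


def browser_get_assertion(auth: SimulatedAuthenticator, page_origin: str,
                          requested_rp_id: str, challenge: str) -> dict:
    """Models the user agent: it fills in the origin itself and refuses an rpId
    that is neither the page's host nor a parent domain of it (simplified)."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError("rpId is not valid for this origin")
    return auth.get_assertion(requested_rp_id, page_origin, challenge)


def verify_assertion(assertion: dict, registered_key: bytes, expected_challenge: str,
                     rp_id: str = RP_ID, expected_origin: str = EXPECTED_ORIGIN) -> tuple:
    """Relying-party checks, in the order a WebAuthn server performs them."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or stale login)"
    if client.get("origin") != expected_origin:
        return False, "origin mismatch (assertion was produced on another site)"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != sha256(rp_id.encode()):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth_data + sha256(assertion["clientDataJSON"])
    expected_sig = hmac.new(registered_key, signed, "sha256").digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "signature does not verify"
    return True, "ok"


def verify_otp(submitted_code: str, current_code: str) -> bool:
    """Contrast: a one-time code carries no origin or challenge binding, so a
    code typed into a look-alike page verifies just as well when relayed."""
    return hmac.compare_digest(submitted_code, current_code)


def new_challenge() -> str:
    return base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()


def demo() -> dict:
    auth = SimulatedAuthenticator()  # registered with bank.example
    # 1. Legitimate login: the user really is on https://bank.example.
    challenge = new_challenge()
    good = browser_get_assertion(auth, EXPECTED_ORIGIN, RP_ID, challenge)
    # 2. Look-alike page asks for the real site's rpId: the browser refuses.
    challenge2 = new_challenge()
    try:
        browser_get_assertion(auth, PHISHING_ORIGIN, RP_ID, challenge2)
        refused = False
    except ValueError:
        refused = True
    # 3. Look-alike page uses its own rpId and relays the fresh challenge:
    #    the signed origin/rpIdHash do not match the real site, so it fails.
    relayed = browser_get_assertion(auth, PHISHING_ORIGIN, "bank-example.test", challenge2)
    return {
        "legitimate": verify_assertion(good, auth.key, challenge),
        "browser_refuses_foreign_rpid": refused,
        "relayed": verify_assertion(relayed, auth.key, challenge2),
        "otp_relayed": verify_otp("482913", "482913"),  # constructed code
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The checks in `verify_assertion` mirror the ordering of a WebAuthn server's assertion verification (ceremony type, challenge, origin, rpIdHash, flags, signature); the OTP function is there only to make the contrast visible: nothing in a six-digit code ties it to where the user typed it.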

A recent article in SC Magazine tells us that while the use of MFA has increased dramatically since the start of the Covid-19 pandemic, the percentage of commercial organizations using phishing-resistant forms of MFA is still shockingly low.

According to a recent article, only 10% of MFA implementations are using phishing-resistant functions in conjunction with their passwords and other options.

If this data is accurate to any degree, 90% of commercial organizations are still relying on phishing-prone authentication processes.

Looking at these two data points side by side, we see a strong federal government focus on achieving phishing resistance across agencies and organizations, and foot-dragging in the commercial space. It's clear a new paradigm for technology adoption is emerging. In short: federal is leading the way, while commercial will be the laggard.

What Will You Be?

It seems that by the end of 2025 every commercial organization will be one of three things:

  1. The Tortoise: determined to get their organization to phishing resistance, but doing it at a slow and steady pace reflective of their budgets, emergencies, and priorities. These organizations will eventually get there, but will need to be reminded (at least every budget cycle, if not every day) why phishing resistance is so important to their overall cybersecurity strategies. Example: a global oil and energy leader that needed 5 months of planning and 5 months of integration for their solution, largely because of the rough physical environments experienced by their 100,00 workers.
  2. The Hare: organizations that decided some time ago to be phishing resistant for all users in all scenarios, made it a priority, and made rapid progress toward that goal. Example: CarMax didn’t waste time. Their enterprise-wide project combined IDEMIA’s PIV-based smart cards with Axiad’s certificate-based authentication (CBA), and a revolutionary shift from “IAM thinking” to “ICAM thinking” focused on scalable hardware and strong digital credentials. You can learn how to do the same in this webinar.
  3. The Bear: We all know the parable, right? Two guys are running away from a hungry bear and one says, “We can’t outrun a bear!” The other looks over at him and says, “I don’t need to outrun the bear. I only need to outrun you!” Example: every organization that watches as federal government agencies implement phishing-resistant MFA and adversaries shift to weaker targets. Example: anyone still using weak credentials like those described in this 12-minute video.

The good news? You get to pick which of these animals you’ll be.

The even better news? There are ways to get your organization to a phishing-resistant MFA program that:

  • Doesn’t require you to rip and replace existing IAM tools
  • Is platform-agnostic (Love Okta? Keep it! Love Entra ID? Keep it! Use both? OK!)
  • Is fast to implement, and fast to show results
  • Doesn’t break your budget

Download a copy of our blueprint, Future-Proofing Your MFA, today to learn how your organization can be better protected from cybersecurity attacks using phishing-resistant MFA.