Agencies must integrate and enforce MFA across applications involving authenticated access to Federal systems by agency staff, contractors, and partners.[7]
MFA should be integrated at the application layer, such as through an enterprise identity
service as described above, rather than through network authentication (e.g., a virtual private
network).
Approaching an application from a particular network must not be considered any less
risky than approaching it from the public internet. Accomplishing this goal in an enterprise
means progressively de-emphasizing network-level authentication by its users, and eventually
removing it entirely. In mature zero trust deployments, users strongly authenticate into
applications, not into the underlying networks.
MFA will generally protect against some common methods of gaining unauthorized
account access, such as guessing weak passwords or reusing passwords obtained from a data
breach. However, many approaches to multi-factor authentication will not protect against
sophisticated phishing attacks, which can convincingly spoof official applications and involve
dynamic interaction with users. Users can be fooled into providing a one-time code or
responding to a security prompt that grants the attacker account access. These attacks can be
fully automated and operate cheaply at significant scale.
Fortunately, there are phishing-resistant approaches to MFA that can defend against these attacks. The Federal Government’s Personal Identity Verification (PIV) standard is one such approach. The World Wide Web Consortium (W3C)’s open “Web Authentication” standard,[8] another effective approach, is supported today by nearly every major consumer device and an increasing number of popular cloud services.
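What makes WebAuthn resist the relay-style phishing described above is that the browser, not the web page, records the origin it is running on in the client data, the authenticator signs over that client data together with a hash of the relying party (RP) ID, and the RP checks both before trusting the signature. An assertion minted on a look-alike domain therefore fails verification at the real service even when the attacker relays the real challenge. The Go program below is an added example written for this page, not code from OMB, the W3C, or any FIDO implementation; the RP ID login.agency.example, its origin, and the look-alike domain login-agency.example are assumed, and the browser and authenticator are simulated in-process with a P-256 key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical relying party identifiers used throughout this example.
const (
	rpID     = "login.agency.example"
	rpOrigin = "https://login.agency.example"
)

// clientData mirrors the CollectedClientData a browser serialises into
// clientDataJSON for a navigator.credentials.get() ceremony.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, no padding
	Origin    string `json:"origin"`    // written by the browser, not the page
}

// assertion is the subset of an AuthenticatorAssertionResponse the RP verifies.
type assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON []byte
	Signature      []byte // DER ECDSA over authData || SHA-256(clientDataJSON)
}

func newChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// signAssertion plays browser plus authenticator. The origin it signs is the
// one the browser observed, so a signature produced on a look-alike site is
// useless to an attacker who relays it to the real RP.
func signAssertion(priv *ecdsa.PrivateKey, credRPID, origin, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	h := sha256.Sum256([]byte(credRPID))
	authData := append(h[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount 1
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// verifyAssertion runs the RP-side checks that give the ceremony its phishing
// resistance: ceremony type, challenge freshness, origin, rpIdHash, user
// presence, and only then the signature.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was made on another site", cd.Origin, rpOrigin)
	}
	if len(a.AuthData) < 37 {
		return errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: credential is scoped to a different RP ID")
	}
	if a.AuthData[32]&0x01 == 0 {
		return errors.New("user presence not asserted")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], a.Signature) {
		return errors.New("invalid signature")
	}
	return nil
}

// outcome holds the verification result of each scenario (nil means accepted).
type outcome struct{ Genuine, PhishedOrigin, PhishedRPID, Replayed error }

func demo() (outcome, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return outcome{}, err
	}
	pub := &priv.PublicKey
	sign := func(credRPID, origin, c string) assertion {
		a, err := signAssertion(priv, credRPID, origin, c)
		if err != nil {
			panic(err)
		}
		return a
	}
	var o outcome
	c := newChallenge() // 1. user signs in on the real site
	genuine := sign(rpID, rpOrigin, c)
	o.Genuine = verifyAssertion(pub, genuine, c)
	c = newChallenge() // 2. proxy kit relays the real challenge to a look-alike site;
	phished := sign(rpID, "https://login-agency.example", c)
	o.PhishedOrigin = verifyAssertion(pub, phished, c) // origin check rejects it
	c = newChallenge() // 3. credential scoped to the attacker's own RP ID
	o.PhishedRPID = verifyAssertion(pub, sign("login-agency.example", "https://login-agency.example", c), c)
	o.Replayed = verifyAssertion(pub, genuine, newChallenge()) // 4. captured assertion replayed
	return o, nil
}

func main() {
	o, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v\nphished origin: %v\nphished rpId: %v\nreplayed: %v\n",
		o.Genuine, o.PhishedOrigin, o.PhishedRPID, o.Replayed)
}
```

In scenario 2 a conforming browser would refuse to exercise the credential on login-agency.example at all, because that host is not within the credential's RP ID; the example signs anyway to show that even a cooperating authenticator produces nothing the real RP accepts. Contrast this with a one-time code or push approval, which carries no origin and so verifies identically whether the user typed it into the real site or into the phishing proxy.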
Agencies must require their users[9] to use a phishing-resistant method to access agency-hosted accounts. For routine self-service access by agency staff, contractors, and partners, agency systems must discontinue support for authentication methods that fail to resist phishing, including protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.
This requirement for phishing-resistant methods is necessitated by the reality that
enterprise users are among the most valuable targets for phishing. That problem can be mitigated
by providing those users with phishing-resistant tokens, including the PIV cards that agency staff
and partners are generally issued.
[7] The term “partners” is meant to include users that are external to the agency, but whose use of agency systems requires a strong form of MFA. For example, this category could include Government contractors submitting financial information. Agencies will need to determine the scope of this category based on their own systems and missions.
[8] Web Authentication, also known as WebAuthn, was developed as part of the FIDO Alliance’s FIDO2 standards, and is now published by the World Wide Web Consortium (W3C) as a free and open standard: https://www.w3.org/TR/webauthn-2/
[9] These users include employees, contractors, and enterprise users, such as mission or business partners, as described in OMB Memorandum M-19-17. https://www.whitehouse.gov/wp-content/uploads/2019/05/M-19-17.pdf