ISMG Editors: Identity Security SpecialTackling MFA Fatigue Attacks; GSA Missteps; Next Steps for Digital Identity Bill Anna Delaney (annamadeline) • April 7, 2023
In the latest weekly update, Venable's Jeremy Grant joins Information Security Media Group editors to discuss how to defend against the increasing use of MFA fatigue attacks, takeaways from a recent U.S. probe into compliance issues related to Login.gov services and the latest updates on the Improving Digital Identity Act.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday and Europe; ISMG contributor Jeremy Grant, managing director, technology business strategy, Venable LLP; and Tom Field, senior vice president, editorial - discuss:
- The growing risk of MFA fatigue attacks and how to combat them;
- How the U.S. General Services Administration misled customers about Login.gov's compliance with digital identity standards;
- The next steps in Congress on passage of the Improving Digital Identity Act, which would establish a governmentwide effort to develop secure identity verification methods for governmental agencies.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the March 24 edition discussing what's next in Russia's cyberwar and the April 3 edition discussing the fate of TikTok amid the overwhelming concerns of U.S. lawmakers.
Anna Delaney: Hello and welcome to this special identity security edition of the ISMG Editors' Panel. I'm Anna Delaney, and this week joining us to discuss identity and access management trends and solution and much more is our great friend, the distinguished Jeremy Grant, managing director - technology business strategy at Venable LLP. The band also includes Tom Field, senior vice president of editorial and Mathew Schwartz, executive editor of DataBreachToday and Europe. Very good to see you all. Jeremy, welcome back.
Jeremy Grant: Good to be here.
Tom Field: Jeremy, pleasure to see you today. We've talked a lot over the past three years and as we come into the spring of 2023, it's a good time for reflection. So I'm going to ask you, after three years plus of digital transformation, how would you say all of this has changed the way business and security leaders view identity today both as a strength and as a vulnerability?
Grant: Three years ago, just for reminder for everybody was when we were just starting our lockdown for COVID. And so I think when we talk about three years of digital transformation, a lot of it is - for purposes of level setting - was forced "holy crap, we've got to hurry something out quickly" digital transformation, as opposed to the kind of, "hey, let's come up with a multi-year plan and put something in place." And so I'd say with that, the results are mixed. I think for some companies who have embraced identity and perhaps even doubled down on it and gone back to some of the things they raised that a few years ago and made some firmer investments, identity is definitely strength, they feel comfortable about their security, they're not necessarily particularly worried about identity-centric attacks on their systems, for the simple reason that they've closed off a lot of the most commonly exploited vulnerabilities, to the extent that they have good identity and access management systems, for the customer-facing websites. They're able to put more high value, high risk applications online for them in a way that might be hard if you didn't have that sort of infrastructure. From a vulnerability perspective, I think, the sad thing there is we're not seeing that many organizations who have done this, and so we're still seeing year after year people taking advantage of the same - what I would call two or three deficiencies in digital identity infrastructure to steal lots of money and data. And so they were continuing on a monthly basis, there's another breach, and it's like, "oh, well, I think I've read about this one before," because the same bad actors or their cousins or nephews or whatever, who are basically using the same attack vectors to get in. And, I think, we have a pretty good idea around how these things happen and why they're happening, but not necessarily seeing a lot of urgency in terms of trying to put solutions in place that can stop them.
Field: That's well said. For follow-up question, we turn to Matt.
Mathew Schwartz: Great to see you again, thanks for being here. I appreciate your identity insights. And one of the things I've been following recently is the Improving Digital Identity Act in the U.S., which I believe recently advanced out of committee, and is going to be going to the Senate for full consideration. And the legislation is aiming to establish a government-wide effort to develop secure methods for government agencies to be dealing with identity. So talk us through this, if you will, what would this bill be doing that isn't already being done?
Grant: I think the big issue around the improving digital identity act is focusing on how we can bring digital identity infrastructure to consumers. And so to the extent that it's looking to coordinate an effort around different government agencies, what it's looking at, at its core, is the fact that, we talked before with Tom about three years of digital transformation. Let's expand it to, say 30. Going back to the early 90s, when we first started going online, I often talk about, there was a famous cartoon that was published, and it'll be 30 years in July, where the two dogs are on the internet. And one dog turns to the other and says, "On the internet, nobody knows you're a dog." And we're still dealing with that problem today. In fact, it's gotten a lot worse than it was 30 years ago, when the cartoon was published. I've also pointed out those dogs are sadly a blessing memory because of dog years. But the problem is still with us. A big issue that we're dealing with, and I think , that this legislation is looking to deal with is that at least in the U.S., we don't have a national ID, but we do have a number of what I would call nationally-recognized authoritative digital identity systems - be it the birth certificate I got from the county I was born in, the driver's license I get from the state that I live in now, or things like my passport, and my social security number that I get from the federal government. So federal, state and local, all issuing nationally-recognized authoritative documents, all of them stuck in the paper and plastic world. And so when we talked before about all of the bad things that keep happening with identity-centric attacks, particularly when it comes to stealing consumer information, one of the challenges that we have is that as we look to put more and more things online, we have this identity gap between these legacy things that are stuck in the paper and plastic world, and what we have in the digital, what we need in the digital, I should say. And so at the core of the Improving Digital Identity Act is directing the White House to pull together key issuers from the federal, state and local level along with private sector stakeholders, and privacy and civil liberty advocates and others that you want at the table to try and figure out a coordinated approach for how you close that gap. So that people could have digital counterparts to the documents that they have that work in the paper or plastic world but do not work in digital.
Schwartz: Great stuff. Thank you, Jeremy. Going to hand over to Anna, tag team.
Delaney: Thank you so much. So on this program, we often talk about the state of passwordless security and often have positive discussions about the progress towards a password-free future. However, I often talk with CISOs, who still think this is a fantasy scenario. And I'm sure you're aware that in the EU, the use of biometrics is still challenged, has its doubters. So I'm wondering, what it's going to take to turn this around. We recall that last year, Google Apple and Microsoft adopted FIDO, of course, but we haven't heard much since. So what gears do these companies still have a lot of work to do?
Grant: I'm very bullish these days in the ability to go passwordless. And so this picture I mentioned I was in Taipei was for FIDO's winter plenary. And I will say the progress that I was hearing there from members, as well as a lot of their customers in terms of the ability to build a passwordless, I think, as this year goes on, you're going to see more and more companies, particularly in the consumer space, replacing passwords with passkeys, the idea of a multi-device credential that could essentially be synced across different devices. You're already seeing a number of big consumer brands. Pay Pal has probably been the most notable, who have already started to launch it. And so the idea that you default for consumer applications is going to be that you're going to need to ask them to create a password. The first time they sign up for service, I think is going to go away. Now, these things take time. I think, part of what we saw in 2022 was an announcement from the big tech platforms to all embrace this concept of multi-device passkeys. There was a little bit of a gap between first their announcement of their intent to support it, versus then rolling out support for newer platforms that has largely happened right now, particularly in Apple and Google platforms and Microsoft's got a lot in the works as well. So, it is happening and you're starting to see things roll out on the enterprise side. It's a little bit different just in that the requirements might be a little different. Sometimes the regulatory requirements also vary between countries. But I'm seeing a lot of folks who are being able to go truly passwordless, say embracing things like FIDO security keys, which can be rolled out with or without biometrics. And as you mentioned, biometrics, we have this in the U.S. as well. It presents some issues, if you're creating and storing central repositories of biometrics, the FIDO model is all leveraging match on device, which is good for privacy, good for regulatory compliance, in that there isn't any risk of some big biometric database being compromised, or people reverse engineering things. It's all just stored securely on your device. And then you can use that to then unlock a cryptographic key. So we're not there yet. And one thing I've seen for my years in this space, is there's a gap between the announcement of a new standard, and then when it gets adopted. So I think it'll take some time. But the flip side is, if I'm Cisco, who's interested in going passwordless, here's some options that are out there right now that we're not there a year ago, and I would suggest that people do a deep dive, look at what's happening over the last 912 months, and take advantage of some of these new tools that are now out there and widely supported in, particularly people's consumer devices.
Field: I want to talk to you about MFA fatigue. It's a term that arose in 2022. We heard consistently these days, and it's a legitimate concern. But my question for you is how do we counter the narrative, which might suggest that MFA is a bad thing? I don't think that's the intent. But it could be interpreted that way.
Grant: No, I think the big message is all MFA is not the same. And it's a little frustrating, because it seems like right around the time that we got most people to understand the importance of MFA, we saw a shift in the kinds of attacks we were seeing where some legacy MFA types, be then based on one-time passcodes, or based on push notifications, suddenly became susceptible to phishing attacks. And so the idea of it can all be compromised, so don't bother. That's a dumb idea. One, in that even the most basic MFA is still going to block over 99% of attacks. The real issue comes down to if you're going to have a very determined attacker who's trying to target you, well, then if they can phish, you look just like they can phish you in a way that you can get you to hand over your 12 or 14 character password, they can fit a one-time passcode, or as we've seen with MFA fatigue attacks, if it's based on a push notification, they can potentially trick you into pushing approve, and then somebody's owned you on the backend. The good news is, don't use that MFA. Going back before to what we were talking about with passkeys and FIDO, FIDO, can't be phished. So there's no, there's no shared secret on either end, or there's nothing that you're going to do to trick somebody. It's basically whether using a security key or an embedded authenticator that's built into the platform, it's using asymmetric public key cryptography. So this is why we've seen the White House and CISA, and in the in the over in Europe, the Netherlands, the NCSC - Netherlands Cybersecurity Center - or a lot of other governments across the globe have been flagging this for several years, which is that MFA can be compromised. So make sure you're using an MFA that can stand up the phishing attacks. To me, it's a pretty straightforward solution. There's a great set of case studies that's out there from Cloudflare, who - last summer MFA fatigue attacks were coming around - basically came up with a blog that, I may get this slightly wrong so if anybody from Cloudflare is watching, please don't get too upset, but the basic gist of it was, "hey, that same attack that was victimizing a lot of other companies, hit us as well." And our folks got tricked into clicking on a link. But because we were using FIDO security keys, the attack died right there. They couldn't get in. So the technology is there, we know how to stop it. And it's I would say a little frustrating to have people keep throwing their hands up and saying, well, now MFA can be compromised, what are we supposed to do when there's a lot of clear evidence that's out there, that suggests what kind of authentication you should be using that can stand up to those attacks. And increasingly, we're seeing regulators point to this as well. I mentioned the White House, their zero trust strategy that covers government sites. But if you're a financial services firm, the CFPB - the Consumer Financial Protection Bureau - put out guidance last September that said, you should be using phishing resistant MFA and they pointed to the FIDO standards. You look at the recent Drizly settlement from the Federal Trade Commission where they had a pretty consequential breach. One of the things that was put into their agreement, their settlement that they put in place was that they should be using phishing-resistant MFA, which I'll say is sitting in a law firm, where we're often advising companies on how to avoid getting in trouble with the FTC. That's a great settlement to point to. Don't be like those guys, if you do this and something happens. Well, one, it probably won't happen, the bad thing, but if it does, you can at least say to the regulators, you were using the best stuff out there. So I feel like the tools are out there right now. But there's definitely a lot of confusion in the market still around, back to that point I made before, a new standard emerges. It's great, but there's a lag in adoption between when it emerges and when we get it used more ubiquitously, but we can definitely stop MFA fatigue attacks.
Field: Excellent insight. Thank you, Jeremy.
Schwartz: As a reporter, one of the things I've been tracking is the questionable, if you will, activity with login.gov. So very briefly, on March 29, the U.S. General Service Administration's inspector general appeared before a House Subcommittee to detail how GSA "misled customers on login.gov is compliance with digital identity standards," according the IG's report that came out last month. So the IG alleges GSA was billing its customers, as in U.S. government agencies for multifactor authentication login platform standards, as required by NIST, but which were failing to meet the NIST requirements. What's your take on this? Is this a cultural issue? Are there broader, more cautionary takeaways? You were talking about MFA getting a bad rap. It seems like somebody else is getting a bad rap here too, about the quality of identity being provided?
Grant: It was a pretty depressing report to read, the Inspector General's report that came out a couple of weeks before, and the hearing that you mentioned last week was the House Oversight Committee, which is not necessarily known as the place where there's like a lot of bipartisan cooperation. But this was a very bipartisan hearing in terms of Democrats and Republicans, all basically outraged about what had happened. To dive into it, login.gov is a system that the U.S. General Services Administration has been building. They must have started close to 10 years ago, 2013/2014 onward. And talking about MFA versus identity proofing just a level set, what login.gov has been, is a single sign-on, and account management and authentication service. So the idea being that, as an American, I can go to four or five government websites, sign-in with the same username and password. And then there's an MFA layer on top of it. In fact, login.gov was one of the very first consumer facing sites to implement FIDO. So, their MFA components are pretty sound. Where they got in trouble is on the account creation process. I'm not worried about authentication, how do I log back in, but for those applications, where it's pretty important to prove I'm Jeremy Grant, and in particular, Jeremy Grant, identity proofing is important. And so there, the standard that agencies have been expected to meet for quite some time is identity assurance level two is defined by NIST and their digital identity guidelines. So where GSA got in trouble is they never had a solution for identity proofing that met this identity assurance level 2 (IAL2). Further, they decided somewhere on the path to getting to be IAL2 compliant, but they weren't going to bother because they weren't comfortable with the use of the biometrics when they're used in the context of a one to one selfie match where you'd like to take a picture of your driver's license, and then take a selfie on the phone that would match to that. But they didn't tell anybody. They didn't tell the agencies. They kept telling the agencies they were complying with IAL2. This went on for about a year. Agencies were paying for it. And then when it was discovered, as you might imagine, some things kind of hit the fan. Now GSA to its credit, when they discovered this went to the inspector general in their agency and said, something happened here, we think you need to dive into this, this report details would happen. Some people lost their jobs out of it. It was not a very happy ending. There's a new team there now that is hopefully in a position to do a little bit better. But yeah, a lot of what we heard in the hearing last week was a lot of frustration with the agency but the whole idea of having the government develop this as a shared service is so that you have a single platform that agencies can trust and if agencies can't trust it, then there's some broader issues there.
Schwartz: Fantastic. It'll be an interesting story to follow. Hopefully, they're going to get everything sorted out sooner than later because we need it. Thank you, Jeremy.
Grant: I will say, tying back to your original question about the Improving Digital Identity Act. I've done an OpEd on this a few weeks ago. There's a bigger question around, is the GSA even in a position to be able to do identity proofing at scale for millions of Americans. They're not an agency that is in the identity business, at least when it comes to trying to figure out who's who. And back to the point I made of driver's license bureau, state vital records bureau, passport, social security numbers, we have nationally recognized authoritative identity systems that are out there today. The best way, from my perspective to help an agency like GSA or any other federal agency know who's who online, is to come up with those digital counterparts to those authoritative systems, rather than try and build some new system that essentially creates, I guess, what I would call the digital equivalent of the DMV for people to go through again. So I already went through a crappy process at the DMV, a few years ago. I'd like to reuse that rather than have to go through a new version of that at the GSA, just so I can engage in something involving a federal service. That's a way to, I think, get to not only better security, but also streamline the user experience so that I don't have to spend 15 or 20 minutes proving who I am. So from my perspective, the approach would have been Improving Digital Identity Act of moving through Congress is pushing would help solve this problem for GSA. So they don't have to build their own system. They can just leverage other tools that are out there that tie back to authoritative sources already.
Schwartz: Not rebuilding things from scratch, maintaining usability. I know usability is a big question that Anna has, as well.
Delaney: Definitely. I'm glad MFA fatigue attacks have been raised. Because this is my next topic. I recently moderated a roundtable on that very topic, tackling MFA fatigue attacks. And it became abundantly clear early on in the conversation that most of the organizations still have a lot of work to do, when it comes to deploying MFA where it's needed. Somebody said, well, this is a bit of a luxury even talking about MFA fatigue attacks. So what's your advice to help companies get to a place where MFA is deployed everywhere they want it to be?
Grant: I think, part of it is, break down where your risks are, and break down the different use cases and the populations of people and focus on those that are highest priority. So look, I see a lot of organizations where they're starting with something like FIDO security keys for privileged users. And where to lock down remote access. So the places where things could most likely go wrong, and where there's potentially the most consequences, and then, from there look to roll things out, to other users, to the extent that you can, but you don't basically need to tackle everything all at once. You can break things into parts. So, to be clear, this is where I get excited about passwordless with things like FIDO standards is we can deliver something that is not only much more secure, but also has a much better user experience. Nobody's going to yell at you, if you eliminate passwords from your organization. In fact, they'll probably carry you around on their shoulders and yell hurrah, hurrah, because that's a great thing that you can do. And I think there's certainly some good stories that are out there around how they've eliminated passwords, and it turns out that people are much happier with the IT department. But look, you can't necessarily focus on every user right away. There's always going to be, what I would call edge cases, corner cases, where something that you want to roll out for most people might not work. So I love my YubiKey and I'll carry it with me till the day I die, or who knows how long that will be. But there may be other solutions that work for other people as well. I think the most important thing is at least be able to lock down those highest risk accounts and highest risk use cases and instead of what to push other solutions out from there.
Delaney: Very good. This has been insightful as always educational. Jeremy, thank you so much. Just one more question. I know Jeremy that you're a bit of a song lyrics buff, so this shouldn't be too tricky for you. If I were to ask you to write a song on the theme of identity security, what would the title of that song be?
Field: Your Song by Elton John.
Delaney: Elton was a bit of a threat in the house.
Schwartz: I was thinking like, do we go with an established tune like, Don't Go Breaking My Heart. Or do we have something that we go with giant kittens with laser just shooting out of their head like two-factor reactor. I can see that being a real disco hit. But I thought I'd go with something a little more R&B, something a little more contemplative. Since YOU Authenticated.
Delaney: That's good. Very impressed. Jeremy?
Grant: I'm not singing but I was thinking if I was writing a song about the state of identity security would be called Why Do the Same Dumb Things Keep Happening to Me?
Schwartz: I am sure, there's a pickup truck and a dog in that one.
Grant: And a bottle of whiskey. But I do feel like when it comes to identity security, we have joke about this, because this is where I spend a lot of my job, or a lot of my career, I'd love to solve this stuff. It is the same dumb stuff happening year after year. Most of it tied to things like compromised passwords, and people aren't implementing MFA or the right kind of MFA. And, like, we know what the attackers are doing. We know how to solve this. And yet, we're singing this same sad song year after year. Most of the time you see these attacks, and the company comes out and goes, "oh, was a very sophisticated attack using cutting-edge techniques from a hostile nation state." And I'm like, well, that sounds defensible. How could you protect against that? And then it's like, "oh, yeah, we had a compromised password." And then they came in and escalated privilege. And I'm like, I've only seen that in about 300 incidences over the last 10 years. So why do the same dumb things keep happening to me? It would be nice if we solve this, and I could go do something else with the back half of my career. But I'll always still be happy to come and hang out with the ISMG crew to talk about this.
Delaney: I was going to say Always on My Mind, because this stuff is always on our minds. Jeremy, this has been a real pleasure for all of us. Thank you so much for joining the ISMG Editors' Panel.
Grant: Thank you. Appreciate it.
Schwartz: Thank you.
Delaney: Thank you so much for watching. Until next time.