Image: Walter Bibikow
The White House has an ambitious plan to greatly reduce the risk of phishing to the U.S. government. Part of that is having agencies phase out the use of SMS and app-based multi-factor authentication, and replace them with phishing-resistant methods such as hardware security keys.The move will be a significant task for the federal government, an Office of Management and Budget (OMB) official told Motherboard in a phone call. The OMB is part of the White House, and its phishing mitigations are part of a broader push from the OMB toward "zero trust" architectures, in which organizations protect themselves by not trusting any particular system, network, or service. Instead, zero trust systems verify any system, or person, trying to access the system. Fundamentally, you can't carry out those sort of measures if you don't already have strong confidence that the person logging into a government website or service is who they say they are, the official said. Hence the need for more protection against phishing.
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.
The OMB official explained that the type of phishing the organization is particularly worried about is automated, cheap, and scalable attacks. That is, services that can convincingly spoof real government websites and which can also harvest multi-factor authentication tokens from a victim. Those include one-time codes sent over text message, in an email, or which are displayed in an app, the official said.
All of these types of multi-factor authentication tokens can be phished or otherwise hijacked in some form. SIM swapping, where a hacker may trick or bribe a telecom employee into redirecting a victim's text messages to the hacker's own phone, is often the technique used to grab someone's password or login token. A phishing site can also request a user's code generated by apps such as Google Authenticator. More recently, some underground services have offered automated phone calls to victims that ask them to provide their one time passcodes too. The OMB official said that multi-factor authentication systems that rely on push notifications can also be phished, because the malicious site can trigger those pop-ups to appear and ask the victim to approve the login attempt.
Do you work in a government agency on cybersecurity? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email firstname.lastname@example.org.
What can't be phished, however, are things such as hardware security keys. The OMB recently published its draft Federal Zero Trust Strategy. That draft does not tell agencies what specific product to use for stronger multi-factor authentication, be that a Yubikey or Google Titan or anything else. Instead, it points to PIV [Personal Identity Verification] cards, as well as WebAuthn, a specification that allows the use of hardware security keys to log into websites. Agencies must enforce phishing-resistant multi-factor authentication at the application level for agency staff, contractors, and partners, the draft reads.It may be daunting to have so many different federal agencies, with so many of their own particular systems and infrastructure, all upgrade their multi-factor authentication mechanisms. The OMB official said the U.S. government does have an advantage here, though: it already uses PIV cards for employees to access buildings and some systems. Protecting against phishing may be, in some ways, extending that same principle to logging into more systems with a USB key. Of course this will involve updating agencies' infrastructure, distributing whatever card or key agencies decide on to individual users, and training everyone to use them too.OMB is also telling agencies to establish single sign-on (SSO) services. This is where rather than logging into a series of different sites one-by-one, a user authenticates with one overarching system, such as Okta, which then handles logins to the different services. Because some of these agencies are large, consolidating different identity systems is better from a security perspective overall by having fewer things to guard well, and can make enforcing multi-factor authentication easier, the official said. SSO is an area where usability and security are well aligned, the official added.As for what happens now, OMB will finalize a new version of the Federal Zero Trust Strategy document, before then working with agencies to implement and oversee the change."Strong authentication is a necessary component of a zero trust architecture, and MFA will be a critical part of the Federal Government’s security baseline," the draft reads.Subscribe to our cybersecurity podcast CYBER, here. Subscribe to our new Twitch channel.