The Password-less Journey Roadmap for Federal Government

It’s often said that technology deployments for federal agencies are a different animal. In fact, usually, that is not the case. Government agencies have the same needs, the same use cases and the same security concerns as any other entity with users and data to protect. But… the exception always proves the rule. While the rest of the world has been living with the consequences of a password-dependent life,

we folk in the public sector solved that problem way back in 2004

…. sorta.

Credential threats came early to the federal government. Long before phishing was “mainstream”, the federal government recognized the risks of relying solely on a password for data protection. In 2004, HSPD-12 was born and the whole of government moved (or attempted to move) to a password-less authentication scheme by leveraging the best technology available at the time, Public Key Infrastructure (PKI). PKI, coupled with a smartcard as the user’s tool (and the certificate’s delivery method), became the standard. It was a noble pursuit, and PKI was the best thing available at the time to deliver this capability and actually make it come to pass.

Fast forward 16 years and the government is still using smartcards and still struggling to use them.

PKI, it turned out, was really, really expensive to deploy and even more expensive to maintain, yet the government continues to shovel money into this insatiable hole. The smartcard form factor, and its “plumbing”, also hasn’t aged well.

It has been super hard to get these things to work with mobile devices (nearly every access device is now mobile) and cloud-based applications (cloud adoption has grown and continues to accelerate). As we look to offload some of the IT weight to the identity owners (federation), we’ve discovered that federating PKI is brittle and monumentally expensive.

Thankfully technology never stands still.

While the government has struggled with its passwordless journey over the last 16 years, the commercial world, worn down by credential breach after credential breach after relying for years on the password as the only thing standing between an attacker and its data, finally cried uncle. From this pain, WebAuthn, among other authenticators, was born.

What is Web Authentication?

For those who don’t know, WebAuthn is an open standard that takes human-focused authentication to the next level. It still leverages the PKI we know and love, but does so in a transparent, “behind the scenes” way. It works more like TLS/SSL than the standard PKI we’ve been using in the public sector for the past 15 years. This means it has all the strengths of the strong authentication we’ve been working towards without the residual side effect of poor user experience. That better experience covers not only day-to-day use but also does away with the painful current experience of on-boarding and off-boarding users from an authentication system.

For those of us who pay attention to what NIST is doing and thinking, it’s encouraging that they have started putting out the feelers on SP 800-63-4. If you remember, 800-63-3 was a bridge to modern authentication, with references and guidance on technologies such as FIDO and U2F. WebAuthn (part of FIDO2) is the next step in that journey, and I for one will be looking to NIST to help move us closer to realizing this dream within a dream.

Duo Security is “all in” on WebAuthn and is also helping agencies map out a path to get to this next plateau of enlightenment of authentication. We’ve published quite a few resources to help on this journey, including some well written thoughts from my Advisory CISO co-conspirators Dave Lewis and Wolfgang Goerlich.

Recommended Reading

What is WebAuthn?

What does WebAuthn look like?

So you like what you see? How do I do the WebAuthn dance?

Now, what are all of the questions you didn’t know you needed to ask?

As you can see, we’re all super passionate about finally killing the password.
