Federal agencies and cyber authorities are trying to advance a yearslong effort to modernize and adopt identity and access authentication with phishing-resistant technologies.

Federal officials gathered with industry executives Monday to discuss the benefits and include more commercially available versions of authentication into federal environments. The conversations were guided by an early 2022 mandate for all federal agencies to support and adopt phishing-resistant multifactor authentication before October 2024.

“How we prove who we are online is one of the cornerstones of providing a positive, intuitive and trusted digital experience,” Federal CIO Clare Martorana said at the event, according to a White House readout.

Officials from the National Security Council, the Cybersecurity and Infrastructure Security Agency, the Office of the National Cyber Director and Office of Management and Budget explored how the federal government’s cybersecurity policies can better support modern MFA adoption across government and critical infrastructure.

“You need more than a password to stay safe online — and that’s where MFA steps in to ensure your data is better protected against malicious cyber actors,” CISA Executive Director Brandon Wales said. “CISA has consistently urged organizations to implement MFA for all users to ensure any critical data is harder to access.”

Phishing-resistant versions of MFA are key as threat actors routinely evade MFA that relies on text or email-based one-time passcodes. Phishing-resistant MFA relies on cryptographic techniques such as passkeys, biometrics, the WebAuthn specification and the FIDO2 standard.

The collective push and looming deadline to broaden phishing-resistant MFA adoption underscores the government’s need to play catch up as it reviews newer commercially available versions of the technology.

“The push for MFA within the federal government is not new. However, the adoption and use of MFA by public-sector entities has lagged behind private sector counterparts,” Brandon Pugh, director of cybersecurity and emerging threats at the R Street Institute, said via email.

“MFA is not a full cybersecurity solution, but it is an important and effective element of it. The federal government should learn about and consider best practices and solutions already available in industry spaces,” Pugh said.

Legacy systems remain a hurdle to government agency adoption of newer technologies, but MFA has evolved to include more accessible protocols that meet stringent authentication requirements.

“It’s really those legacy things that will take the most amount of time and those are multiyear projects,” said Chester Wisniewski, field CTO of applied research at Sophos. “Within 12 to 18 months the majority of it should be done, and if it’s not done there should be a lot of questions asked.”

The good news, according to Wisniewski: “The MFA that the government's mandating is almost 100% phish proof because you can't just be tricked into surrendering something.”

The bad news is, while this solves the phishing problem, it does not solve the identity problem entirely because cookies can still be stolen for web apps, Wisniewski said. 

Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger closed out the event calling MFA a personal priority.

“If there are barriers that government policies are placing on your ability for customers to adopt MFA and securely do business, we want to know about those,” Neuberger said. “It’s clearly critical to protecting sensitive data and it’s our collective responsibility.”