CISA Director Urges Vendors To Adopt Multi-Factor Authentication

Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), recently wrote on her blog about touring the country during Cybersecurity Awareness Month to promote cybersecurity best practices, outline the precautions everyone can take to stay safe online, and stress the importance of enabling multi-factor authentication (MFA) on email, bank, social media, and any other accounts that hold sensitive information.

When MFA is enabled, an account can no longer be accessed with just a username and password: an additional factor must be presented before access is granted. Because passwords can be stolen or guessed, and phishing and brute-force attempts are on the rise, MFA is a critical control for data security. Despite its effectiveness at preventing unauthorized access, MFA adoption remains limited. Many companies offer customers the option of enabling multi-factor authentication rather than making it the default setting. The CISA Director believes companies should require customers to set up multi-factor authentication on their accounts. She points to the auto industry’s campaigns to encourage seatbelt use and suggests that companies adopt similar tactics to increase the use of MFA.

Easterly says a top provider has reported that approximately a quarter of its enterprise clients have deployed multi-factor authentication and, more concerning still, that only one-third of system administrators have MFA enabled on their accounts. The CISA Director clarified that while any form of multi-factor authentication is better than none, not all forms provide the same degree of security, and some are vulnerable to phishing. Recent phishing campaigns have bypassed more conventional MFA methods, including push notifications, authenticator applications, and one-time codes sent to mobile devices. She recommends phishing-resistant alternatives such as the FIDO Alliance’s. “A group of companies formed the FIDO Alliance to create a phishing-resistant form of MFA,” said Easterly. “They’ve been able to bake FIDO protocols into the operating systems, browsers, phones, and tablets that you already own. And FIDO is supported on dozens of online services. Organizations large and small are starting pilots and even completing their rollout to all staff.”
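The difference Easterly draws between a one-time code and a FIDO credential comes down to what the verifying service can check. The added example below (not from the blog post or from any FIDO Alliance code) contrasts a standard RFC 6238 TOTP check, which has no way to tell where the user typed the code, with a simplified WebAuthn-style assertion check, where the browser records the page origin inside the signed client data and the relying party rejects any origin other than its own. The secrets, the origin `https://accounts.example.test`, and the use of HMAC as a stand-in for the authenticator's private-key signature are all constructed assumptions.

```python
import hashlib, hmac, json, struct

# Constructed demo secrets; the authenticator key stands in for a real private key.
TOTP_SECRET = b"constructed-shared-secret"
AUTHENTICATOR_KEY = b"constructed-authenticator-key"
RP_ORIGIN = "https://accounts.example.test"  # the genuine relying-party origin

def totp(secret: bytes, t: int, step: int = 30) -> str:
    # RFC 6238: HMAC-SHA1 over the time counter, dynamic truncation to 6 digits.
    msg = struct.pack(">Q", t // step)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"

def verify_totp(submitted: str, t: int) -> bool:
    # The code carries nothing about which page the user typed it into.
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, t))

def authenticator_sign(challenge: str, page_origin: str) -> dict:
    # The browser, not the user, fills in clientData.origin from the page actually visited,
    # and the authenticator signs a hash of that client data.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin})
    digest = hashlib.sha256(client_data.encode()).digest()
    return {"clientData": client_data, "signature": hmac.new(AUTHENTICATOR_KEY, digest, hashlib.sha256).hexdigest()}

def verify_assertion(assertion: dict, issued_challenge: str) -> bool:
    cd = json.loads(assertion["clientData"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:  # origin binding: the phishing-resistant step
        return False
    digest = hashlib.sha256(assertion["clientData"].encode()).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, digest, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])

def compare_bindings(now: int, challenge: str) -> dict:
    # A TOTP code produced for a look-alike page is byte-identical to one for the real page.
    code_from_lookalike_page = totp(TOTP_SECRET, now)
    # An assertion produced while the browser is on a look-alike page carries that origin.
    lookalike = authenticator_sign(challenge, "https://accounts-example.test")
    genuine = authenticator_sign(challenge, RP_ORIGIN)
    return {
        "totp_accepted": verify_totp(code_from_lookalike_page, now),
        "lookalike_assertion_accepted": verify_assertion(lookalike, challenge),
        "genuine_assertion_accepted": verify_assertion(genuine, challenge),
    }
```

Only the assertion check can distinguish the look-alike origin from the genuine one; the TOTP check accepts the code regardless of where it was entered.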