Credential phishing remains a formidable threat to organizations worldwide, with malicious actors often relying on tricking individuals into voluntarily revealing sensitive login information. Recent years have seen a surge in Multi-Factor Authentication (MFA) bypass attacks, where threat actors exploit weaknesses in outdated MFA methods like SMS codes, authenticator apps, and push notifications. These methods, while better than no MFA, are increasingly vulnerable to modern threats.
Recognizing this vulnerability, the U.S. Department of Agriculture (USDA) has taken significant strides toward safeguarding its workforce against phishing attacks. Partnering with the Cybersecurity and Infrastructure Security Agency (CISA), the USDA has released a case study detailing its deployment of Fast Identity Online (FIDO) authentication for approximately 40,000 staff members. This initiative marks a critical milestone in strengthening phishing-resistant MFA capabilities across the federal government.
The Challenge of Legacy MFA
Legacy MFA methods often fail to prevent determined attackers. Social engineering techniques enable bad actors to manipulate individuals into sharing not just usernames and passwords but also the secondary verification codes or push approvals needed to access accounts. This gap in security necessitates a move toward phishing-resistant MFA solutions.
USDA faced unique challenges that required innovative solutions. With over 130,000 employees, the department’s workforce includes seasonal and lab-based staff who cannot use traditional Personal Identity Verification (PIV) cards. These cards, the federal standard for authentication, are unsuitable for some environments, such as labs requiring decontamination processes that would damage PIV cards.
FIDO: A Secure, Phishing-Resistant Solution
USDA turned to FIDO authentication to address these challenges. Unlike traditional MFA, FIDO leverages cryptographic keys stored on user devices, eliminating the need for passwords and providing robust protection against phishing. Even if an employee inadvertently provides their credentials, the attacker cannot bypass FIDO’s strong cryptographic safeguards.
This transition is part of USDA’s broader strategy to align with the U.S. government’s Zero Trust Cybersecurity Principles. By enabling FIDO authentication through centralized Identity, Credential, and Access Management (ICAM) systems, USDA has created a scalable solution that integrates with Single Sign-On (SSO) platforms and hybrid cloud identity solutions, such as Microsoft Entra ID.
Innovative Use Cases
USDA’s adoption of FIDO has proven particularly effective in two scenarios:
- Seasonal Employees: Previously, seasonal workers without PIV cards relied on user IDs and passwords, a practice deemed too risky in light of evolving phishing tactics.
- Lab Environments: Employees in labs requiring decontamination procedures needed a solution that could withstand these processes. USDA piloted FIDO-enabled security keys designed to endure harsh environments while maintaining robust security.
Through its centralized ICAM system, USDA was able to incrementally deploy FIDO authentication across its ecosystem, protecting over 600 applications. The implementation included key services such as Windows desktop logon, Microsoft 365 access, Virtual Private Network (VPN) connections, and SSO-based applications.
Key Takeaways from USDA’s Success
USDA’s journey offers invaluable lessons for organizations striving to enhance their cybersecurity posture:
- Centralization is Key: By consolidating IT infrastructure, support, and security operations under a single authority, USDA streamlined its ability to deploy phishing-resistant MFA solutions efficiently. Centralized SSO platforms and hybrid cloud identity solutions were instrumental in this process.
- Incremental Improvements: USDA’s philosophy of “always be piloting” allowed for continuous innovation. By conducting small-scale pilots, the organization identified potential challenges and refined its approach before broader implementation.
- Phishing Resistance Matters: The USDA’s reliance on FIDO demonstrates the necessity of modern MFA solutions. Legacy methods such as SMS or push notifications are no longer adequate against sophisticated phishing attacks.
- Tailored Solutions for Unique Needs: USDA recognized that one size does not fit all. Their deployment of FIDO security keys for lab workers and other non-traditional use cases underscores the importance of flexibility in authentication strategies.
Results: Phishing-Resistant MFA at Scale
By integrating FIDO with its SSO platform and hybrid cloud identity solution, USDA enabled phishing-resistant authentication for over 600 applications. Key use cases included:
- Windows desktop logins
- Microsoft 365 access
- VPN authentication
- Single Sign-On (SSO)
Additionally, USDA introduced a centralized HR application as the authoritative source for identity lifecycle data. This automation streamlined credential provisioning and deprovisioning for employees, enhancing both security and efficiency.
Why This Matters
Credential phishing remains a leading attack vector, with legacy MFA often failing to protect against bypass attempts. Solutions like FIDO and public-key infrastructure (PKI) are critical to countering these threats.
USDA’s example demonstrates that transitioning to phishing-resistant MFA is both achievable and essential. By leveraging modern technologies and fostering a culture of continuous improvement, organizations can significantly reduce their risk of compromise.
