The Fast Identity Online Alliance wants more buy-in from government to move forward with creating detailed guidance for implementing its phishing-resistant authentication standard targeted at federal agencies, according to stakeholders who participated in the development of an initial white paper.
"We appreciate and want government participation to get that practical insight and perspective” on how to establish a framework for FIDO authenticator implementation in the U.S. government, working group co-chair Teresa Wu said at a Tuesday event hosted by the FIDO Alliance.
The FIDO Alliance published a white paper in October on deploying FIDO access credentials in the federal identity ecosystem. Wu, vice president for identity solutions company IDEMIA, co-chaired the working group who developed the paper and is leading the effort to provide further guidance.
Teresa Wu, Vice President of Innovation and Client Engagement, IDEMIA
Wu participated in a discussion alongside other working group members MITRE’s Tom Clancy, Venable’s Zack Martin, LC&J Security Solutions’ Lisa Palma and Yubico’s Joe Scalone.
Clancy said the white paper represents “the first deliverable” from the government working group, emphasizing that the FIDO Alliance is committed to doing more to help the federal government deploy the authentication standard.
Wu added future workstreams will be aimed at gathering input from federal agencies on what else is needed.
The working group members said their next engagements will include educating U.S. government officials, promoting the white paper, developing additional documentation and organizing an in-person workshop in January to gather feedback.
The FIDO standard is discussed in the Office of Management and Budget’s zero trust strategy as an alternative to using the government’s Personal Identity Verification standards for multifactor authentication. As part of the strategy, OMB is requiring federal agencies to implement phishing-resistant MFA by the end of fiscal 2024.
The white paper was developed in response to a request from OMB and the Cybersecurity and Infrastructure Security Agency, according to the working group members.
The PIV standard was designed as an identity credential for physical access control and digital authentication in certain settings, Wu explained, describing it as a “very versatile identity credential.”
PIV is standardized for use by federal employees and contractors who need access to federally controlled facilities, applications and information systems in the National Institute of Standards and Technology’s Federal Information Processing Standard 201-3.
Clancy said FIDO authentication is meant to be a “complementary architecture” to use when PIV is not accessible, such as for some government contractors and in cloud environments.
Palma clarified that the FIDO standard is specifically designed to meet the OMB’s requirement for phishing resistance, providing an alternative credential for certain cloud services and for other types of technology that cannot use PIV authentication, as well as for users who only need interim or temporary access credentials. Palma added the FIDO Alliance is not trying to replace PIV or provide physical access controls. -- Jacob Livesay (jlivesay@iwpnews.com)