US CISA Official: 'Forcefully Nudge' Users to Adopt MFAMFA Is the Internet Equivalent of Seat Belts in Cars, Jen Easterly Tells Conference
The time for customer coddling over multifactor authentication must end, top U.S. government cybersecurity officials told an industry audience.
Security practitioners have long touted multifactor authentication, in which anyone logging onto a system must present additional evidence of legitimacy besides a password, such as a one-time code. Especially when tied to a hardware fob, multifactor makes it significantly harder for hackers to penetrate systems. But years - now turning into decades - of MFA evangelism haven't translated into widespread adoption.
For Cybersecurity and Infrastructure Security Agency Director Jen Easterly, there's an available solution: Make multifactor the default option, rather than a consumer choice.
Easterly said vendors should "forcefully nudge" users into MFA and offer a more complete feature set for users who want it. The audience she spoke to was receptive: Easterly delivered a prerecorded video address Monday to nearly 500 people in Seattle for a FIDO Alliance conference. The alliance is an industry association whose unofficial motto is "Kill the password."
She said industry leaders should learn from auto industry campaigns in the late 20th century that got more drivers and passengers to wear seat belts.
"We need seat belts and airbags that are built in, not aftermarket add-ons," Easterly said. "MFA is the seat belt of the information superhighway. Vendors should care because safety and reputation are intertwined, and safe by default and safe by design is good for strategic and reputational growth. Let's move the responsibility of staying safe away from customers to our incredibly capable vendors."
Easterly also called for "radical transparency," saying vendors should publish MFA uptake adoption numbers, particularly for privileged users such as system admins.
Microsoft is one of the only companies that has published information about MFA usage, said CISA Senior Technical Adviser Bob Lord, who attended the conference in person. The Seattle-area software giant found that just 1 in 5 users had adopted MFA. Lord compared the situation to seat belts during the 1970s, which at the time were available in most vehicles yet were only being worn by a minority of drivers and passengers.
"Availability is not enough," Lord said. "We see far too many organizations failing in part because they have no idea they need to do MFA. And that's because they don't have something that is nudging them in the right direction."
Vendors should automatically produce monthly reports for their customers that detail trends around MFA adoption and point a finger at senior management users who are dragging their feet, Lord said. CISA also wants to ensure customers aren't being charged more for security features such as logs or single sign-on, which Lord said should be built in to maximize safety rather than treated as luxury goods.
"We want to shift the burden to the organizations that are best positioned to really drive improvements," Lord said. "What would it look like for my organization to take real ownership of the security outcomes of all of my valued customers?"