Defense Department urged to expedite incorporation of antiphishing authentication technologies
Defense Department Pushes Ahead with Phishing-Resistant Authentication, Urged by Congress
The Defense Department is making strides in modernizing its Identity, Credential, and Access Management (ICAM) ecosystem, focusing on phishing-resistant authentication methods. This push comes as both the House and Senate urge the department to expedite the adoption of these advanced security measures [1][3].
The department's new authentication platform, myAuth, is designed to replace the legacy DS Logon system. myAuth supports Common Access Card (CAC) authentication and includes Okta FastPass, a phishing-resistant authenticator that Okta positions at Authenticator Assurance Level 3 (AAL3) [2].
Okta, a key player in the ICAM ecosystem, is committed to promoting interoperability and has pursued both FedRAMP High and DoD IL4/IL5 authorizations simultaneously, streamlining the process and maximizing efficiencies by leveraging compliance documentation across both programs [4].
The House has expressed concern over the Defense Department's slow progress in retiring legacy IT security practices vulnerable to phishing attacks. The Senate Armed Services Committee acknowledges that few approvals for new multifactor authentication technologies have successfully made it through in the Defense Department [6].
One reason for this delay is the DoD's requirement for additional authorizations for systems that handle mission-critical data. Many MFA providers in the ICAM industry are Software-as-a-Service (SaaS) platforms, which must obtain DoD impact-level authorizations (IL4/IL5) on top of FedRAMP before they can carry that data; this extra step may have delayed the DoD's adoption of these technologies compared to civilian agencies [7].
In contrast, civilian agencies continue to rely heavily on training and periodic phishing exercises alongside existing MFA solutions but may not have uniformly implemented the most phishing-resistant technologies like FIDO/WebAuthn at scale yet [4]. The Defense Department's approach is more focused on technically robust authentication methods that reduce phishing risk at a protocol level rather than through user education alone [1][3].
However, attackers continue adapting and look for ways around even phishing-resistant mechanisms. The most common route is a downgrade: rather than breaking the FIDO/WebAuthn origin binding itself, the attacker pushes the user or the service onto a weaker fallback factor such as a one-time code or a push notification. Such methods remain far less effective against properly implemented passkey-based systems, in particular where weak fallbacks are disabled [5].
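The two points above, protocol-level phishing resistance and the downgrade fallback, can be seen in a relying party's own verification code. The example below is added here and is not code from the Defense Department, Okta, or any source cited on this page. It assumes a hypothetical relying party at https://login.example.mil, hand-constructs the clientDataJSON and authenticatorData a browser and authenticator would produce (no real traffic), and uses made-up factor-class names; the signature check over the signed payload is left to the stored credential public key and is not performed.

```python
"""Why FIDO/WebAuthn resists phishing, and why fallback factors undo it.

Constructed example. The relying party (RP) login.example.mil and the
assertions built below are hypothetical, not captured from any real system.
"""
import base64
import hashlib
import json

RP_ID = "login.example.mil"               # assumed RP ID (hypothetical)
RP_ORIGIN = "https://login.example.mil"   # the only origin the RP accepts

# Assumed factor classes for the policy gate; names are illustrative only.
PHISHING_RESISTANT = {"webauthn", "cac_piv"}
WEAK_FALLBACKS = {"sms_otp", "totp", "push"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion(origin: str, rp_id: str, challenge: str) -> dict:
    """Model what a browser plus authenticator produce for a login ceremony.

    The browser fills in `origin` itself and the authenticator hashes `rp_id`
    into authenticatorData; neither value comes from the user, and both end up
    under the signature. A lookalike site therefore gets an assertion bound to
    its own origin, which the real RP rejects.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    # authenticatorData = rpIdHash (32) || flags (1, UP+UV set) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")
    return {"clientDataJSON": b64url_encode(client_data),
            "authenticatorData": b64url_encode(auth_data)}


def signed_payload(assertion: dict) -> bytes:
    """The bytes the authenticator's signature covers: authData || SHA-256(clientDataJSON)."""
    return b64url_decode(assertion["authenticatorData"]) + hashlib.sha256(
        b64url_decode(assertion["clientDataJSON"])).digest()


def verify_assertion(assertion: dict, expected_challenge: str) -> tuple:
    """RP-side checks on clientDataJSON and authenticatorData. Returns (ok, reason)."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    auth_data = b64url_decode(assertion["authenticatorData"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replayed or stale assertion)"
    if client_data.get("origin") != RP_ORIGIN:            # the phishing-resistance check
        return False, "origin mismatch: %s" % client_data.get("origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # Remaining step (not done here): verify the signature over signed_payload()
    # with the public key stored for this credential at registration.
    return True, "ok"


def authenticate(factor: str, assertion: dict = None, expected_challenge: str = None) -> tuple:
    """Policy gate. Refusing weak factors is what defeats the downgrade attack:
    a 'use a text code instead' prompt has nothing to fall back to."""
    if factor in WEAK_FALLBACKS:
        return False, "factor %s not allowed: phishing-resistant factors only" % factor
    if factor not in PHISHING_RESISTANT:
        return False, "unknown factor"
    if factor == "webauthn":
        return verify_assertion(assertion, expected_challenge)
    return True, "ok"


# Constructed demo: a legitimate login and one relayed through a lookalike host.
CHALLENGE = b64url_encode(b"server-random-challenge-0001")
LEGIT = build_assertion(RP_ORIGIN, RP_ID, CHALLENGE)
# An adversary-in-the-middle proxy forwards the real challenge, but the victim's
# browser signs the proxy's origin (and would refuse to use the real RP ID from it).
PHISHED = build_assertion("https://login-example.mil.evil.test",
                          "login-example.mil.evil.test", CHALLENGE)

if __name__ == "__main__":
    print("legit  :", authenticate("webauthn", LEGIT, CHALLENGE))
    print("phished:", authenticate("webauthn", PHISHED, CHALLENGE))
    print("downgrade to SMS:", authenticate("sms_otp"))
```

The origin and rpIdHash checks are what make the mechanism phishing-resistant at the protocol level: the relayed assertion carries the proxy's origin, so it fails before any signature is examined. The policy gate is the part that closes the downgrade route; an otherwise correct WebAuthn deployment that still accepts SMS or push as an alternative leaves the phishing path open.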
To address this, the Senate version of the defense bill requires the Defense Secretary to develop a strategy to ensure phishing-resistant authentication is used by all personnel of the DoD. The strategy must include an action plan for the deployment of phishing-resistant authentication across the department and retirement of legacy authentication tools by the end of fiscal 2027 [8].
The House Armed Services Committee is not aware of commensurate progress in the Defense Department in adopting phishing-resistant multifactor authentication (MFA). myAuth, with its compatibility with CAC authentication and inclusion of Okta FastPass, is a step towards addressing these concerns [2].
Sources:
[1] Nextgov
[2] Okta
[3] Federal News Network
[4] CyberScoop
[5] CyberScoop
[6] Nextgov
[7] Nextgov
[8] Nextgov
With myAuth incorporating Okta FastPass, a phishing-resistant authenticator positioned at AAL3, alongside CAC support, the department has a concrete platform for the phishing-resistant authentication both the House and Senate have urged it to adopt faster. Whether it meets the Senate bill's fiscal 2027 target for retiring legacy authentication tools will depend on how quickly myAuth is rolled out across the department.