FIDO Alliance releases U.S. government adoption guidance on FIDO authentication

By admin
Many federal agencies have been using FIDO authenticators to enable secure access to systems for a variety of use cases. However, they have been deployed in varied configurations and there was a lack of guidance on how to implement the credentials. With the release of a new whitepaper, FIDO Alliance Guidance for U.S. Government Agency Deployment of FIDO Authentication, federal agencies who are looking to issue FIDO-based, phishing-resistant multi-factor authentication (MFA) solutions, such as the YubiKey, to augment existing Smart Card credentials, have some help.

In collaboration with government and industry leaders, Yubico partnered with the FIDO working group to provide guidance to help agencies wanting to deploy FIDO authenticators as a phishing-resistant technology. The whitepaper highlights areas where FIDO offers the best value to address U.S. government use cases as an enhancement of existing infrastructure, while minimizing rework, as agencies advance their Zero Trust strategies with phishing-resistant authentication tied to enterprise identity. Additional important highlights include:

Review of the policy and guidance that enables the use of FIDO technology

A look at what agency actions need to take place before deploying FIDO, including adopting single sign-on (SSO), implementing a Digital Identity Risk Assessment Process, and implementing an integrated identity lifecycle management program.

Review of the FIDO-specific architectural considerations and recommended agency actions

Details of the user journey for someone using a FIDO credential

Discussion of lessons learned from previous FIDO implementations

The U.S. government has been emphasizing the importance of using only phishing-resistant MFA for almost two years, dating to the January 2022 publication by the White House Office of Management and Budget (OMB) of Memorandum 22-09. While this OMB policy enables the use of authenticators that use the phishing-resistant FIDO2/WebAuthn standards, many agencies have been lacking guidance on how to actually deploy and manage them in a PKI-centric ecosystem. That’s where this new guidance will help.

The document will help agencies seeking to deploy YubiKeys to employees and contractors as an additional authenticator alongside Personal Identity Verification (PIV) and Common Access Card (CAC), as well as those looking to issue YubiKeys to personnel who are not PIV or CAC eligible. This is the first in a series of documents the FIDO Alliance plans to release to support federal agency deployments.

——

To read the full whitepaper from the FIDO Alliance, visit here. See how modern security is helping the Federal Government battle rising cyber threats in our new infographic here.