For the national security workforce, COVID-19 has been destabilizing and transformative. In addition to the personal hardships, Pentagon employees have had to adjust to completely new ways of working. For many, it is the first time they have been able — or in some cases forced — to work from home.
In response to the pandemic, the Department of Defense — an agency with millions of employees whose work requires access to sensitive data — has invested heavily in enhancing its ability to support remote work. Part of this effort has been a significantly increased reliance on multifactor authentication, or MFA, to secure the work devices of employees operating in a distributed environment. Any cybersecurity expert will tell you that MFA is crucial to securing the U.S. government’s investment in remote working capabilities.
Yet there is risk here: Some of the current solutions being explored to enable distributed work environments — most notably mobile-based MFA — are plagued by security, cost and user experience concerns when utilized in a remote working environment.
For defense employees and contractors to access government applications and services through mobile-based MFA, they currently have two options: use a government approved and issued device (a “work phone”), or use a personal device.
Both of these scenarios present their own set of issues.
Scaling government-issued mobile devices would require agencies to substantially increase the number of smartphones they purchase in order to field devices in the required numbers. On the other hand, allowing employees to use their personal devices presents potential security concerns: inadequately secured personal devices give attackers an additional surface through which to reach secure systems.
There are other reasons not to support the use of mobile-enabled MFA. Experts agree that SMS/OTP — text message verification codes — do not provide high-grade authentication security.
A recent IBM report examined 500 hacks of organizations and found that the vast majority of these breaches were the result of compromised employee accounts, some of which were the result of less secure methods of MFA utilizing SMS or mobile phone applications. Costs from these attacks averaged nearly $4 million per company, and costs associated with a lost phone — measured by losses in productivity and replacement costs — add even more unplanned expenditures.
One promising solution is the public key infrastructure, or PKI, framework. The public key certificates issued under PKI provide digital signature and encryption capabilities that deliver identification and authentication, data integrity, and confidentiality.
PKI technology is widely deployed across the DoD in the form of common access cards, or CACs. In addition to functioning as an ID card, a CAC grants access to computers and relevant networks through MFA via a password-and-CAC combination. Whether they know it or not, every defense employee — both military and civilian — uses a PKI-enabled CAC every time they log on to their government computer.
In a remote work environment, however, the CAC falls short because it requires a smart-card reader to enable the device to accept the user’s security certificates. Fielding a smart-card reader for every employee to use at home would be prohibitively costly and logistically complicated.
Luckily, there are alternatives to CACs that rely on the same PKI technology. These devices provide high levels of security and are quickly and easily deployable. In fact, the DoD has approved the use of various non-CAC PKI technologies on both low- and high-side platforms.
As the DoD continues to try to find the right answer when it comes to secure and efficient MFA technology, it should give a second look to some of the PKI devices out there that it has already approved for use on its systems. These technologies are proven to be secure and can be scaled rapidly to meet demand.
Jeff Phillips is the vice president of the public sector for the IT security firm Yubico.