Identity and access management guidelines from CISA and NSA.
By Tim Nodar, CyberWire senior staff writer
Oct 6, 2023

NSA and CISA offer some advice for organizations negotiating the trade-offs involved with single sign-on.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released guidance on addressing challenges related to identity and access management, Nextgov reports. The guidance focuses on “technology gaps that limit the adoption and secure employment of multifactor authentication (MFA) and single sign-on (SSO) technologies within organizations.”

The trade-offs involved with single sign-on.

The agencies offer the following recommendations for organizations to address the trade-off between SSO functionality and complexity:

  • “Research into the development of a secure-by-default, easy to use, SSO system to address these gaps in the market. For example: Relying Party vendors could provide security configuration recommendations and their impact. Additionally, management of lifetime tokens such as ID token, Access Token, and Refresh Token should come with a reasonable secure default value which prevents abuse scenarios.”
  • “IAM Vendors can aid in the detection of insecure implementations of identity federation protocols and work with the ecosystem to build awareness around these issues as well as improve the adoption of more secure uses of standards.”

Concerns about MFA employment.

Eduardo Azanza, CEO at Veridas, sees the guidelines as a call for stronger authentication techniques. “CISA and NSA’s new guidelines raise concern around the ability for organizations to securely employ Multi-Factor Authentication (MFA) technologies. These guidelines underscore the need for organizations to establish stronger authentication methods,” he wrote in emailed comments.

Among the technologies available are various biometric modalities. “Considering these guidelines, businesses must pivot toward integrating biometric authentication, such as facial or voice recognition, into their MFA process. Facial and voice recognition offer a multifaceted solution that addresses both security and user experience concerns,” Azanza said. They are a convenient yet highly secure means for users to verify their identity without the need for external validation codes or passwords, which often lead to frustration among individuals.

And, he adds, vendor selection remains important. “However, it is important for businesses to choose vendors that are in alignment with certifications such as NIST, which evaluates the quality and security of their technologies. With the best biometric technology, businesses can significantly improve their MFA methods and overall improve their cybersecurity posture.”