Okta Helps Federal Agencies Easily Deploy Phishing-Resistant MFA

A recent report from the Anti-Phishing Working Group (APWG) revealed phishing attacks for the first quarter of 2022 exceeded one million—the highest on APWG record. As attacks increase, it’s reasonable to expect targeted phishing attacks to increase as well. 

The U.S. government is defending itself against this growing threat via mandates and legislation designed to improve cybersecurity efforts. For example, the Office of Management and Budget (OMB) recently released a Federal Zero Trust Strategy (OMB M-22-09), designed to support Executive Order 14028, "Improving the Nation's Cybersecurity."

One of the main priorities outlined is the implementation of phishing-resistant multi-factor authentication (MFA) capabilities for workforce and customer experiences. Federal agency CIOs are under pressure to ensure their cyber defenses meet this objective by the end of Fiscal Year 2024.

How Okta delivers phishing-resistant capabilities

At Okta, we support the two major phishing-resistant authenticators described in OMB M-22-09: Personal Identity Verification (PIV) and Web Authentication (WebAuthn). This capability aligns agencies with OMB M-22-09's MFA requirements, which state that public-facing agencies must implement phishing-resistant authentication methods by January 2023. To provide this capability, OMB requires "support for Web Authentication-based approaches, such as security keys."

Okta’s support for FIDO2 Web Authentication (WebAuthn) follows the FIDO2 standard that allows users to leverage security keys and biometric data (fingerprints, facial recognition, etc.) to authenticate their identity. Once WebAuthn is enabled for your users, an administrator can adjust the user verification policy to allow for WebAuthn-enabled MFA. 

Our second feature, the Smart Card IdP, supports the NIST SP 800-63 requirement regarding verification. NIST states that all services interacting with the general workforce, and internal agency systems accessed by outside employees and contractors, are accessed only by users who "hold a valid government-issued credential, primarily the Personal Identity Verification (PIV)."

This smart card functionality also allows end users to replace usernames and passwords with a federal smart card, often a Personal Identity Verification (PIV) card or Common Access Card (CAC).

Additional resources

As agencies become more security conscious with the proliferation of remote work and secure their networks to meet White House guidelines, their authentication methods must not be susceptible to phishing attacks.

For more details on implementing phishing-resistant MFA with Okta, please see these technical documents: