US NSA releases guide to multifactor solutions

By Dylan Bushell-Embling
Thursday, 24 September, 2020

The US National Security Agency (NSA) has released new guidance on selecting and safely using multifactor authentication (MFA) solutions for government systems.

The guide for National Security System, Department of Defense and defence industrial base users is designed to help end users more securely select and use MFA capabilities.

According to the NSA, while it has been provided for government agencies, the guidance may be useful for broader audiences.

The information sheet reviews commonly used MFA mechanisms against National Institute of Science and Technology standards.

According to the guidance, factors that should be considered when evaluating an MFA solution include whether it adequately protects authenticators from common exploitation techniques, whether communications among components of the standard are adequately encrypted, and whether the solution provides support for managing the life cycle of digital identities and authenticators.

The agency is advising that multifactor authentication solutions should always be used with government-furnished equipment. Where possible, agencies should select a solution that is managed and intended for government use only.

If this is not feasible, agencies should use a temporary secure operating system or, failing that, create a separate user account with low privileges for only work use.

The guidance adds that agencies should be careful to ensure all components of the authentication solution are securely integrated into their servers, and to train all end users in the use of the solution selected.

Image credit: ©stock.adobe.com/au/bestforbest