August 22, 2023

Today, we sit down with Bryan Rosensteel from Ping Identity to have him share insight on some of the wording on the OMB 22-09 memorandum from January 26, 2022. Part of its recommendations are to move to strong authentication. Some think that MFA comes under the rubric of “strong.” Bryan gives some examples of how MFA can be overcome.
Everyone reading this has had the experience of logging into a site and being sent a six-digit number. This is one way to apply multifactor authentication to identity management. However, malicious actors can use a man-in-the-middle technique: they emulate the website, and the victim hands over the six digits needed.
Bryan details what happens in something called “MFA fatigue.” An attacker may use a script to repeatedly send your phone some kind of verification message. In true human fashion, you may get sick and tired of the messages and just accept them. Et voila, they are in your system.
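As an added illustration of the defender's side of the "MFA fatigue" pattern described above (this is not code from the interview, Ping Identity, or the podcast), the following detector runs over constructed MFA push log lines and flags two things: a user who receives more push prompts than a threshold within a time window, and an approval that arrives after repeated denials or expirations. The log format, event names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp, user, push event.
# "alice" is bombed with six pushes in under two minutes, denies three,
# then finally approves; "bob" is a normal single-push login.
SAMPLE_LOG = """\
2023-08-22T09:00:00Z alice PUSH_SENT
2023-08-22T09:00:04Z alice PUSH_DENIED
2023-08-22T09:00:10Z alice PUSH_SENT
2023-08-22T09:00:15Z alice PUSH_DENIED
2023-08-22T09:00:20Z alice PUSH_SENT
2023-08-22T09:00:50Z alice PUSH_EXPIRED
2023-08-22T09:01:00Z alice PUSH_SENT
2023-08-22T09:01:10Z alice PUSH_SENT
2023-08-22T09:01:20Z alice PUSH_SENT
2023-08-22T09:01:30Z alice PUSH_APPROVED
2023-08-22T09:05:00Z bob PUSH_SENT
2023-08-22T09:05:06Z bob PUSH_APPROVED
"""


def parse_line(line):
    """Split one log line into (datetime, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_push_bombing(log_text, max_pushes=5, window=timedelta(minutes=10),
                        max_denials=3):
    """Return a list of (user, timestamp, reason) alerts."""
    recent = defaultdict(deque)   # user -> timestamps of recent PUSH_SENT
    denials = defaultdict(int)    # user -> denied/expired pushes since last approval
    alerts = []
    for line in log_text.splitlines():
        ts, user, event = parse_line(line)
        if event == "PUSH_SENT":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop pushes outside the window
                q.popleft()
            if len(q) == max_pushes + 1:      # fire once when the threshold is crossed
                alerts.append((user, ts, "push flood"))
        elif event in ("PUSH_DENIED", "PUSH_EXPIRED"):
            denials[user] += 1
        elif event == "PUSH_APPROVED":
            # An approval right after a string of denials is the fatigue signature
            if denials[user] >= max_denials:
                alerts.append((user, ts, "approval after repeated denials"))
            denials[user] = 0
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

In practice the same two signals can also drive a control rather than just an alert, for example suspending further pushes for that user until a helpdesk check, or requiring a number-matching prompt instead of a plain approve button.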
" . . . we're gonna build that trust, we're gonna give them this trusted credential that they can use to establish themselves during authentication, and bring them into applications"
Bryan Rosensteel, Ping Identity
During the interview, Bryan Rosensteel applies his considerable federal experience in identification to help you understand where basic MFA can be applied and when to move on to more appropriate methods of identification.
Instead of a mere six-digit code, you may want to use a physical device like a CAC card to prove your identity. In cases like phone access, where cards are not practical, you can take it to the next level. A person seeking identity verification can also be assessed by contextual signals: where they are, what kind of connection they are using, whether they are on their usual device, and even the time of day.
Federal systems are attacked every day, so it is best to understand the options available, including the variations on "strong" verification.
If you enjoyed this article, you may want to listen to Ep. 84 Is the API the Network?

John Gilroy
John Gilroy appeared on National Public Radio in Washington DC for 25 years. He has written 523 technology columns for The Washington Post. Currently, John is an award-winning lecturer at Georgetown University. Forgot to mention — he has recorded over 1,000 podcast episodes.