Cybersecurity standard
Experts Believe Administrator System is Necessary for Cryptography-Based Security
Several industry leaders have expressed concerns about a Biden administration executive order that seeks to replace passwords with cryptographic keys. One of the main concerns is the lack of a single governing body that would oversee login credentials.
Silas Calhoun, chief of the Department of Defense’s identity credential and access management division, said the agency is looking at how to centralize and manage identity information. Speaking at an Advanced Technology Academic Research Center-sponsored webinar about the Fast Identity Online Alliance system, Calhoun shared that there is no centralized infrastructure for non-Public Key Infrastructure security platforms. He noted that having a single governing body will ensure that security measures can be distributed across multiple organizations within a network in case something is lost or stolen, Nextgov reported.
Speaking at the same webinar, Yubico Public Sector Vice President Jeff Phillips said the concept of an administrator is missing in the FIDO system. He believes that once an administrator system is applied, the architecture would be more widely implemented.
The concerns stem from President Joe Biden’s May executive order that seeks to improve security measures through zero trust architecture. According to the EO, officials will be given a cryptographic key similar to a personal identity verification or a common access card. The system is designed in a way that phishers would not be able to extract login credentials from unsuspecting users in the same way that bad actors can with traditional passwords.
Federal Chief Information Security Officer Chris DeRusha addressed some of the concerns in an interview with Nextgov. According to the federal CISO, federal agencies will need to procure devices that support FIDO2 and web authentication standards and phase out weaker approaches that offer less protection against phishing campaigns. His statement echoes a draft policy that the Office of Management and Budget issued in fall regarding the Biden EO.
Category: Cybersecurity