Overview

The U.S. Department of Agriculture (USDA) has announced the use of Fast IDentity Online (FIDO) protocols, a new solution for phishing-resistant authentication. This shift to FIDO-based multi-factor authentication (MFA) has proven successful in securing USDA systems against credential theft and phishing attacks.

With many seasonal employees and workers in specialized environments, such as laboratories requiring decontamination procedures, USDA cannot fully rely on Personal Identity Verification (PIV) cards, which are typically used for secure authentication across government agencies.

USDA’s workforce includes not only full-time employees but also a large number of seasonal workers who are ineligible for PIV cards. Furthermore, certain USDA staff work in environments, such as bio-containment labs, where standard PIV cards cannot survive the decontamination processes required.

Historically, USDA managed this by providing users with temporary user IDs and passwords. However, as credential phishing attacks became more sophisticated, the USDA found this approach increasingly vulnerable to cyber threats.

USDA identified the need for a secure, phishing-resistant authentication method that would work across a variety of environments and use cases. The agency needed to move beyond passwords and user IDs, adopting a solution that would meet modern cybersecurity standards while accommodating the unique needs of its workforce.

The Role of FIDO in Phishing-Resistant MFA

FIDO is a set of open standards designed to provide secure, passwordless authentication. Unlike traditional forms of MFA, which can still be vulnerable to phishing attacks, FIDO leverages public key cryptography to bind credentials to the user’s device. This approach is inherently resistant to phishing attempts because even if a malicious actor attempts to trick users into revealing their credentials, they cannot access the system without the physical device used for authentication.

The USDA’s decision to adopt FIDO was driven by its ability to prevent credential phishing—one of the most common and dangerous threats faced by organizations today. With FIDO, USDA employees can authenticate without passwords, using cryptographic keys stored on secure devices. This approach mitigates the risk posed by increasingly sophisticated credential phishing attacks that exploit the weaknesses of SMS codes, authenticator apps, or even push notifications.

The USDA’s Implementation Process

Before transitioning to FIDO, USDA’s Identity, Credential, and Access Management (ICAM) division conducted a thorough review of the agency’s needs. They identified key use cases where employees could not use PIV cards and where traditional MFA methods were insufficient.

These included seasonal workers, employees waiting for PIV cards, and those working in high-security or physically demanding environments where card-based solutions were impractical.

With a centralized identity management system already in place, USDA was well-positioned to implement a FIDO-based solution. The agency used Microsoft Entra ID to integrate FIDO capabilities, allowing them to extend phishing-resistant authentication to core services such as:

• Windows desktop login
• Microsoft 365 access
• Virtual Private Network (VPN) access
• Single Sign-On (SSO) systems

The centralization of USDA’s ICAM system under a unified platform allowed for more agile updates, enabling the rapid rollout of FIDO across various IT environments. By focusing on four main enterprise services, USDA was able to significantly reduce its exposure to phishing attacks while meeting the needs of its diverse workforce.

Key Features and Benefits of USDA’s MFA Solution

USDA’s adoption of FIDO technology was not just about protecting individual users—it was about addressing a systemic issue of security across the organization. FIDO protocols were integrated with USDA’s existing SSO platform, which serves over 600 internal applications. This integration allowed USDA to enhance the security of both cloud-based and on-premises systems, protecting users from more advanced forms of MFA bypass techniques.

FIDO’s support for hardware-bound authentication methods, like Microsoft’s Windows Hello for Business (WHfB) and FIPS-140 validated security keys, played a pivotal role. These devices are bound to the user’s hardware, making it almost impossible for a hacker to bypass the authentication process without physical access to the device.

Furthermore, USDA utilized its centralized human resources (HR) system as the authoritative source for identity lifecycle management, ensuring that access rights and credentials were appropriately provisioned and de-provisioned. This integration made managing user access more streamlined and secure, particularly as the agency transitioned to more cloud-based services.

The Significance of USDA’s FIDO Implementation

USDA’s early adoption of FIDO technology placed them ahead of the curve in implementing phishing-resistant MFA. Their solution aligns with the broader federal initiative outlined in the U.S. government’s Moving the U.S. Government Toward Zero Trust Cybersecurity Principles (M-22-0922), which mandates the transition to phishing-resistant MFA for federal agencies.

By adopting FIDO, USDA not only improved its security posture but also contributed to the federal push for Zero Trust cybersecurity, a model that assumes breaches are inevitable and advocates for continuous monitoring and verification of user access. FIDO, with its strong encryption and device-based authentication, is a critical part of this Zero Trust framework.

 Recommendations and Mitigations for Other Organizations

USDA’s experience with FIDO offers valuable lessons for other organizations looking to enhance their cybersecurity defenses against phishing and credential theft. The key takeaways from USDA’s implementation include:

1. USDA’s decision to centralize its ICAM systems under a unified platform helped streamline the deployment of FIDO technology. Centralization improves security, user management, and the agility needed for rapid deployments.
2. The USDA adopted a philosophy of continuous improvement, piloting FIDO implementations incrementally. By testing solutions on smaller, non-critical user groups, USDA was able to fine-tune its approach before a broader rollout.
3. Every organization has unique needs. USDA’s approach to understanding its use cases—such as employees without PIV cards or those working in specialized environments—enabled it to tailor its MFA solution to meet specific challenges.
4. USDA’s involvement in the ICAM community helped them stay informed about emerging threats and best practices. This collaboration provided them with the insights needed to implement a robust solution.

Conclusion

The USDA’s adoption of Fast IDentity Online (FIDO) for phishing-resistant multi-factor authentication (MFA) has strengthened its cybersecurity defenses. By using FIDO, USDA has protected its diverse workforce from credential theft and phishing attacks while ensuring secure access to online systems.

The agency’s centralized approach to Identity, Credential, and Access Management (ICAM) and its commitment to incremental improvements have been a key factor to this success. USDA’s implementation not only meets federal cybersecurity requirements but also exemplifies a proactive approach to Zero Trust principles.

Sources: https://www.cisa.gov/resources-tools/resources/phishing-resistant-multi-factor-authentication-mfa-success-story-usdas-fast-identity-online-fido

Related