[Posting a best-effort version of an external comment that came in through email below.]
On #1
I applaud your goals to move to multi-factor authentication of users AND devices, but the statement doesn’t go far enough. Agencies should be tasked with eradicating passwords everywhere it is feasible and prudent, only accepting a password factor when risk or cost does not establish a sound business case to go password-less. Any static credential can be replayed, so we have to move on.
On #4
a. Identity guidance as a task to OMB under email and collaboration is potentially too short-sighted. Identity is key to security and enabling mission, so Identity should be its own element within Item 3 of the implementation plan – Improve Existing and Provide Additional Security Shared Services.
b. Within the identity element, or if it remains in Item 2 - Accelerate Adoption of Cloud Email and Collaboration Tools, they need to add specific agency tasking to inventory and plan the systems and credentials that can migrate to multi-factor, with a focus on what you have and what you are – passwordless.
c. This should also include a recommendation to use commercial identity providers because it is economically prudent, allows for options, spreads risk, and the private sector can out-innovate the government every single time.
d. To that end, you may want to consider something about login.gov. It is a GOTS tool, and is counter to this IT mod plan, which is private-sector/commercial first. It is creating a single ID for citizens, and is right now leveraging two technologies NIST has already stated are weak – passwords and SMS text. I’ll let you figure out the right balance of criticism here.
Ori Eisen, CEO, Trusona