The Cybersecurity and Infrastructure Security Agency (CISA) plays an important role in safeguarding the nation's digital infrastructure. As a U.S. government agency, CISA is tasked with leading efforts to protect and enhance the security of the nation's cyber ecosystem. With increasing cyber threats, CISA regularly updates its guidelines and recommendations to address risks and ensure that both public and private sectors are equipped with the necessary tools and strategies to mitigate those risks.
In August, CISA extended its Secure by Design guide. This update specifically highlights passkeys for authentication. Let's take a look at why this is the case.
The Secure by Design guide is a document that outlines best practices and security protocols to help organizations develop and maintain secure systems. The latest extension (Secure by Demand Guide) explicitly incorporates passkeys into its recommendations. This inclusion is not an isolated event but rather a continuation of a broader trend across various security frameworks, including the Essential Eight and NIST (National Institute of Standards and Technology) guidelines, which have also begun to emphasize the importance of passkeys.
The focus on passkeys is driven by a critical realization: while multi-factor authentication (MFA) significantly enhances security, it does not fully address the threat of phishing - a major cause of account takeovers. Traditional MFA methods, such as SMS-based codes or authentication apps, can still be vulnerable to phishing attacks where malicious actors trick users into revealing their credentials. This vulnerability underscores the need for a more resilient form of authentication.
Passkeys, which are based on public-key cryptography, offer a solution to this problem. Unlike traditional MFA methods, passkeys are inherently phishing-resistant because they do not rely on shared secrets that can be intercepted or tricked out of users. Instead, they use a combination of a private key stored on the user's device and a public key stored on the server. This ensures that even if a user is targeted by a phishing attempt, their credentials cannot be stolen or misused, because the browser refuses to use the passkey on any origin other than the one it was registered for.
The push towards passkeys as a standard for authentication reflects the recognition that only phishing-resistant methods can truly protect users in today's landscape. Governments and organizations worldwide are recognizing that passkeys represent the future of secure authentication, offering a more user-friendly and secure alternative to traditional MFA.
MFA alone is no longer sufficient to protect against sophisticated phishing attacks. Phishing-resistant MFA is becoming the gold standard in authentication. The FIDO (Fast Identity Online) Alliance has been instrumental in this shift, advocating for stronger, more secure authentication methods for years. Their work, along with contributions from early pioneers like Yubico, has laid important groundwork for the adoption of WebAuthn – the web standard underlying hardware security keys and passkeys.
As passkeys continue to gain traction, they offer a promising future where secure, phishing-resistant authentication is accessible to everyone. This shift is not just a technological upgrade but a fundamental change in how we approach digital security.
In conclusion, while MFA has served as an essential layer of security, the future lies in phishing-resistant multi-factor authentication. Passkeys are the only technology for consumers offering a secure, seamless, and resilient way to protect against the prevalent cyber threats. As we move forward, the adoption of passkeys will be crucial in building a safer and more secure digital world, one that allows all consumers to benefit from the same security that hardware security keys have brought to high-tech companies and government organizations.
CISA's Secure by Demand Guide recognizes that traditional MFA methods, including SMS-based codes and authenticator apps, remain vulnerable to phishing attacks where malicious actors trick users into revealing their credentials. Because phishing is a major cause of account takeovers, CISA now explicitly recommends phishing-resistant methods such as passkeys as the stronger alternative.
Passkeys rely on public-key cryptography with no shared secret that an attacker can intercept or social-engineer out of a user. The browser enforces origin binding, meaning it will deny the use of a passkey on any site that is not the legitimate registered origin, which makes credential theft via phishing technically impossible.
CISA's Secure by Demand Guide published in August 2024 explicitly includes passkeys, and this recommendation aligns with a broader trend also reflected in the Essential Eight and NIST guidelines. Together these frameworks signal that phishing-resistant MFA is becoming the regulatory gold standard for secure authentication across both public and private sectors.
The FIDO Alliance has been instrumental in advocating for stronger authentication methods and, along with early pioneers like Yubico, laid the groundwork for WebAuthn, the web standard underlying both hardware security keys and passkeys. CISA's Secure by Demand Guide directly references this shift toward phishing-resistant authentication championed by the FIDO Alliance.