Five Senators have discovered that the State Department is breaking the law by not using multi-factor authentication (MFA or 2FA) in its emails. They’ve sent a letter to Secretary of State Mike Pompeo, and they want answers.
The letter, from Senators Ron Wyden, Cory Gardner, Edward Markey, Rand Paul and Jeanne Shaheen, referenced reports from federal auditors that the Department of State was failing to meet basic federal cybersecurity standards.
The General Services Administration (GSA), which is the US department dealing with government procurement, property management and information delivery, analysed federal cybersecurity this year, stated the letter.
The GSA’s report found that the Department of State had deployed “enhanced access controls” across just 11% of required agency devices.
MFA or 2FA requires users to enter a second piece of information along with their password. This is linked to a physical asset that only they hold, thwarting imposters trying to steal their accounts remotely. That second piece of information could be biometric, such as your fingerprint; a hardware key, such as Google’s recently-announced dongle; or a code delivered to a mobile phone.
Federal agencies in the Executive Branch are legally required to enable 2FA for any accounts with elevated privileges under the Federal Cybersecurity Enhancement Act, passed as part of an omnibus spending bill in December 2015.
This wasn’t the only blot on Pompeo’s copybook, according to the Senators. They said that according to the Department of State’s Inspector General, one third of diplomatic missions failed to conduct…
…even the most basic cyber threat management practices, like regular reviews and audits.
Penetration testers also successfully hacked email accounts along with applications and operating systems at the Department, the letter said. It added:
We are sure you will agree on the need to protect American diplomacy from cyberattacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA.
The Senators demanded that Pompeo’s Department respond by October 12, telling it what actions it has taken to remediate the classification of its cyber-readiness as “high-risk” by the White House’s Office of Management and Budget (OMB). Although not explicitly mentioned, the letter is likely referring to a May OMB report on cybersecurity that categorised almost three quarters of the 96 Federal agencies as at risk or high risk.
The letter also asked what the Department of State has done to fix the “near total absence” of MFA-enabled accounts, and asked for statistics detailing the number of cyberattacks against Department of State systems located abroad.
The importance of MFA shouldn’t come as a surprise to the State Department. In February 2016, then-President Obama announced federal initiatives to improve cyber security awareness, including a national 2FA awareness campaign.
Unfortunately, not many people outside the government seem to be paying attention either. MFA is readily available to many consumer email users, including Gmail’s one billion users.
Seven years after Google introduced two-step verification (its own implementation of MFA), fewer than one in 10 people use it, according to one of its engineers.
It seems that Joe Public is even further behind the Department of State in the account security stakes.
Mahhn
Yes the public is further behind because; real 2FA is not common in the consumer market (messages to a phone don’t count), companies like the google aren’t trusted enough to be taken seriously, and number one – it’s a bother.
One more- Our data has been exposed so m a n y times, people feel data defeated, leading them to “why bother” syndrome… A better solution is waiting to be discovered.
Anon
Real 2FA/MFA is very common in the consumer market. Just look at almost any cloud service (FB, Gmail, Instagram, LastPass, etc) and they all support multiple types of MFA. With MFA it doesn’t matter if you trust Google. You just have to trust math and the algorithm that generates the OTP.
Your last point is irrelevant to this article. It is about security diplomatic communications and protecting classified information. This is about government data not the normal consumer PII that has been exposed everywhere that you seem to be referring to.
Paul Ducklin
Assuming that by MFA you mean “an app that generates a unique sequence of pseudorandom numbers that depends on the time and date” (what’s known as TOTP), then…
…yes, you do have to “trust Google”, or whoever the service provider is that you are logging into, *and* you have to trust the vendor that made the TOTP app you are using to generate the codes at login time.
TOTP is basically what’s known as a “keyed hash” that requires each end of the login process to store and use a pre-shared key. Anyone who knows that key can produced the right sequence of numbers for evermore.
So you don’t just have to “trust the mathematics”. You gave to trust that your TOTP key doesn’t leak, either from the provider you are connecting to or from the authenticator app you have chosen to use.
One thing I quite like about SMS codes, if you ignore the issue of SIM swaps, is that there is no pre-shared key or “seed” in the process. Each login code is just a one-time number generated by the login provider, so there is no hidden secret key that would let an attacker figure out what code comes next – there is no predictable “code sequence”.
Joe
I like redundancy. A user ID and password work with any device, and if one fails, I can walk to (or buy) another. 2FA requires either SMS (dead phone battery, no access on computer) or a fob. Hardware breaks, usually just when you need it.
Not only that, but I have enough different accounts I need to sign into regularly, that I need the process to be fully automatic. Entering a 2FA key into every account, every time is just a non-starter.
If there is a solution to the hardware failure issue and the convenience issue, I’m all ears.
Paul Ducklin
Part of the problem – one can argue – is this increasing demand for “frictionlessness”. People don’t want to logout in case it takes 10 seconds to log back in. They won’t shut their laptop down and let the RAM go blank because booting up takes 17 seconds but unhibernating only takes 8 seconds.
2FA is *meant* to add a tiny bit of inconvenience for the greater good of all :-)
(Just like the 20mph speed limit on St Giles’s in Oxford that no car driver ever seems to respect, even when it means squeezing past a bunch of bicycles because they need to get to the red light at the Martyrs’ Memorial two seconds faster so all the bicycles can overtake them and get in front again. More haste, less speed, etc.)
Paul Ducklin
Been thinking about this. In about five years of using 2FA with some degree of religiosity, I have suffered an SMS outage exactly once (nearby mobile phone power damaged by heavy wind; I simply went 2km down the road to another coffee shop, problem solved) and an authenticator app outage exactly once (left my phone at home; I used a backup code I had stashed securely earlier on and promised myself not to forget my phone again). Ironically, I’ve had many more (though still not very many – just a handful) other types of system failure, such as server crashes outside my control, that meant I couldn’t work anyway, with or without 2FA.
In other words, my experience with 2FA, using a mixture of SMS, token and app based second factors, has seen me “stranded” once in five years, for the time it took to take what turned out to be a perfectly pleasant 2km walk. If I had felt like digging out a backup code I could have been back online in two minutes, but the sun was out and the walk did me good.
My experience with technology in general – using a laptop to login and work – has seen me “stranded” about 10 times in the last five years, never for more than 30 minutes, and usually for about the same length as, say, a toilet break. So my own experience says that when people insist that 2FA “is a problem waiting to happen”, they are probably allowing themselves to be frightened of shadows.
Mahhn
Thinking out loud here – if I had a BT fingerprint reader, that would take my fingerprint and generate a token when connected to my phone, which would be the 2FA key. That would be good to me – the BT fingerprint reader is separate from my phone, the reader won’t make the right code without my fingerprint. If the phone AND token get stolen/lost they still won’t let someone in. Well yeah they could take my finger. But still seams more secure than just a token/key, or relying on just a phone. Sophos, will you make that please. Thanks
Paul Ducklin
I think that people want a fingerprint reader that’s *in* their phone, or else they have to carry *two* things…
…errrr, and they already have a fingerprint reader in their phone.
Mahhn
my view is not to be relying on just one device for all authentication.