Solving MFA & IAM Developer and Vendor Challenges

October 23, 2023 By Rublon Authors

Last updated on August 7, 2024

MFA & IAM developer and vendor challenges are the obstacles and difficulties that identity and access management (IAM) providers and developers face in implementing and maintaining secure and user-friendly multi-factor authentication (MFA) and single sign-on (SSO) technologies. These challenges include but are not limited to confusing definitions and unclear policy around different variations of MFA, the need for clarity, interoperability, and standardization amongst MFA variations, support for the strongest forms of MFA, such as PKI and FIDO2, reliance on self-enrollment, and lack of credential lifecycle management. Identity and access management (IAM) challenges such as these affect the ability of organizations to protect their data and systems from unauthorized access and cyberattacks.

In this article, we will explore some of the most important IAM & MFA challenges from the latest guidance and best practices document from CISA and NSA.

NSA and CISA Release “Identity and Access Management: Developer and Vendor Challenges”

Identity and Access Management (IAM) is a critical aspect of cybersecurity that involves verifying the identity of users and granting them appropriate access to resources. However, IAM can also pose many challenges for developers and vendors of IAM solutions, especially multi-factor authentication (MFA) and single sign-on (SSO).

MFA and SSO can enhance the security, convenience, and productivity of users and organizations. However, multi-factor authentication and single sign-on can also produce various technical, operational, and usability issues that can limit their adoption and effectiveness.

To address these issues, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published a document titled “Identity and Access Management: Developer and Vendor Challenges” on October 4, 2023. An NSA and CISA-led working panel developed the document through the Enduring Security Framework (ESF), which is a public-private cross-sector working group that provides cybersecurity guidance addressing high-priority threats to the nation’s critical infrastructure.

Unpacking The Most Important IAM Challenges

The IAM developer and vendor challenges document provides actionable recommendations for IAM (MFA and SSO) solutions to overcome the key challenges in their products.

We selected the IAM and MFA developer and vendor challenges we deem most important. These challenges are:

  1. Confusing definitions and unclear policy around different variations of MFA
  2. Need for clarity, interoperability, and standardization amongst MFA variations
  3. Support for the strongest forms of MFA, such as PKI and FIDO2
  4. Reliance on self-enrollment
  5. Lack of credential lifecycle management

Let’s discuss how Rublon, a leading MFA solution that protects your organization’s data and access to networks, servers, and applications, solves each of the preceding challenges.

MFA & IAM Developer and Vendor Challenge 1: Confusing definitions and unclear policy around different variations of MFA

The IAM challenges document from CISA and NSA notes that there is no clear or consistent definition of what constitutes multi-factor authentication (MFA) or its variations, such as two-factor authentication (2FA), 2-step verification, etc. This can cause confusion and inconsistency among developers, vendors, customers, and users.

To address this challenge, the document recommends that developers and vendors use clear and precise terminology when describing their MFA products and features. The document also suggests using the NIST SP 800-63B framework as a reference for defining MFA factors and levels.

Rublon MFA meets this recommendation by using clear and precise terminology when describing its MFA products and features. Rublon MFA also follows the NIST SP 800-63B framework for defining MFA factors and levels. For example, an administrator in the Rublon Admin Console can change the timeout according to either AAL2 or AAL3 requirements. In addition to that, we always try to use coherent definitions in our documentation and blog posts. On top of that, we published a series of blog posts that describe the meaning and differences behind each authentication type, such as MFA vs. 2FA and 2FA vs. 2SV. Last but not least, we often point out which authentication methods are the most secure.

MFA & IAM Developer and Vendor Challenge 2: Need for clarity, interoperability, and standardization amongst MFA variations

The IAM Developer and Vendor Challenges document mentions the lack of clarity, interoperability, and standardization amongst MFA variations. It is true that different vendors have different names for their MFA features, methods, and policies. But this is an accepted state of things considering these solutions might have meaningful differences. Besides, most vendors target particular requirements from the customer’s point of view. So, most requirements are described in a common language and do not map very well to technical classifications, such as those articulated by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63, Digital Identity Guidelines.

We have a separate page that lists all Authentication Methods available in our product. We also have dedicated pages for industries that mention the security regulations that Rublon complies with.

Rublon complies with NIST 800-63B, so it is often just a question of which authentication method the customer’s organization should use. Administrators can easily enable and disable authentication methods in the Admin Console. In case customers have any questions, they are welcome to contact Rublon Support.

MFA & IAM Developer and Vendor Challenge 3: Support for the strongest forms of MFA, such as PKI and FIDO2

The Key IAM Challenges for Developers and Vendors document mentions that MFA solutions need to be clear about their security properties. It lists Authenticator Assurance Levels (AALs) as one way of classifying the relative strength of authenticators based on the security properties that they provide. Moreover, the publication mentions the need to make phishing-resistant MFA more ubiquitous. It points out that while many IAM vendors support public key infrastructure (PKI) and FIDO2 authentication, some do not. 

Rublon MFA supports FIDO2 security keys, allowing customers to secure their applications with cutting-edge phishing-resistant multi-factor authentication (MFA) compliant with NIST AAL3. Other forms of authentication based on PKI, such as Mobile Push, SMS Passcode, and Email Link, to name a few, are also available and can be disabled depending on the organization’s internal security policies.

MFA & IAM Developer and Vendor Challenge 4: Reliance on self-enrollment

The IAM Challenges for Developers and Vendors document argues that some types of MFA rely on user self-enrollment, which is a process where users register their own devices and authenticators without the involvement of an administrator. The text claims that this process may be vulnerable to certain types of attacks that can compromise user credentials, such as phishing, social engineering, or malware. It suggests that this process may not align with the business processes of some organizations, which may require more control and oversight over the enrollment of user devices and authenticators.

Rublon MFA solves this challenge by providing a secure and user-friendly self-enrollment process that minimizes the risk of credential compromise and supports the business needs of different organizations. It allows users to self-enroll their devices and authenticators in minutes, using a QR code. Rublon also allows administrators to optionally approve and verify user enrollments, as well as delete lost or stolen devices. Further, Rublon MFA integrates with existing identity providers and directories, such as Active Directory, LDAP, or FreeRADIUS, to ensure that user identities and credentials are consistent and up-to-date across different systems. Summing up, Rublon MFA allows administrators to control the enrollment process for users and devices using various methods such as email invitations, enrollment settings, and phone management. Administrators can also enforce policies such as allowed authentication methods and allow or disallow users to remember their devices.

MFA & IAM Developer and Vendor Challenge 5: Lack of credential lifecycle management

NSA and CISA’s IAM challenges document claims that the credential lifecycle management process is often lacking in available MFA solutions, especially for those that rely on user self-enrollment and one-time enrollment codes. The document suggests that these methods may not provide enough security and control for enterprises, as they may be susceptible to attacks or misalignment with business processes. The publication also implies that credential lifecycle management is important for ensuring the trustworthiness and validity of MFA credentials over time.

For the challenge of credential lifecycle management, Rublon MFA provides a centralized dashboard called Rublon Admin Console. The Admin Console allows administrators to manage the enrollment, activation, deactivation, and deletion of user devices and authenticators. Administrators can also set expiration dates for remembered devices and delete devices, effectively revoking access for lost or stolen devices. Users can also manage their own devices and authenticators through the Manage Authenticators view.

But There’s More

Rublon MFA is a powerful and flexible solution that solves many of the MFA & IAM developer and vendor challenges that we have discussed in this article. However, we also acknowledge that we cannot address all the possible scenarios and requirements that organizations may have. The NSA & CISA document mentions some challenges that Rublon has not solved yet (they’re on our roadmap!) or solves in a slightly different way.

For example, one of the challenges for SSO is integrating with legacy systems and applications that do not support modern authentication protocols or standards. Some organizations may have legacy systems and applications that are difficult and costly to upgrade or replace, and they may need to find a way to enable MFA for them without compromising security and usability. The Rublon Access Gateway’s SSO Portal only works with applications that support the SAML protocol. However, Rublon allows you to enable MFA on legacy desktop applications.

There are some other challenges we are aware of and working on solving. We are constantly improving our product and adding new features and capabilities to make Rublon the best MFA solution in the world. However, solving some of the challenges described in NSA and CISA’s IAM Developer and Vendor Challenges document requires a combined effort from all IAM vendors. We believe that by working together, we can overcome any challenge and achieve our common goal of enhancing security and usability for everyone, as well as arriving at uniform, clear, interoperable, and standardized solutions.

Conclusion

Rublon MFA is a cloud-based platform that provides strong, phishing-resistant, and user-friendly MFA and SSO capabilities for any application, device, or identity provider. Our solution overcomes the key IAM developer and vendor challenges identified by the NSA and CISA in their guidance. Rublon MFA also offers a secure, scalable, reliable, and compliant solution that meets the needs and expectations of customers of all sizes and industries. If you are looking for an IAM solution that solves most of the NSA and CISA IAM challenges, look no further than Rublon MFA.
