But come on, let's be real here. While the international joint publication, "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default," doesn't explicitly mention FIDO, it's pretty obvious that the authors have FIDO in mind when they talk about creating secure products by design and by default.
I mean, just take a look at this quote: "If a manufacturer fails to meet CISA's Cybersecurity Performance Goals (CPGs) -- such as not requiring phishing-resistant multi-factor authentication for all employees -- then they cannot be seen as delivering Secure-by-Design products." If that doesn't scream FIDO, I don't know what does. And let's not forget that CISA's CPGs specifically call for "hardware-based, phishing resistant MFAs to be used."
And if you still need more convincing, the Secure-by-Default section even references the guidance from the U.S. and the Netherlands on phishing-resistant MFA. Both agree that products should eliminate default passwords, make MFA opt-out [1] rather than opt-in for privileged users, and implement single sign-on using modern open standards such as SAML or OIDC [2].
So, if governments from all over the world are treating FIDO as more than just one MFA option among many, it might be time for your organization to seriously start considering it too.
[1] We would recommend making it mandatory! One of the largest service providers in the U.S. did this recently, ensuring all 600 of its administrators were equipped with NIST AAL3-compliant security keys, using StrongKey's FIDO Certified Server (SKFS) to strongly authenticate into their Citrix Gateway environment.
[2] However, you might want to hear StrongKey's CTO, Arshad Noor, explain why, unless you are using cryptographic hardware modules to digitally sign SSO tokens, enabling FIDO directly in legacy applications is the smarter option. It simplifies application architecture, reduces the total cost of ownership (TCO) of business applications, and eliminates the need for external SSO solutions while increasing security. You can hear Noor expand on this topic (among others) at Authenticate 2023 this October.