“Phishing-resistant MFA is an immediate priority for enterprises and is now a specific requirement for the U.S. government,” said Andre Durand, CEO and founder of Ping Identity. “By incorporating enterprise-grade federation and access controls into this joint solution, organizations can easily use Derived FIDO2 Credentials to enhance the security of virtually any individual or asset — regardless of location.”
The standards-based solution works off the shelf with no custom coding required. It includes:
- Yubico's YubiKey 5 Series and YubiKey 5 FIPS Series: phishing-resistant, hardware-based authentication security keys that support FIDO2
- EntryPoint's credential management system of identity proofing and binding capabilities
- Ping Identity's authentication authority with federated identity and centralized identity management and policy enforcement
The solution lets organizations establish and prove organizational attestation of FIDO2 hardware tokens, so they can better protect themselves against multi-factor authentication (MFA) exploits.
By enabling organizational attestation with FIDO2 security keys, the solution applies the Zero Trust concept of “trust nothing, verify everything” to FIDO2-based MFA. This minimizes the risk of cyber attackers using outside credentials to penetrate a business network — a common vulnerability known to be exploited by nation-state threat actors.
“Proof-of-possession isn’t enough,” said Eric Hildre, president of EntryPoint, Inc. “With the addition of our identity binding capabilities, organizations can now confirm that the Derived FIDO2 Credential is in use by the intended user and not a malicious actor.”
“Recently, OMB Memo M-22-09 was released citing FIDO2 and WebAuthn, as well as PIV, as approved phishing-resistant credentials that meet the EO requirements,” said Jeff Frederick, Director, Solutions Engineering at Yubico. “This partnership supports these government regulations and enables agencies to trust and verify that the FIDO2 security keys in their environment could only have come from their authorized supply chain, and nowhere else.”