Phishing-Resistant MFA - OMB M 22-09


To address the US federal requirements of OMB M-22-09, phishing-resistant MFA is a requirement for organizations moving towards a zero trust architecture (ZTA). OMB M-22-09 identifies two types of phishing-resistant protocols: smart card (PIV) and FIDO2/WebAuthn. As attacks have evolved to bypass traditional MFA solutions, organizations and government agencies are mandating the use of modern, phishing-resistant MFA. With OMB M-22-09, the US government is requiring all agencies to use phishing-resistant MFA and strongly encourages the move to zero trust architecture (ZTA).


The YubiKey supports both types of phishing-resistant authentication and provides the most comprehensive authenticator solution available to help agencies and organizations protect their environments. Using a single multi-protocol device that bridges both legacy and modern applications/services increases security, usability and ultimately achieves compliance.


What is phishing-resistant MFA?

It is important to define what phishing-resistant MFA is and for customers to understand the authentication options available to them. 


Phishing-resistant MFA refers to an authentication process that is immune to attackers intercepting the authentication session or tricking the user into approving an authentication session where the user cannot know or verify who the requester is. The user and service are able verify the authenticity of each other before the authentication process can complete. There are several components that help define what  phishing-resistant MFA is.


The following sections discuss the various components that should be considered.


Establish strong binding between authenticator and identity

To ensure there is high confidence that each party knows who each other is, an initial cryptographic registration process needs to occur that establishes a trust relationship. Initial registration can include an identity proofing process and should also include registering a user’s authenticator to establish the strong binding. In a legacy MFA approach, this initial registration would happen by sharing a secret such as a one-time passcode or SMS text code out of band with the idea that only the user and the authentication service would know the shared secret. However, this method is susceptible to phishing as the shared secret could easily be obtained by an attacker.


For the US federal government, PIV issuance includes an identity proofing process and includes registering a user’s authenticator (in most cases a PIV or CAC). To address the known weakness of a shared secret, phishing-resistant MFA leverages public/private key cryptography to establish a trust relationship between the user and relying parties. This ensures that future authentication sessions are occurring only between the authenticator that is registered and the relying party. The private key is the most important component in the trust relationship making it vitally important to protect the private key at all times.


Eliminate shared secrets

Once a trust relationship is established, the authentication mechanism must be based on public/private key cryptography that is unique for every trust relationship. The registration or authentication process should not share secrets, but rely on an asymmetric cryptographic ceremony. Without the private key, the authentication ceremony cannot be performed. The private key must be stored in hardware that can be attested and not be exportable to be truly secure.


Know the requesting party

In a phishable authentication scenario, attackers can effectively trick a person into sharing their sign-in credentials, or less-secure authentication factors such as SMS codes or OTP. Additionally, the attacker uses readily available techniques like building fake websites that replicate sites users are familiar with, social engineering or sending a large number of push notification requests with the goal to trick or overwhelm users to accept the authentication request. It is critical to use phishing-resistant MFA methods to address this issue by only responding to valid requests by known trusted parties that don't inconvenience users. Savvy attackers may attempt to inconvenience users to the point of frustration. When a user is frustrated, they may forgo security measures that let attackers compromise MFA.


User Intent

Even though we don’t want to frustrate users, the users still need to be involved to authorize a login action. The user should clearly understand and authorize the authentication event. They need to be fully aware of what they are consenting to do. To not confuse the user, user authorization requests should only exist as part of an access request that the user initiated. Having users receive random and incessant SMS or Push notification requests can lead users into approving access that they are not aware of. The user action when coupled with public/private key cryptography also severely limits the rate of attacks and significantly reduces the attack surface.



With phishing-resistant MFA explained, you can more easily understand how different MFA options may meet or fall short of the phishing-resistant criteria. M-22-09 specifically states, “agency systems must discontinue support for authentication methods that fail to resist phishing, including protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.” 


From the above set of phishing-resistant MFA criteria, two authentication standards have become the industry standard smart cards (PIV) and FIDO2/WebAuthn. Cryptography based on Public Key Infrastructure, where private key material resides within a hardware device, is the cornerstone of secure authentication systems. Both authentication standards meet the guidelines as described in OMB M-22-09 and provide phishing-resistant options. The YubiKey supports both the smart card (PIV) and FIDO2/WebAuthn protocols to deliver phishing-resistant MFA.


Considerations for implementation in Federal Government

Implementation of phishing-resistant MFA for the federal government comes with additional criteria that needs to be considered and addressed. 


To meet the minimum US federal government requirements, the following requirements must be met:


  • A FIPS validated authenticator must be listed under CMVP.
  • OMB M-19-17 and NIST SP800-157 require that PIV credentials need to be properly issued and managed as a primary or derived credential.
  • OMB M-22-09 specifies PIV and WebAuthn as the phishing-resistant protocols to use. 
  • Solutions are generally available and are fully supported by the vendor.

Federal Information Processing Standard (FIPS)

It is also important to note that your deployment could be subject to additional requirements. As a case in point, if you are a US government agency or work with the government, you are required to use FIPS validated authenticators. The YubiKey 5 FIPS Series is FIPS 140-2 validated (Overall Level 1 and Level 2, Physical Security Level 3) enabling Yubico customers to meet the highest authenticator assurance level 3 (AAL3) of NIST SP800-63B guidance, which in turn will satisfy the authenticator requirements for OMB M-22-09 in a zero trust solution.


Authenticator Assurance Levels (AAL’s)

M-22-09’s MFA directives rely on NIST Special Publication 800-63B requirements. NIST SP 800-63B has three authentication levels with the middle and highest levels requiring phishing-resistant MFA. Most US federal agencies will require NIST AAL2 or AAL3, as AAL1 does not require any form of MFA. Additionally, the MFA authenticator must be FIPS 140 validated to achieve any AAL, proven by being listed on the Cryptographic Module Validation Program site. FIPS 140 validation indicates that the authenticator has met a set of specific standards to protect the cryptographic module appropriate for the Federal government. Authenticators that meet AAL3 must meet additional FIPS 140 requirements including physical security level 3. The best way to ensure you are leveraging a FIPS validated authenticator is to review the Cryptographic Module Validation Program site and look for the appropriate certificate such as that available for the YubiKey 5 FIPS Series.