An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Press Release | Oct. 4, 2023

NSA and ESF Partners Release Report on MFA and SSO Challenges

FORT MEADE, Md. – The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and industry partners have released a cybersecurity technical report (CTR), “Developer and Vendor Challenges to Identity and Access Management,” to provide developers and vendors of multi-factor authentication (MFA) and single sign-on (SSO) technologies with actionable recommendations to address key challenges in their products.
The report was developed by an NSA and CISA-led working panel through the Enduring Security Framework (ESF), a public-private cross-sector working group that provides cybersecurity guidance addressing high priority threats to the nation’s critical infrastructure.
The co-authors observe that the increase of multi-computer use has led to vulnerabilities in access management and identity verification, meaning risk for computer systems and information - one of the most critical resources for any organization. Cyber criminals are continuing to refine methods and approaches as the cyber landscape evolves. A significant portion of breaches occur from misusing or manipulating digital identities, including stolen credentials and phishing, or by exploiting vulnerabilities.
Following these general observations, the report proceeds in greater detail. User names and passwords are no longer enough to keep systems secure. Sophisticated phishing attacks even have the ability bypass basic MFA forms, because not all forms of MFA offer the same level of protection. For example, malicious actors can intercept one-time codes in real time and then use them to authenticate identity on systems.
Specifically, the CTR outlines the following challenges:

  • Ambiguity with MFA terminology

  • Lack of clarity on security properties

  • Reliance of MFA on self-enrollment by the user and “one time enrollment code flow”

  • Tradeoff between SSO functionality and complexity

  • Improvements necessary to standards throughout the identity ecosystem

  • Knowledge base for the integration between existing architectures and legacy applications

  • SSO capabilities often bundled with high-end enterprise features making them inaccessible to small and medium businesses

The guidance details each of these challenges and provides recommendations for developers, vendors, and security professionals to help better protect their organizations and partners.
Read the full report now.
Read the related March 2023 ESF release, “Recommended Best Practices for Administrators – Identity and Access Management.”
Visit our full library for more cybersecurity information and technical guidance.

NSA Media Relations