The Defense Department is expanding secure methods of authentication beyond the traditional Common Access Card, giving users more alternative options to log into its systems when CAC access is “impractical or infeasible.”

A new memo, titled “Multi-Factor Authentication (MFA) for Unclassified & Secret DoD Networks,” lays out when users can access DoD resources without CAC and public key infrastructure (PKI). The directive also updates the list of approved authentication tools for different system impact levels and applications.

In addition, the new policy provides guidance on where some newer technologies, such as FIDO passkeys, can be used and how they should be protected. 

“This memorandum establishes DoD non-PKI MFA policy and identifies DoD-approved non-PKI MFAs based on use cases,” the document reads.

While the new memo builds on previous DoD guidance on authentication, earlier policies often did not clearly authorize specific login methods for particular use cases, leading to inconsistent implementation across the department.

Individuals in the early stages of the recruiting process, for example, may access limited DoD resources without a Common Access Card using basic login methods such as one-time passcodes sent by phone, email or text. As recruits move further through the process, they must be transitioned to stronger, DoD-approved multi-factor authentication before getting broader access to DoD resources.

For training environments, the department allows DoD employees, contractors and other partners without CAC to access training systems only after undergoing identity verification. Those users may authenticate using DoD-approved non-PKI multi-factor authentication — options such as one-time passcodes are permitted when users don’t have a smartphone. Access is limited to low-risk, non-mission-critical training environments.

Although the memo identifies 23 use cases, the list is expected to be a living document and will be updated as new use cases emerge.

Jeremy Grant, managing director of technology business strategy at Venable, said the memo provides much-needed clarity for authorizing officials.

“There are a lot of new authentication technologies that are emerging, and I continue to hear from both colleagues in government and the vendor community that it has not been clear which products can and cannot be used, and in what circumstances. In some cases, I have seen vendors claim they are FIPS 140 validated but they aren’t — or claim that their supply chain is secure, despite having notable Chinese content in their device. But it’s not always easy for a program or procurement official to know what claims are accurate. Having a smaller list of approved products will help components across the department know what they can buy,” Grant told Federal News Network.

DoD’s primary credential

The memo also clarifies what the Defense Department considers its primary credential — prior policies would go back and forth between defining DoD’s primary credential as DoD PKI or as CAC. 

“From my perspective, this was a welcome — and somewhat overdue — clarification. Smart cards like the CAC remain a very secure means of hardware-based authentication, but the CAC is also more than 25 years old and we’ve seen a burst of innovation in the authentication industry where there are other equally secure tools that should also be used across the department. Whether a PKI certificate is carried on a CAC or on an approved alternative like a YubiKey shouldn’t really matter; what matters is that it’s a FIPS 140 validated hardware token that can protect that certificate,” Grant said.

Policy lags push for phishing-resistant authentication

While the memo expands approved authentication options, Grant said it’s surprising the guidance stops short of requiring phishing-resistant authenticators and continues to allow the use of legacy technologies such as one-time passwords that the National Institute of Standards and Technology, Cybersecurity and Infrastructure Security Agency and Office of Management and Budget have flagged as increasingly susceptible to phishing attacks.

Both the House and Senate have been pressing the Defense Department to accelerate its adoption of phishing-resistant authentication — Congress acknowledged that the department has established a process for new multi-factor authentication technologies approval, but few approvals have successfully made it through. Now, the Defense Department is required to develop a strategy to “ensure that phishing-resistant authentication is used by all personnel of the DoD” and to provide a briefing to the House and Senate Armed Services committees by May 1, 2026.

The department is also required to ensure that legacy, phishable authenticators such as one-time passwords are retired by the end of fiscal 2027.

“I imagine this document will need an update in the next year to reflect that requirement,” Grant said.

The post DoD expands login options beyond CAC first appeared on Federal News Network.

© Federal News Network

Identity’s New Frontier: How CISOs Can Navigate the Complex Landscape of Modern Access Management The cybersecurity battlefield has shifted. No longer are perimeter defenses and traditional identity management sufficient to...

The post Innovator Spotlight: Oleria appeared first on Cyber Defense Magazine.

Ring, the video doorbell maker dubbed the “largest civilian surveillance network the U.S. has ever seen,” is rolling out new but long overdue security and privacy features. The Amazon-owned company’s reputation was bruised after a spate of account breaches in late 2019, in which hackers broke into Ring user accounts and harassed children in their own […]

Online shopping service Instacart says reused passwords are to blame for a recent spate of account breaches, which saw personal data belonging to hundreds of thousands of Instacart customers stolen and put up for sale on the dark web.

The company published a statement late on Thursday saying its investigation showed that Instacart “was not compromised or breached,” but pointed to credential stuffing, where hackers take lists of usernames and passwords stolen from other breached sites and brute-force their way into other accounts.

“In this instance, it appears that third-party bad actors were able to use usernames and passwords that were compromised in previous data breaches of other websites and apps to login to some Instacart accounts,” the statement reads.

The statement comes after BuzzFeed News reported that data on more than 270,000 user accounts was for sale on the dark web, including the account user’s name, address, the last four digits of their credit card, and their order histories from as recently as this week.

Instacart said that the stolen data represents a fraction of the “millions” of Instacart’s customers across the U.S. and Canada, a spokesperson told BuzzFeed News.

But who’s really to blame here: the customers for reusing passwords, or the company for not doing more to protect against password reuse?

Granted, it’s a bit of both. Any internet user should use a unique password on each website, and install a password manager to remember them for you wherever you go. That means if hackers make off with one of your passwords, they can’t break into all of your accounts. You should also enable two-factor authentication wherever possible to prevent hackers from breaking into your online accounts, even if they have your password. By sending a code to your phone — either by text message or an app — it adds a second layer of protection for your online accounts.

But Instacart cannot shift all the blame onto its users. Instacart still does not support two-factor authentication, which — if customers had enabled — would have prevented the account hacks to begin with. When we checked, there was no option to enable two-factor on an Instacart account, and no mention anywhere on Instacart’s site that it supports the security feature.

Data published by Google last year shows even the most basic two-factor can prevent the vast majority of automated credential stuffing attacks.

We asked the company if it plans to roll out two-factor to its users. When reached, Instacart spokesperson Lyndsey Grubbs would not comment on the record beyond pointing to Instacart’s already published statement.

Instacart claims security is a “top priority,” and that it has a “dedicated security team, as well as multiple layers of security measures, focused on protecting the integrity of all customer accounts and data.”

But without giving users basic security features like two-factor, Instacart users can barely protect their own accounts, let alone expect Instacart to do it for them.

Instacart blames reused passwords for account hacks, but customers are still without basic two-factor security by Zack Whittaker originally published on TechCrunch