The recent Internal Revenue Service data breach would have been mitigated or even thwarted altogether by identity authentication measures the Obama administration is requiring federal agencies to adopt by next April, said Ari Schwartz, a top White House cybersecurity official.
Last month, hackers likely backed by organized crime syndicates were able to nab personal information on 104,000 taxpayers through the agency’s “Get Transcript” application.
“The recent IRS fraud case may have been limited or may have even been prevented if we had relied on multi-factor authentication as set forth in the executive order,” said Schwartz, the senior director for cybersecurity on the National Security Council, during a Financial Services Roundtable event Wednesday.
President Obama last October signed an executive order that included a requirement that all federal agencies move to some form of multi-factor authentication for all digital accounts that access personal information.
That means in addition to a password, a user would need some other form of identification, such as a fingerprint or time-sensitive pin sent to a smartphone or email account.
Many federal agencies like the IRS ask for a password, then pose personal questions about a monthly mortgage or car payment, for instance, as an additional form of verification.
That process is widely seen as more vulnerable to hackers.
The digital crooks that swiped personal information on taxpayers were able to cull the correct answers to those additional questions from the large trove of data available on the dark Web after years of breaches across the commercial sector.
Schwartz backed the multi-factor authentication requirement as a potential workaround to the issue.
“If you look at the types of compromises that we’ve seen in federal agencies over the last few months, if this type of multi-factor authentication had been in place earlier this year, some of those compromises wouldn't have happened,” he said.
Federal agencies are on pace to hit their April deadline, he added.
It’s part of a broader White House initiative to kill the password. Through the National Strategy for Trusted Identities in Cyberspace (NSTIC), the administration is funding a number of private-sector, password alternative pilot projects using mobile devices, digital rings, even bracelets.
The White House, Schwartz said, is “promoting a lot different kinds of technology.”