Three SaaS products live · OpsTicket · Winrove · OnboardIQ·SAM.gov UEI PR9KWJPM4JU9 · CAGE 91CE1
IT Custom SolutionFour Practices, One Firm · Est. MMXXI
§ SAM.gov UEI · PR9KWJPM4JU9§ CAGE · 91CE1§ NYC MBE · MWCERT2022-353

Rolling Out Phishing-Resistant MFA Across a Public-Sector Workforce: An Operational Playbook

CISA's 2023 data shows credential phishing caused 90% of federal breaches. Here is how agencies deploy phishing-resistant MFA without halting operations.

The Credential Problem Is Not Theoretical

In fiscal year 2023, CISA reported that compromised credentials remained the leading initial access vector in federal civilian agency incidents. Standard push-notification MFA, the kind most agencies deployed after the 2021 Executive Order on Improving the Nation's Cybersecurity, does not stop adversary-in-the-middle (AiTM) attacks or MFA fatigue campaigns. Attackers have adapted. The federal government's response is phishing-resistant MFA, specifically FIDO2/WebAuthn hardware security keys and PIV/CAC smart cards, both of which cryptographically bind authentication to a specific origin and cannot be intercepted by a proxy.

This post walks through the operational sequence for rolling out phishing-resistant MFA across a public-sector workforce: scoping, procurement, enrollment, exception handling, and sustainment. The same framework applies to state and local government agencies and to commercial organizations operating under CMMC or FedRAMP requirements.

Step 1: Scope Before You Procure

The single most common rollout failure is buying hardware tokens before finishing an identity inventory. Before issuing a single FIDO2 key, complete three scoping tasks.

  • Identity inventory: Export every account from your identity provider (Azure AD, Okta, or on-premises Active Directory). Separate human accounts from service accounts. Service accounts cannot use hardware tokens and require a separate remediation path, typically certificate-based authentication or managed identities.
  • Application compatibility audit: Map each application to its authentication protocol. FIDO2 requires a browser-based flow; legacy apps using RADIUS, LDAP, or NTLM cannot accept hardware keys directly. These need a gateway or proxy layer, or they stay on a compensating control until modernized.
  • Workforce segmentation: Classify users by role and physical situation. Office-based staff can use USB-A or USB-C security keys. Remote workers need keys with NFC for mobile devices. Field personnel with shared workstations need a different enrollment model entirely.

Document the output as a phishing-resistant MFA readiness matrix. Every row is a user population or application; every column is a readiness factor. This matrix drives procurement quantities, timeline, and exception policy.

Step 2: Procurement and Key Selection

FIDO2 hardware keys from vendors on the FIDO Alliance's certified product list meet the baseline. For federal use, verify that the key is listed on CISA's approved authenticator guidance and that it supports both FIDO2 and PIV if your agency uses PIV-integrated workflows. Common choices include the YubiKey 5 series (multi-protocol, PIV-capable) and the Google Titan key (FIDO2 only, lower cost).

Order two keys per user. One is the primary; one is the backup registered at enrollment. Agencies that skip the backup key create a guaranteed support surge when primary keys are lost. Budget for 10 to 15 percent attrition annually for lost or damaged keys based on published federal IT asset loss rates.

Step 3: Pilot Cohort and Enrollment Process

Run a 30-day pilot with 50 to 100 volunteers drawn from IT staff and power users. The pilot surfaces three things: enrollment friction, help desk call patterns, and application gaps your compatibility audit missed.

Enrollment itself has a specific sequence that must be enforced consistently:

  1. Verify the user's identity in person or via a video identity proofing session that meets NIST SP 800-63A IAL2 requirements. Do not allow self-service enrollment without identity proofing; that recreates the original vulnerability.
  2. Register both keys (primary and backup) in a single session. The user touches the key to confirm presence; the identity provider stores the credential.
  3. Immediately disable legacy authenticators (SMS OTP, push notification) for that account. Leaving legacy methods active as a fallback negates phishing resistance.
  4. Issue a printed recovery code stored in a sealed envelope in the user's personnel file, or use an agency-managed hardware-based recovery process. Do not use email or SMS for account recovery.

After the pilot, analyze help desk tickets by category. Typical issues are: key not recognized (driver or USB port problem), application not prompting for key (compatibility gap), and user confusion about PIN versus biometric unlock. Fix the top three issues before broad rollout.

Step 4: Phased Agency-Wide Rollout

Sequence the rollout by risk tier, not by organizational unit. High-privilege accounts (domain admins, system owners, contracting officers with system access) go first regardless of which department they sit in. Privileged accounts represent the highest blast radius if compromised; they also tend to be technically sophisticated users who generate fewer support tickets.

A practical three-phase schedule for a 2,000-person agency:

  • Phase 1 (weeks 1 to 6): Privileged and high-sensitivity accounts, approximately 200 users. Enforce phishing-resistant MFA at the identity provider policy level for this group.
  • Phase 2 (weeks 7 to 16): General workforce with compatible applications, approximately 1,400 users. Run enrollment in cohorts of 100 to 150 per week through a scheduled enrollment station or video session.
  • Phase 3 (weeks 17 to 24): Remaining users, legacy application remediation, and exception adjudication.

Communicate the schedule to supervisors four weeks before each cohort's enrollment date. Users who miss their enrollment window need a makeup process, not an indefinite extension.

Step 5: Exception Handling Without Creating Loopholes

Some users will have legitimate barriers: medical conditions that prevent touching a key, roles with no compatible device, or temporary situations like a lost key in transit. Each exception must be documented, time-bounded, and approved by the ISSO or equivalent.

Acceptable temporary compensating controls include: certificate-based authentication via PIV if the user has a smart card, or a supervised session on an agency-managed device with enhanced logging. SMS OTP and push notification are not acceptable compensating controls under OMB M-22-09 for federal agencies. State and local agencies should apply the same standard.

Set a maximum exception duration of 30 days with a mandatory review. Exceptions that persist beyond 90 days without resolution should trigger an escalation to the agency CISO. Exceptions that accumulate without review are how phishing-resistant MFA programs quietly fail.

Step 6: Sustainment and Metrics

A rollout is not complete at 100 percent enrollment. Sustainment requires three ongoing activities.

  • Monthly authentication telemetry review: Confirm that legacy authenticator methods show zero successful authentications for enrolled users. Any legacy auth success for an enrolled account is an incident, not a configuration glitch.
  • Key lifecycle management: Track issued keys in your IT asset management system. When a user offboards, revoke the credential in the identity provider and recover the physical key. Keys not recovered should be treated as lost and the credential revoked immediately.
  • Annual compatibility reassessment: Applications change. Reassess the compatibility matrix every 12 months and accelerate modernization for applications still on compensating controls.

Practical Takeaway

Phishing-resistant MFA rollouts fail for operational reasons, not technical ones: skipped identity proofing, legacy fallback methods left active, no backup key at enrollment, and exceptions that never close. Fix those four failure modes and the technical implementation is straightforward. Start with your readiness matrix, enforce a clean enrollment sequence, and treat every open exception as a tracked risk item with a deadline.

If your agency or organization is working through MFA modernization or broader identity security planning, our Consulting and AI Advisory practice can help you build a structured approach that fits your compliance requirements and workforce constraints. You can also reach us directly through our contact page to discuss your specific situation.

#phishing-resistant-mfa#fido2#federal-cybersecurity#identity-security#omb-m-22-09#public-sector-it
§ ShareX / TwitterLinkedIn
§ Need a quote?

Tell us about the work.

IT Custom Solution delivers cybersecurity, cloud, managed IT, and custom software for federal, state, and local agencies.

Analytics cookies? Details: cookies policy or privacy policy.