
Phishing-resistant authentication for government access: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6131
Topic starter  

TL;DR: Federal agencies and contractors are converging on phishing-resistant authentication by default, with PIV/CAC and FIDO2/WebAuthn as the two ceremonies that meet the bar and derived credentials filling mobile and BYOD gaps, according to Scramble ID. The architecture now has to satisfy OMB M-22-09, NIST SP 800-63-4, FedRAMP, CJIS, and state mandates without leaving legacy systems behind.

NHIMG editorial — based on content published by Scramble ID: Authentication for Government and Public Sector

Questions worth separating out

Q: How should government teams implement phishing-resistant authentication across mixed environments?

A: Use different ceremonies for different trust contexts.

Q: Why do legacy systems complicate phishing-resistant MFA programmes?

A: Legacy systems often cannot consume modern federation, device binding, or cryptographic ceremonies cleanly, so teams end up preserving weaker login paths to avoid breaking operations.

Q: What breaks when machine-to-machine access still relies on shared secrets?

A: Shared secrets are replayable, hard to govern across boundaries, and difficult to prove during audit.

Practitioner guidance

  • Map every access path to an approved ceremony: Classify workforce, contractor, partner, citizen, and machine-to-machine paths separately, then assign PIV/CAC, FIDO2/WebAuthn, derived PIV, or sender-constrained tokens based on assurance and device context.
  • Close the mobile and BYOD assurance gap: Use derived PIV or FIDO2/WebAuthn where smart-card readers are impractical, and require device binding plus posture checks so assurance does not fall away on unmanaged endpoints.
  • Replace shared secrets on service paths: Move inter-service authentication to mTLS and sender-constrained tokens, then inventory any remaining shared secrets in APIs, cloud workloads, and cross-boundary integrations.

What's in the full article

Scramble ID's full report covers the operational detail this post intentionally leaves for the source:

  • Step-by-step authentication patterns for federal employees on managed workstations, mobile devices, and BYOD endpoints.
  • Concrete channel-by-channel guidance for contractors, partner federation, and citizen-facing services that need phishing-resistant access.
  • Machine-to-machine patterns using mTLS and sender-constrained tokens for cross-boundary service identity.
  • Compliance mapping across OMB M-22-09, NIST SP 800-63-4, FedRAMP, CJIS, IRS Pub. 1075, and state mandates.

👉 Read Scramble ID's authentication guide for government and public sector →
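The post's point that shared secrets on service paths are replayable while sender-constrained tokens are not can be shown in code. The following is an added example, not from Scramble ID's guide or the NHIMG editorial; it assumes RFC 8705 style certificate-bound tokens, where the token carries a `cnf` claim with the `x5t#S256` thumbprint of the mTLS client certificate, and it stands in a JSON dict for an already signature-verified JWT payload.

```python
"""Bearer vs sender-constrained (certificate-bound) token acceptance.
Added example; assumes RFC 8705 semantics: cnf["x5t#S256"] holds the
base64url SHA-256 thumbprint of the DER client certificate. Signature
verification of the token is out of scope and assumed done upstream."""
import base64
import hashlib
import hmac


def cert_thumbprint(cert_der: bytes) -> str:
    """base64url (no padding) SHA-256 of the DER certificate, per RFC 8705."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_token(claims: dict, cert_der: bytes) -> dict:
    """Issue a token constrained to the client certificate that will present it."""
    return {**claims, "cnf": {"x5t#S256": cert_thumbprint(cert_der)}}


def accept_bearer(token: dict, presenter_cert_der: bytes) -> bool:
    """Legacy shared-secret behaviour: whoever holds the token gets in."""
    return token.get("sub") is not None


def accept_sender_constrained(token: dict, presenter_cert_der: bytes) -> bool:
    """Hardened: the mTLS client certificate must match the cnf thumbprint."""
    expected = token.get("cnf", {}).get("x5t#S256")
    if expected is None:
        return False  # unbound token: refuse rather than fall back to bearer
    presented = cert_thumbprint(presenter_cert_der)
    return hmac.compare_digest(expected, presented)


# Constructed sample inputs: stand-ins for two services' DER certificates.
SERVICE_A_CERT = b"constructed-der-for-service-a"
SERVICE_B_CERT = b"constructed-der-for-service-b"
TOKEN = bind_token({"sub": "service-a", "scope": "records:read"}, SERVICE_A_CERT)

if __name__ == "__main__":
    # A token stolen from service A and replayed by service B:
    print(accept_bearer(TOKEN, SERVICE_B_CERT))              # True  (replay succeeds)
    print(accept_sender_constrained(TOKEN, SERVICE_A_CERT))  # True  (legitimate holder)
    print(accept_sender_constrained(TOKEN, SERVICE_B_CERT))  # False (replay rejected)
```

The same check applies to other sender-constraining mechanisms; only the proof of possession (here, the TLS client certificate) changes.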


(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624

Phishing resistance is now an identity governance baseline, not an advanced option. OMB M-22-09 effectively resets the expected bar for federal authentication, and the article shows that PIV/CAC and FIDO2/WebAuthn are the two ceremonies that satisfy it. That shifts the debate from whether to adopt phishing-resistant MFA to how to govern which access paths can use which ceremony. Practitioners should treat this as a policy and architecture decision, not a tactical login change.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when phishing-resistant authentication is required but not implemented?

A: Accountability usually sits with the identity, platform, and system owners together, because authentication is a shared control surface. In government programmes, the compliance obligation extends to the agency, its contractors, and any federated service provider that handles the access path. The programme owner must ensure the assurance level matches the use case.

👉 Read our full editorial: Phishing-resistant authentication is becoming the federal default
