
Advancing phishing-resistant MFA 

Identity threats are rising across federal cybersecurity, highlighting the need for agencies to evolve beyond legacy multifactor authentication (MFA) to minimize cyberattacks.  

According to the Cybersecurity and Infrastructure Security Agency (CISA), more than 90 percent of successful cyberattacks start with a phishing scheme. These identity-driven attacks continue to challenge traditional, perimeter-based defenses and are prompting federal agencies to adopt phishing-resistant MFA as a baseline. 

As missions become more distributed, agencies must enable trusted access wherever work happens without weakening assurance. To support these zero-trust access strategies, Samsung partners with federal agencies to enable an identity-first posture and provide a baseline platform for Zero Trust security architectures.  

The foundation of zero trust

Federal Zero Trust guidance emphasizes that agencies should initially focus on identity management as the central component of any zero-trust policy decision. In fact, the Office of Management and Budget’s M-22-09 mandates continuous verification of users, devices and sessions across all access requests. Similarly, NIST Special Publication 800-63-3 defines how digital credentials must be proven, authenticated and managed across their lifecycle. To achieve this level of identity confidence through continuous verification, agencies must first ensure that the initial starting point for every access decision is backed by high-assurance, phishing-resistant authentication.

Beyond traditional MFA

Modern attacks often target users rather than the infrastructure itself. Phishing lets bad actors bypass traditional controls entirely by masquerading as a legitimate user. Once an adversary can impersonate a user, they use that user's valid permissions to access corporate data without triggering traditional security controls. This makes credential compromise the most efficient path into federal systems.

MFA has long been a cornerstone of identity across modern IT environments. Legacy methods like SMS codes, voice calls, one-time passcodes and push notifications improve access control but remain vulnerable to advanced phishing and interception.

Federal guidance reflects this reality. National Institute of Standards and Technology (NIST) Special Publication 800-63-3 restricts weaker authentication methods, while OMB M-22-09 directs agencies to move away from phishing-prone approaches. Additionally, CISA’s recently updated Mobile Communications Best Practice Guide identifies phishing-resistant MFA as a key control. 

Together, these standards reinforce phishing-resistant MFA as a core pillar of Zero Trust. In this model, identity shifts from something that can be intercepted and replayed to something that must be physically possessed and cryptographically proven.

Identity and cryptography

Phishing-resistant authentication is often rooted in public key infrastructure (PKI). Instead of entering credentials, the device uses a secure digital key to prove identity, which can be verified by the receiving party. This ensures credentials cannot be replayed and ties access directly to a specific device.
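The mechanism described in this section and in "Beyond traditional MFA" above (a device-held key proving identity, a response that cannot be replayed, access bound to a specific device) can be made concrete with a small challenge-response simulation. The following Go program is an added example written for this page; it is not code from the original post, from Samsung, or from any federal system. The relying-party origin `https://portal.example.gov`, the user name `alice`, the look-alike origin and the two-minute challenge lifetime are constructed values, and the private key is held in memory only to stand in for hardware-backed key storage on a real device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Authenticator stands in for a device-bound key pair; on a real phone the private key never leaves hardware-backed storage.
type Authenticator struct {
	Public  ed25519.PublicKey // the only part that leaves the device, registered at enrollment
	private ed25519.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{Public: pub, private: priv}, nil
}

// Assertion is the device's reply: the origin it actually connected to, the challenge it was given, and a signature over both.
type Assertion struct {
	Origin, Challenge string
	Signature         []byte
}

// signedData binds origin and challenge together, so a signature made for one site is meaningless at any other.
func signedData(origin, challenge string) []byte {
	return []byte(origin + "\x00" + challenge)
}

// Sign answers a challenge for the origin the device believes it is talking to.
func (a *Authenticator) Sign(origin, challenge string) Assertion {
	sig := ed25519.Sign(a.private, signedData(origin, challenge))
	return Assertion{Origin: origin, Challenge: challenge, Signature: sig}
}

// RelyingParty is the service being accessed: its own origin, each user's registered key, and outstanding challenges.
type RelyingParty struct {
	Origin  string
	keys    map[string]ed25519.PublicKey
	pending map[string]time.Time // challenge -> expiry
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, keys: map[string]ed25519.PublicKey{}, pending: map[string]time.Time{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.keys[user] = pub }

// NewChallenge issues a fresh random nonce, valid once and only for a short time (constructed two-minute lifetime).
func (rp *RelyingParty) NewChallenge() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	c := hex.EncodeToString(buf)
	rp.pending[c] = time.Now().Add(2 * time.Minute)
	return c, nil
}

var (
	ErrStaleChallenge = errors.New("challenge unknown, expired or already used")
	ErrOriginMismatch = errors.New("assertion was signed for a different origin")
	ErrBadSignature   = errors.New("signature does not verify under the user's registered key")
)

// Verify consumes the challenge first, then checks origin and signature, so a captured assertion is useless a second time.
func (rp *RelyingParty) Verify(user string, as Assertion) error {
	exp, ok := rp.pending[as.Challenge]
	if !ok || time.Now().After(exp) {
		return ErrStaleChallenge
	}
	delete(rp.pending, as.Challenge)
	if as.Origin != rp.Origin {
		return ErrOriginMismatch
	}
	pub, ok := rp.keys[user] // an unknown user has no key and fails the same way as a forged signature
	if !ok || !ed25519.Verify(pub, signedData(as.Origin, as.Challenge), as.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	dev, _ := NewAuthenticator()
	rp := NewRelyingParty("https://portal.example.gov") // constructed origin
	rp.Register("alice", dev.Public)
	c, _ := rp.NewChallenge()
	as := dev.Sign(rp.Origin, c)
	fmt.Println("genuine login:", rp.Verify("alice", as))      // <nil>
	fmt.Println("replayed assertion:", rp.Verify("alice", as)) // stale challenge
	c2, _ := rp.NewChallenge()
	lured := dev.Sign("https://portal-example.gov.invalid", c2) // device signs the origin it actually sees
	fmt.Println("look-alike origin:", rp.Verify("alice", lured)) // origin mismatch
}
```

Three properties from the text are visible in `Verify`: the nonce is single-use and short-lived, so a recorded response cannot be replayed; the signature covers the origin the device was really connected to, so a response produced on a look-alike site does not verify at the genuine one; and only the key enrolled for that user is accepted, so access is tied to the device holding it. Production deployments get the same checks from standardized protocols such as FIDO2/WebAuthn or certificate-based authentication with PIV/CAC credentials rather than from a hand-rolled scheme like this one.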

Federal agencies are already familiar with this PKI-based MFA model. PIV (Personal Identity Verification) cards and CACs (Common Access Cards) are widely adopted to establish government-issued identities. They store cryptographic certificates used for authentication and enable digital signatures, ensuring access is tied to a vetted individual. Every government employee and many integrators already use these MFA methods to access protected systems from their computers.

Extending identity to the distributed environments

As missions become more mobile, secure access cannot be limited to desktops alone. Identity must extend securely across office, home, or field environments without weakening assurance.  

While CAC and PIV provide a strong foundation, they were designed for fixed environments and must evolve to meet the demands of distributed missions.

Mobile devices are uniquely positioned to support this shift. Samsung Knox provides a hardware-backed security foundation from the chip level up, enabling device attestation, secure key storage and defense-grade security. By expanding support for phishing-resistant authentication, Samsung devices enable agencies to extend identity to mobile environments without introducing additional complexity or weakening assurance.

Identity forward

Devices themselves now have the power to prove identity, and their role will continue to expand across government. This creates a layered approach to identity assurance that combines device trust and user verification.  

The future of cybersecurity will revolve around identity verification, with a strong shift toward phishing-resistant MFA. This evolution will build on high-assurance methods for verifying both devices and their users.

Looking ahead, strong identity assurance is essential to unlocking the full productivity potential enabled by widespread adoption of smartphones. The challenge will be scaling it across mobile, remote and mission environments. Achieving this will require solutions that integrate seamlessly with federal infrastructure. Rather than replacing CAC and PIV, this evolution will extend their trust model to mobile environments by leveraging hardware-backed security embedded right within the device.

The future of identity is device-bound, high-assurance and built for mission mobility. 



Written By

Craig Ano

Craig Ano is the Director, Mobile B2B – Government, for Samsung Electronics. In that role, Craig leads an engineering organization that works directly with US Federal, Public Sector, and Education agencies to securely develop and deploy advanced mobile endpoint solutions. Craig is an expert in Information Security, bringing 30 years of experience in Information Technology and over 20 years specializing in Mobile Computing. Prior to joining Samsung, Craig served in leadership and engineering roles for US Federal agencies and Fortune 500 companies. Craig is based in the Washington DC metro area.
