CISA Urges Organizations to Implement Phishing-Resistant MFA
By deploying phishing-resistant multi-factor authentication (MFA), and number matching in MFA applications, organizations can defend themselves against phishing and related attacks, according to guidance published by the US Cybersecurity and Infrastructure Security Agency (CISA).
MFA requires users to present a combination of two or more separate authenticators to prove their identity. It is a security control designed to make it harder for attackers to access networks and systems using compromised login credentials.
CISA recommends that all organizations adopt MFA for their users and services, including email, financial, and file-sharing accounts, to reduce the risk of unauthorized access through compromised credentials.
“CISA strongly urges all organizations to implement phishing-resistant MFA as part of applying Zero Trust principles. While any form of MFA is better than no MFA and will reduce an organization’s attack surface, phishing-resistant MFA is the gold standard and organizations should make migrating to it a high priority effort,” CISA notes in its Implementing Phishing-Resistant MFA (PDF) guide.
According to the agency, some MFA methods are susceptible to attacks such as phishing (an attacker-controlled website can ask the user for the six-digit code from an authenticator app), “push bombing,” in which a user is flooded with push notifications until they tap “accept,” and SIM swapping, in which attackers deceive a phone carrier into transferring the victim’s phone number to an attacker-controlled SIM card.
To obtain authentication codes delivered by text message (SMS) or voice call, some attackers may exploit flaws in the Signaling System 7 (SS7) protocol used by telecommunications infrastructure.
To reduce these risks, organizations are encouraged to deploy FIDO/WebAuthn or public key infrastructure (PKI)-based authentication, which are phishing-resistant and not affected by the other attack types described.
CISA notes that app-based authentication methods such as one-time passwords (OTP), mobile push notifications with number matching, and token-based OTP are resistant to push bombing but vulnerable to phishing; mobile app push notifications without number matching are susceptible to user error and push bombing; and SMS and voice MFA are susceptible to phishing, SS7, and SIM-swap attacks.
The agency advises all organizations to adopt a phishing-resistant form of MFA, to identify any systems that do not support MFA, and to migrate to ones that do, such as MFA applications with number matching.
According to CISA’s Implementing Number Matching in MFA Applications (PDF) guide, number matching should reduce MFA fatigue, in which a user accepts a login attempt because they are frustrated or confused by the many prompts they are asked to respond to in quick succession. In May, Cisco’s systems were compromised using this technique.
“Cyber threat actors who have obtained a user’s password know they can enter it into an identity platform that uses mobile push-notification-based MFA to generate hundreds of prompts on the user’s device over a short period of time,” CISA explains.
With number matching, the user confirms an authentication request by entering into the authenticator app the number displayed by the identity platform on the login screen. According to CISA, this means the user must have access to the login screen in order to approve a request, which should deter prompt spam.
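As an added illustration (not CISA’s code or any vendor’s implementation), the following Python model contrasts a legitimate login, where the user types the number shown on their own login screen, with a push-bombing run in which the victim’s device receives prompts but the victim never sees the login screen. The `IdentityPlatform` class, the user name and the two-digit code range are hypothetical.

```python
import random
import secrets
from dataclasses import dataclass, field


@dataclass
class IdentityPlatform:
    """Constructed model of a push-MFA identity platform (hypothetical, not a real product)."""
    number_matching: bool = True
    rng: random.Random = field(default_factory=secrets.SystemRandom)
    pending: dict = field(default_factory=dict)     # request_id -> number on the login screen
    mismatches: list = field(default_factory=list)  # audit trail of failed approvals

    def start_login(self, username):
        """Password already accepted; issue a push and show a number on the login screen.
        Returns (request_id, shown_number); the push payload carries only request_id."""
        request_id = secrets.token_hex(8)
        shown = self.rng.randrange(100)  # two-digit number visible only at the login screen
        self.pending[request_id] = shown
        return request_id, shown

    def approve(self, request_id, entered_number=None):
        """Device-side approval; with number matching the typed number must match."""
        if request_id not in self.pending:
            return False
        if self.number_matching and entered_number != self.pending[request_id]:
            self.mismatches.append(request_id)  # worth alerting on when it spikes
            return False
        del self.pending[request_id]
        return True


def legitimate_login(platform):
    """The user is at the login screen, reads the number and types it into the app."""
    request_id, shown = platform.start_login("alice")
    return platform.approve(request_id, shown)


def push_bombing(platform, prompts, victim_guess=0):
    """Attacker with the password triggers many prompts. The attacker sees the number on
    their own screen but cannot type it into the victim's phone; the fatigued victim,
    who never sees the login screen, can only enter a blind guess. Returns approvals."""
    approved = 0
    for _ in range(prompts):
        request_id, _shown = platform.start_login("alice")  # _shown is on the attacker's screen
        if platform.approve(request_id, victim_guess):
            approved += 1
    return approved
```

Without number matching every blind tap is an approval; with it, a blind guess succeeds roughly one time in a hundred and each failure leaves a mismatch record the identity platform can alert on.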