Security Experts:

Connect with us

Hi, what are you looking for?


Identity & Access

CISA Urges Organizations to Implement Phishing-Resistant MFA

The US Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on how organizations can protect against phishing and other threats by implementing phishing-resistant multi-factor authentication (MFA) and number matching in MFA applications.

The US Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on how organizations can protect against phishing and other threats by implementing phishing-resistant multi-factor authentication (MFA) and number matching in MFA applications.

A security control meant to make it more difficult for attackers to access networks and systems using compromised login credentials, MFA requires users to present a combination of two or more different authenticators to verify their identity.

According to CISA, implementing MFA is an essential practice to reduce the threat of unauthorized access via compromised credentials, and all organizations should adopt it for their users and services, including email, financial, and file sharing accounts.

“CISA strongly urges all organizations to implement phishing-resistant MFA as part of applying Zero Trust principles. While any form of MFA is better than no MFA and will reduce an organization’s attack surface, phishing-resistant MFA is the gold standard and organizations should make migrating to it a high priority effort,” CISA notes in its Implementing Phishing-Resistant MFA (PDF) guide.

The agency notes that some forms of MFA are vulnerable to various types of cyberattacks, including phishing (attacker-controlled websites may request the six-digit code from an authenticator app), ‘push bombing’ (user is bombarded with push notifications until they hit the ‘accept’ button), and SIM swapping (the attackers trick a phone carrier to transfer the victim’s phone number to an attacker-controlled SIM card).

Additionally, some attackers may exploit Signaling System 7 (SS7) protocol vulnerabilities impacting the communications infrastructure to obtain authentication codes sent via text (SMS) or voice messages.

To mitigate the risks posed by such attacks, organizations are advised to implement FIDO/WebAuthn or public key infrastructure (PKI)-based authentication, which are phishing-resistant and unaffected by the other types of attacks.

According to CISA, app-based authentication such as one-time password (OTP), mobile push notification with number matching, and token-based OTP are resistant to push bombing, but vulnerable to phishing; mobile app push notification without number matching is vulnerable to push bombing and user error; and SMS and voice MFA is prone to phishing, SS7, and SIM-swap attacks.

The agency recommends that all organizations implement a form of phishing-resistant MFA and that they identify systems that do not support MFA and migrate to systems that do support the extra protection, such as MFA applications with number matching.

CISA’s Implementing Number Matching in MFA Applications (PDF) guide explains that the use of number matching should prevent MFA fatigue where, annoyed or confused by the many prompts received in a short period of time, a user may accept the login attempt. The technique was used in May to compromise Cisco’s systems.

“Cyber threat actors who have obtained a user’s password know they can enter it into an identity platform that uses mobile push-notification-based MFA to generate hundreds of prompts on the user’s device over a short period of time,” CISA explains.

Number matching requires the user to approve the authentication request by entering into their application numbers provided by the identity platform. This means that the user must have access to the login screen to approve requests, which should also discourage prompt spam, CISA says.

Related: High-Profile Hacks Show Effectiveness of MFA Fatigue Attacks

Related: Multi-Factor Authentication Bypass Led to Box Account Takeover

Related: Reality Check on the Demise of Multi-Factor Authentication

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...


The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.