CISA Urges Organizations to Implement Phishing-Resistant MFA

The US Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on how organizations can protect against phishing and other threats by implementing phishing-resistant multi-factor authentication (MFA) and number matching in MFA applications.

A security control meant to make it more difficult for attackers to access networks and systems using compromised login credentials, MFA requires users to present a combination of two or more different authenticators to verify their identity.

According to CISA, implementing MFA is an essential practice to reduce the threat of unauthorized access via compromised credentials, and all organizations should adopt it for their users and services, including email, financial, and file sharing accounts.

“CISA strongly urges all organizations to implement phishing-resistant MFA as part of applying Zero Trust principles. While any form of MFA is better than no MFA and will reduce an organization’s attack surface, phishing-resistant MFA is the gold standard and organizations should make migrating to it a high priority effort,” CISA notes in its Implementing Phishing-Resistant MFA (PDF) guide.

The agency notes that some forms of MFA are vulnerable to various types of cyberattacks, including phishing (attacker-controlled websites may request the six-digit code from an authenticator app), ‘push bombing’ (user is bombarded with push notifications until they hit the ‘accept’ button), and SIM swapping (the attackers trick a phone carrier to transfer the victim’s phone number to an attacker-controlled SIM card).

Additionally, some attackers may exploit Signaling System 7 (SS7) protocol vulnerabilities impacting the communications infrastructure to obtain authentication codes sent via text (SMS) or voice messages.

To mitigate the risks posed by such attacks, organizations are advised to implement FIDO/WebAuthn or public key infrastructure (PKI)-based authentication, which are phishing-resistant and unaffected by the other types of attacks.

According to CISA, app-based authentication such as one-time password (OTP), mobile push notification with number matching, and token-based OTP are resistant to push bombing, but vulnerable to phishing; mobile app push notification without number matching is vulnerable to push bombing and user error; and SMS and voice MFA is prone to phishing, SS7, and SIM-swap attacks.

The agency recommends that all organizations implement a form of phishing-resistant MFA and that they identify systems that do not support MFA and migrate to systems that do support the extra protection, such as MFA applications with number matching.

CISA’s Implementing Number Matching in MFA Applications (PDF) guide explains that the use of number matching should prevent MFA fatigue where, annoyed or confused by the many prompts received in a short period of time, a user may accept the login attempt. The technique was used in May to compromise Cisco’s systems.

“Cyber threat actors who have obtained a user’s password know they can enter it into an identity platform that uses mobile push-notification-based MFA to generate hundreds of prompts on the user’s device over a short period of time,” CISA explains.

Number matching requires the user to approve the authentication request by entering into their application numbers provided by the identity platform. This means that the user must have access to the login screen to approve requests, which should also discourage prompt spam, CISA says.

Related: High-Profile Hacks Show Effectiveness of MFA Fatigue Attacks

Related: Multi-Factor Authentication Bypass Led to Box Account Takeover

Related: Reality Check on the Demise of Multi-Factor Authentication