CISA recommendations on providing phishing-resistant authentication

David Strom 9 Nov 2022

CISA has two noteworthy considerations in developing the best MFA strategy.

The US Cybersecurity and Infrastructure Security Agency (CISA) has recently published a fact sheet on implementing phishing-resistant multi-factor authentication (MFA). The publication is in response to a growing number of cyberattacks that leverage poor MFA methods. “Not all forms of MFA are equally secure. Some forms are vulnerable to phishing, push bombing attacks, exploitation of Signaling System 7 (SS7) protocol vulnerabilities, or SIM swap attacks,” the agency writes. 

Some of these attack methods have made the news. With push bombing (also called MFA fatigue, for reasons that will become clear), bad actors bombard a user with dozens of push notifications until they press the “Accept” button, thereby granting the actor access to the network.

This is what happened recently with a hack on Uber’s network. CISA attributes these attacks to the lack of number matching, which lets users open the notification message and simply accept the MFA prompt. Since there is no additional step between receiving and accepting the prompt, attackers have been attracted to this method for their phishing lures. With number matching, a user must enter a time-sensitive sequence of numbers from their identity platform (such as Azure Active Directory or a single sign-on system) into their app to approve the authentication request. (CISA has a separate description on how to implement number matching.)
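To make the difference concrete, here is an added simulation (not CISA's or any vendor's code) of a push-approval service run in plain “Accept” mode and in number-matching mode; the service class, its method names and the two-digit code are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed simulation (not CISA's or any vendor's code); all names are assumptions.

@dataclass
class PushPrompt:
    number: str          # shown only on the login screen that started the request
    approved: bool = False

class PushService:
    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self.prompts: Dict[str, PushPrompt] = {}
        self.pending_on_phone: List[str] = []   # notifications the user's app shows

    def start_login(self, user: str) -> Tuple[str, str]:
        """Login page calls this after the password check; returns (prompt id, number)."""
        prompt_id = secrets.token_hex(8)
        number = f"{secrets.randbelow(100):02d}"
        self.prompts[prompt_id] = PushPrompt(number)
        self.pending_on_phone.append(prompt_id)  # the push itself never carries the number
        return prompt_id, number

    def approve(self, prompt_id: str, entered: Optional[str] = None) -> bool:
        """App calls this when the user taps Accept (typing a number if required)."""
        prompt = self.prompts.get(prompt_id)
        if prompt is None or prompt.approved:
            return False                         # unknown prompt or replayed approval
        if self.number_matching:
            # Without the number from the login screen the tap is worthless.
            if entered is None or not hmac.compare_digest(entered, prompt.number):
                return False
        prompt.approved = True
        return True

def fatigued_user_taps_accept(service: PushService) -> int:
    """User bombarded with prompts taps Accept on all of them, typing nothing."""
    granted = sum(service.approve(pid) for pid in service.pending_on_phone)
    service.pending_on_phone.clear()
    return granted

def unsolicited_prompts_granted(number_matching: bool, count: int = 5) -> int:
    """How many of `count` logins the user never started end up approved."""
    service = PushService(number_matching)
    for _ in range(count):
        service.start_login("alice")
    return fatigued_user_taps_accept(service)
```

In plain mode every blind tap grants the sender a session; with number matching none do, while a login the user actually started still succeeds once the displayed number is typed into the app.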

SIM swaps are where bad actors convince cellular carriers to transfer control of the user’s phone number to the actor’s own SIM card. Brian Krebs has written extensively about these threats, which are the reason that sending MFA codes via SMS texts or voice calls is less secure.

Don’t forget about other attack vectors

We’ve written about other attacks, including a round-up of commonly used attacks on simple passwords and ways to prevent them. We also covered new phishing toolkits discovered by academic researchers, using MFA to prevent social engineering attacks, and busting a variety of MFA myths. For your personal Google and Facebook accounts, we offer up some suggestions on how to deploy MFA.

The strongest form of phishing protection is to employ FIDO2 or WebAuthn-based tokens as your MFA method, what CISA calls the “gold standard.” WebAuthn support is included in all of the major browsers, operating systems, and smartphones. WebAuthn authenticators can either be separate hardware-based tokens that connect to a device via USB or near-field communication (NFC), or hardware that is embedded directly into laptops or mobile devices.

Avast became a member of the FIDO Alliance earlier this year. CISA’s analysis compares FIDO with other less-resistant MFA methods. In January, the US Office of Management and Budget issued recommendations that phishing-resistant MFA be implemented for all federal agencies.

Important considerations for developing an MFA strategy

First, you should understand the resources you want to protect from compromise. “For example, cyber threat actors often target email systems, file servers, and remote access systems to gain access to an organization’s data, along with trying to compromise identity servers like Active Directory, which would allow them to create new accounts or take control of user accounts.” CISA recommends that you consider those systems that support FIDO protocols as the first recipients of MFA protection.

Second, you should assess and locate users who might be high-value targets. “Every organization has a small number of user accounts that have additional access or privileges, which are especially valuable to cyber threat actors.” Examples include IT and system administrators, staff attorneys, and HR managers. Consider these groups for an initial rollout phase of your MFA project.

“CISA recommends that organizations identify systems that do not support MFA and develop a plan to either upgrade so these systems support MFA or migrate to new systems that support MFA.”

For more information, CISA has a detailed MFA web page that can help you get started.