The Cybersecurity and Infrastructure Security Agency (CISA) has published two fact sheets designed to highlight threats against accounts and systems using certain forms of multi-factor authentication (MFA).
“CISA strongly urges all organizations to implement phishing-resistant MFA to protect against phishing and other known cyber-threats,” the Agency wrote, commenting on the news.
The first of the two documents describes multiple methods threat actors have used to gain access to MFA credentials, including phishing, push bombing (AKA, push fatigue), exploitation of Signaling System No. 7 (SS7) protocol vulnerabilities and SIM swap.
To defend against these threats, CISA has recommended deploying phishing-resistant MFA solutions based on FIDO/WebAuthn and public key infrastructure (PKI).
Regarding app-based authentication, CISA mentioned one-time passwords (OTP), mobile push notifications with (or without) number matching and token-based OTP. SMS and voice MFA should also rely on OTP codes sent to users' phones or emails.
As for the second fact sheet published by the Agency, it provides additional information about threats and defense against accounts and systems using mobile push notification-based MFA, including how MFA prompts work, how to mitigate threats targeting these systems and best practices for using MFA with number matching.
“Number matching is a setting that forces the user to enter numbers from the identity platform into their app to approve the authentication request,” CISA explained. “If an organization using mobile push-notification-based MFA is unable to implement phishing-resistant MFA, CISA recommends using number matching to mitigate MFA fatigue.”
On this point, CISA has clarified that, although number matching is not as robust as phishing-resistant MFA, it is one of the best interim mitigations for companies who may not immediately be able to implement phishing-resistant MFA.
Both fact sheets published by the Agency this month are available at this link here. Their publication comes weeks after security researchers at Proofpoint discovered a phishing campaign trying to steal Microsoft credentials and bypass some MFA measures.