CISA Wants Companies to Use Phishing-Resistant Multifactor Authentication

MFA is one of the most essential steps to take to stop unauthorized account access; on the other hand, it doesn’t give total security and certain types of MFA could be circumvented. Any type of MFA is significantly better than not using one at all. However, for the greatest protection, companies ought to use phishing-resistant MFA, particularly in sectors like healthcare that are greatly attacked by malicious cybercriminals.

Multifactor authentication needs not just having a password before getting access to an account, but also additional authentication like something an individual owns (i.e. physical gadget, one-time PIN) or something they represent (voice print, fingerprint, etc.). In case a password is taken during a phishing attack or is guessed via brute force tactics, it is more difficult for a threat actor to get access to the account.

Today, phishing campaigns are being done that utilize phishing kits that have reverse proxies enabling threat actors to obtain MFA codes, login information, and session cookies to bypass MFA security. Certain types of MFA are additionally vulnerable to push bombing, SIM Swap, and Signaling System 7 (SS7) protocol vulnerability attacks.

CISA is encouraging all companies to use phishing-resistant multifactor authentication, which is the MFA gold standard. When that isn’t possible, then using number-matching MFA is an alternative. CISA has created two information sheets giving guidance for companies on employing phishing-resistant MFA as well as number-matching MFA. The second option is not as good as phishing-resistant MFA; nevertheless, it is ideal as a temporary solution for any company that is presently utilizing mobile MFA based on push notifications and cannot use phishing-resistant MFA yet. Number matching aids in the prevention of push bombing, by necessitating users to input a number from the identity platform in the application to accept the request for authentication.

The most extensively used form of phishing-resistant MFA is FIDO/WebAuthn authentication, which is supported by major OSs, internet browsers, and smartphones. The way WebAuthn works in relation to FIDO2 standard is to give a phishing-resistant authenticator, for example, a physical token linked to a device through NFC or USB, or may be embedded into laptop computers or mobile gadgets as authenticators of the platform. FIDO authentication additionally helps other types of authentication like PIN codes and biometrics.

As a substitute, MFA based on public key infrastructure (PKI) may be used. Although this kind of MFA is not as widely available, it may be more appropriate for big companies. Guidance is provided in the information sheets on using the two kinds of MFA, as well as information on how to prioritize the execution phases and a few of the challenges companies can come across, with tips on ways to resolve them.

Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.