CISA Recommendations on Phishing-resistant MFA
The Cybersecurity and Infrastructure Security Agency (CISA) has published two fact sheets designed to heighten awareness around threats against accounts and systems using certain forms of multi-factor authentication (MFA). MFA is a security control that requires a user to present a combination of two or more different authenticators (something you know, something you have, or something you are) to verify their identity prior to login. CISA strongly urges all organizations to implement phishing-resistant MFA, such as WatchGuard AuthPoint, to protect against phishing and other known cyber threats.
CISA is highlighting security vulnerabilities inherent in some push-notification MFA implementations. Mobile push-notification-based MFA is a form of application-based MFA that authenticates by having a mobile application send a notification to the user’s smartphone. After receiving the prompt (the “push” notification), the user simply presses “approve” on the notification to grant themselves access to their account. Because approving a request is so easy in these implementations, cyber threat actors can gain access to systems protected by mobile push-notification-based MFA by using the “MFA fatigue” technique. MFA fatigue, also known as “prompt bombing” or “push bombing,” occurs when a cyber threat actor bombards a user with mobile application push notifications until the user approves a request, either by accident or out of annoyance with the nonstop notifications.
MFA implementations are intended to solve the problems associated with passwords. Account passwords are commonly revealed in data breaches and offered for sale online. Cyber threat actors who have obtained a user’s password can enter it into an identity platform that uses the weaker mobile push-notification-based MFA and generate hundreds of prompts on the user’s device over a short period of time. This activity understandably annoys the user, who may press accept to stop the prompts, either accidentally or out of MFA fatigue. Alternatively, the prompts may confuse the user, who may assume one of the requests is legitimate and approve it. In any of these scenarios, the user unknowingly grants the cyber threat actor access to their account. User awareness and training on the latest threats, such as prompt bombing, are also recommended.
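The burst of prompts described above is visible in identity-provider logs, so a defender can alert on it. The following detection logic is an added example (not from the CISA fact sheets or any vendor product); the log lines, field layout, threshold and window are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of push-MFA events from an identity provider (not real logs).
# Fields: timestamp, user, event (push_sent / push_denied / push_approved), source IP
SAMPLE_EVENTS = [
    "2024-05-01T02:14:03Z alice push_sent 198.51.100.7",
    "2024-05-01T02:14:09Z alice push_denied 198.51.100.7",
    "2024-05-01T02:14:21Z alice push_sent 198.51.100.7",
    "2024-05-01T02:14:30Z alice push_sent 198.51.100.7",
    "2024-05-01T02:14:41Z alice push_sent 198.51.100.7",
    "2024-05-01T02:14:55Z alice push_sent 198.51.100.7",
    "2024-05-01T02:15:02Z alice push_approved 198.51.100.7",
    "2024-05-01T09:00:00Z bob push_sent 203.0.113.5",
    "2024-05-01T09:00:12Z bob push_approved 203.0.113.5",
]

PROMPT_THRESHOLD = 4            # assumed: this many prompts inside the window is a burst
WINDOW = timedelta(minutes=10)  # assumed sliding window

def parse(line):
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip

def detect_push_bombing(lines, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Return {user: finding} for users whose push prompts reach `threshold` within `window`.

    A finding records the peak prompt count and whether an approval followed the burst,
    which is the pattern that suggests the user gave in to MFA fatigue."""
    recent = defaultdict(deque)   # user -> timestamps of push_sent still inside the window
    findings = {}
    for ts, user, event, ip in sorted(parse(l) for l in lines):
        q = recent[user]
        if event == "push_sent":
            q.append(ts)
            while q and ts - q[0] > window:   # drop prompts that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(
                    user, {"prompts": 0, "approved_after_burst": False, "source_ip": ip})
                f["prompts"] = max(f["prompts"], len(q))
        elif event == "push_approved" and user in findings:
            findings[user]["approved_after_burst"] = True   # burst ended in an approval
    return findings
```

An approval that follows a burst is the case to treat as a likely compromise rather than a nuisance alert: revoke the session and verify with the user out of band.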
CISA has consistently urged organizations to implement MFA for all users and for all services, including email, file sharing, and financial account access. MFA is an essential practice to reduce the threat of cyber threat actors using compromised credentials to gain access to and conduct malicious activity on networks. However, not all forms of MFA are equally secure. Some forms are vulnerable to phishing, “push bombing” attacks, exploitation of Signaling System 7 (SS7) protocol vulnerabilities, and/or SIM swap attacks. These attacks, if successful, may allow a threat actor to obtain MFA authentication credentials or bypass MFA and access the MFA-protected systems. Phishing-resistant MFA implementations protect against these threats.
You can view the full CISA Phishing-resistant MFA recommendations from the CISA publication below.
The only widely available phishing-resistant authentication is FIDO/WebAuthn authentication. The FIDO Alliance originally developed the WebAuthn protocol as part of the FIDO2 standards, and it is now published by the World Wide Web Consortium (W3C). WebAuthn support is included in major browsers, operating systems, and smartphones. WebAuthn works with the related FIDO2 standard to provide a phishing-resistant authenticator. WebAuthn authenticators can either be:
• Separate physical tokens (called “roaming” authenticators) connected to a device via USB or near-field communication (NFC), or
• Embedded into laptops or mobile devices as “platform” authenticators.
In addition to being “something that you have,” FIDO authentication can incorporate various other types of factors, such as biometrics or PIN codes. FIDO2-compliant tokens are available from a variety of vendors.
A less widely available form of phishing-resistant MFA is tied to an enterprise’s PKI. PKI-based MFA comes in a variety of forms; a well-known form of PKI-based MFA is the smart cards that government agencies use to authenticate users to their computers. PKI-based MFA provides strong security and is sensible for large and complex organizations.
However, successfully deploying PKI-based MFA requires highly mature identity management practices. It is also not as widely supported by commonly used services and infrastructure, especially in the absence of SSO technologies. In most PKI-based MFA deployments, a user’s credentials are contained in a security chip on a smart card, and the card must be directly connected to a device for the user to log into the system (with the correct password or PIN). The U.S. government’s personal identity verification (PIV) card and common access card (CAC) are examples of PKI-based MFA.
If an organization using the weaker mobile push-notification-based MFA is unable to implement phishing-resistant MFA, CISA recommends using number matching to mitigate MFA fatigue. Although number matching is not as strong as phishing-resistant MFA, it is one of the best interim mitigations for organizations that may not immediately be able to implement phishing-resistant MFA.
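Number matching defeats push bombing because the prompt no longer offers a one-tap “approve”: the user must type a number that is shown only on the login page that started that specific attempt. The toy model below is an added illustration of that mechanism (not any vendor’s implementation); the class names, the two-digit numbers and the fixed number sequence used for the simulation are constructed assumptions.

```python
import secrets
from dataclasses import dataclass

@dataclass
class LoginAttempt:
    user: str
    number: str    # displayed on the login page of whoever started this attempt

class NumberMatchingMFA:
    def __init__(self, number_source=None):
        # number_source lets a simulation inject fixed numbers; by default use secrets
        self._next_number = number_source or (lambda: f"{secrets.randbelow(100):02d}")
        self.pending = {}                        # attempt_id -> LoginAttempt

    def start_login(self, user):
        """Called after a correct password; returns (attempt_id, number to show on the page)."""
        attempt_id = secrets.token_hex(8)
        number = self._next_number()
        self.pending[attempt_id] = LoginAttempt(user, number)
        return attempt_id, number

    def respond_to_push(self, attempt_id, entered_number):
        """Handle the app's reply. Succeeds only if the typed number matches the number shown
        for this exact attempt; each attempt is single-use, so a wrong answer forces a restart."""
        attempt = self.pending.pop(attempt_id, None)
        if attempt is None or entered_number is None:
            return False                         # unknown/consumed attempt, or a blind tap
        return secrets.compare_digest(entered_number, attempt.number)

def simulate_push_bombing():
    """An attacker holding alice's password starts five logins while alice starts her own.
    Returns (blind_tap_successes, own_number_typed_into_attacker_prompts,
             legitimate_success, replay_of_consumed_attempt)."""
    fixed = iter(["17", "42", "63", "08", "91", "35"])   # constructed numbers, for determinism
    mfa = NumberMatchingMFA(number_source=lambda: next(fixed))
    attacker_ids = [mfa.start_login("alice")[0] for _ in range(5)]
    legit_id, legit_number = mfa.start_login("alice")   # alice sees "35" on her own screen
    # Fatigued user taps through two attacker prompts without a number: nothing to approve
    blind = sum(mfa.respond_to_push(a, None) for a in attacker_ids[:2])
    # Confused user types the number from her own screen into the other attacker prompts
    mistyped = sum(mfa.respond_to_push(a, legit_number) for a in attacker_ids[2:])
    legit = mfa.respond_to_push(legit_id, legit_number)     # her own attempt succeeds
    replay = mfa.respond_to_push(legit_id, legit_number)    # attempt already consumed
    return blind, mistyped, legit, replay
```

The model also shows the residual weakness the text alludes to: number matching stops blind approvals, but unlike FIDO/WebAuthn it still relies on the user reading the number from a page that a phishing site could relay.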