The Cybersecurity and Infrastructure Security Agency (CISA) has announced critical guidance for organizations, highlighting the threats to certain forms of multifactor authentication (MFA). It urges all organizations to implement phishing-resistant MFA, and number matching in MFA applications, to protect against phishing and other known cyberthreats, and recommends that users and organizations read CISA’s fact sheets Implementing Phishing-Resistant MFA and Implementing Number Matching in MFA Applications.
What is meant by phishing-resistant MFA and Number Matching in MFA applications?
Let’s try to understand the meanings of these terms in simple words:
Phishing-Resistant MFA
Multifactor authentication (MFA) is a security control that prompts a user to verify their identity at login through a combination of two or more authenticators. The idea is to make it hard for cyberthreat actors to gain access to information systems and networks even if a password or personal identification number (PIN) has been compromised. When multiple factors are required, an unauthorized user cannot gain access to a system unless they control every one of the factors.
CISA strongly recommends that all organizations implement MFA for every user associated with the organization and for all services, including financial accounts, email, and file sharing. Although MFA plays a critical role in protecting systems from cyberthreat actors conducting malicious activities, not all forms of MFA provide the same level of security. Certain types of MFA are vulnerable to phishing, “push bombing” attacks, exploitation of Signaling System 7 (SS7) protocol vulnerabilities, and/or SIM swap attacks.
Phishing-Resistant MFA Implementations
CISA encourages all organizations to implement phishing-resistant MFA. The following are examples of such MFA implementations:
- FIDO/WebAuthn Authentication
- PKI-based MFA
Number Matching in MFA Applications
Mobile push-notification-based MFA is a form of application-based MFA that authenticates through a mobile application on the user’s smartphone. In this type of MFA, the user receives a prompt on their phone asking them to press an approve button to grant access to their account. MFA fatigue, also known as push bombing, can let cyberthreat actors gain access to systems protected by mobile push-notification-based MFA. In push bombing, the cyberthreat actor bombards the user’s mobile application with push notifications, which keep arriving until the user approves one, whether out of annoyance or by mistake.
CISA recommends using number matching to prevent MFA fatigue, especially when an organization that uses mobile push-notification-based MFA is unable to implement phishing-resistant MFA. With number matching, the user must enter a number shown by the identity platform on the login screen into their mobile app in order to approve the authentication. This mitigates MFA fatigue because a user cannot approve a request without entering that number, and a different number is generated for every login request.
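As an added illustration, not part of the original post or of any vendor’s code, here is a constructed toy model of the two approval flows described above: with plain push, a worn-down user’s blind tap on Approve succeeds, while with number matching any approval that does not carry the number shown on the login screen is rejected; a simple per-account push counter also shows how the bombardment itself can be flagged. The class and user names (IdentityPlatform, alice) and the thresholds are assumptions.

```python
import secrets


class IdentityPlatform:
    """Constructed toy model of a push-notification MFA service with optional number matching."""

    def __init__(self, number_matching, bomb_threshold=5, window_s=60.0):
        self.number_matching = number_matching
        self.bomb_threshold = bomb_threshold   # pushes per window that look like push bombing
        self.window_s = window_s
        self.pending = {}      # user -> number shown on the login page for the open request
        self.push_times = {}   # user -> timestamps of pushes sent to the phone

    def start_login(self, user, now):
        # Whoever submitted the password sees a fresh number on the login page;
        # the user's phone only receives a push asking for approval.
        number = secrets.randbelow(100)
        self.pending[user] = number
        self.push_times.setdefault(user, []).append(now)
        return number

    def approve(self, user, entered=None):
        # The user taps Approve; `entered` is the number typed into the app, if any.
        number = self.pending.pop(user, None)
        if number is None:
            return False
        if self.number_matching and entered != number:
            return False   # a blind or mistyped approval is rejected
        return True

    def push_bombing_suspected(self, user, now):
        # Detection hook: too many pushes for one account inside the window.
        recent = [t for t in self.push_times.get(user, []) if now - t <= self.window_s]
        return len(recent) >= self.bomb_threshold


def simulate_push_bombing(number_matching, pushes=6):
    """An attacker holding the password fires `pushes` logins; the worn-down user
    finally taps Approve without ever seeing the attacker's login screen.
    Returns (attacker_logged_in, bombing_detected)."""
    idp = IdentityPlatform(number_matching)
    for i in range(pushes):
        idp.start_login("alice", now=float(i))   # one push per second
    got_in = idp.approve("alice")                # no number: the user never saw one
    return got_in, idp.push_bombing_suspected("alice", now=float(pushes))


def legitimate_login(number_matching):
    """The real user reads the number off their own login screen and types it in."""
    idp = IdentityPlatform(number_matching)
    number = idp.start_login("alice", now=0.0)
    return idp.approve("alice", entered=number)
```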
Here are a few examples of MFA vendors that support number matching features:
- Microsoft Number Matching – Use number matching in multifactor authentication (MFA) notifications (Preview) – Azure Active Directory – Microsoft Entra | Microsoft Docs
- Duo Verified Push – Duo Administration – Policy & Control | Duo Security
- Okta TOTP – https://help.okta.com/oie/en-us/Content/Topics/identity-engine/authenticators/configure-okta-verify-options.htm
Disclaimer: Any opinions expressed in the blog do not necessarily reflect the opinions of Certrec. The content of this blog is meant for informational purposes only.