CISA Urges Organizations to Implement Phishing-Resistant Multifactor Authentication

By | November 2, 2022

MFA is one of the most important measures to take to prevent unauthorized account access; however, it does not provide complete protection and some forms of MFA can be circumvented. Any form of MFA is better than none at all, but for maximum protection, organizations should implement phishing-resistant MFA, especially in industries such as healthcare that are extensively targeted by malicious cyber actors.

Multifactor authentication requires more than just a password to be provided before account access is granted, with the additional authentication being something a person has (physical device, one-time code) or something they are (fingerprint, voice print, etc.). In the event of a password being stolen in a phishing attack or being guessed using brute force tactics, it makes it much harder for a threat actor to access the account.

Phishing campaigns are now being conducted that use phishing kits with reverse proxies that allow threat actors to steal login credentials, MFA codes, and session cookies to circumvent MFA protection. Some forms of MFA are also susceptible to push bombing, Signaling System 7 (SS7) protocol vulnerabilities, and SIM Swap attacks.

CISA is urging all organizations to implement phishing-resistant multifactor authentication – the gold standard for MFA – or, if that is not possible, to implement number matching MFA. CISA has produced two fact sheets offering guidance for organizations on implementing phishing-resistant MFA and number matching MFA. The latter does not provide as strong protection as phishing-resistant MFA; however, it is suitable as an interim measure for any organization that is currently using mobile push-notification-based MFA and cannot yet switch to phishing-resistant MFA. Number matching helps prevent push bombing, by requiring users to enter a number from the identity platform into the app to approve the authentication request.

FIDO/WebAuthn authentication is the most widely available form of phishing-resistant MFA and is supported by major web browsers, OSs, and smartphones. WebAuthn works with the related FIDO2 standard to provide a phishing-resistant authenticator, such as a physical token connected to a device via USB or NFC, or can be embedded into laptops or mobile devices as platform authenticators. FIDO authentication also supports other forms of authentication such as biometrics and PIN codes.

As an alternative, public key infrastructure (PKI)-based MFA can be implemented. While this form of MFA is less widely available but may be better suited for large organizations. Guidance is offered in the fact sheets on implementing both forms of MFA, including how to prioritize the implementation phases and some of the stumbling blocks organizations can encounter, with advice on how to overcome them.

The post CISA Urges Organizations to Implement Phishing-Resistant Multifactor Authentication appeared first on HIPAA Journal.