Tuesday, July 2, 2024

CISA Urges Organizations to Implement Phishing-Resistant MFA

According to guidance published by the US Cybersecurity and Infrastructure Security Agency (CISA), organizations can defend themselves against phishing and related attacks by deploying phishing-resistant multi-factor authentication (MFA) and, where that is not yet possible, by enabling number matching in their MFA applications.

MFA requires users to submit a combination of two or more separate authenticators to prove their identity. MFA is a security feature designed to make it more difficult for attackers to gain access to networks and systems using compromised login credentials.

CISA encourages all businesses to adopt MFA for their users and services, including email, financial, and file-sharing accounts, to reduce the risk of unwanted access through compromised credentials.

“CISA strongly urges all organizations to implement anti-phishing MFA as part of applying the Zero Trust Principle. Any form of MFA is better than no MFA and can reduce an organization’s attack surface, but anti-phishing MFA is the highest standard and organizations should make it a top priority,” says CISA’s Implementing Phishing-Resistant MFA (PDF) guide.

According to the agency, some MFA methods are vulnerable to several kinds of attack: phishing (an attacker-controlled website can ask the user for the six-digit code from their authenticator app and relay it to the real login page), push bombing (the attacker floods the user with push notifications until one is accepted), and SIM swapping (the attacker tricks the carrier into transferring the victim’s phone number to an attacker-controlled SIM card).

To intercept an authentication code delivered by text message (SMS) or voice call, some attackers exploit weaknesses in the Signaling System 7 (SS7) protocol used by the telephone network itself.

CISA recommends that organizations reduce the risk of these attacks by deploying FIDO/WebAuthn or public key infrastructure (PKI) based authentication, the methods it classifies as phishing-resistant.

CISA says that app-based authentication methods such as one-time passwords (OTPs), mobile push notifications with number matching, and token-based OTP resist push bombing but remain vulnerable to phishing. Mobile push notifications without number matching are vulnerable to user error and push bombing. SMS and voice MFA are vulnerable to phishing, SS7 interception, and SIM swapping.

The agency advises all organizations to adopt a form of MFA that is phishing-resistant, to identify systems that do not support MFA and migrate to ones that do, and, where phishing-resistant MFA is not yet available, to use MFA applications with number matching.

According to CISA’s Implementing Number Matching in MFA Applications (PDF) handbook, number matching mitigates MFA fatigue, in which users worn down by a flood of prompts approve a login attempt just to make the notifications stop. Cisco was breached using this method in May.

CISA explains, “We know that cyber threat actors who have obtained a user’s password can enter it into an identity platform that uses mobile push notification-based MFA, generating hundreds of prompts on a user’s device in a short amount of time.”

With number matching, the identity platform displays a number on the login screen, and the user must enter that same number in the authenticator app to approve the request. As CISA notes, this means a user can only approve a request if they can see the login screen, so a flood of unsolicited prompts cannot simply be accepted.
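The following Python simulation is an added example, not CISA’s or the article’s code, and covers the two failure modes described above: the OTP relay that makes app-based codes phishable, and the push bomb that number matching is meant to stop. It also shows why a FIDO/WebAuthn assertion survives the same relay. The user name, origins, and prompt layout are assumptions; the TOTP function is the real RFC 6238 algorithm, but the passkey signature is simplified to an HMAC shared between authenticator and identity platform (a stand-in for the real public-key signature over the browser-supplied origin and challenge).

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code an authenticator app displays."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class PushPrompt:
    prompt_id: str
    number: Optional[int]  # shown on the login screen only when number matching is on
    approved: bool = False


class IdentityPlatform:
    """Toy identity provider (assumed) supporting TOTP, push with/without
    number matching, and a WebAuthn-style origin-bound assertion."""

    def __init__(self, origin: str):
        self.origin = origin
        self.totp_secrets: Dict[str, bytes] = {}
        self.passkeys: Dict[str, bytes] = {}  # HMAC key stands in for the public key
        self.prompts: Dict[str, PushPrompt] = {}

    def verify_totp(self, user: str, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_secrets[user], now))

    def send_push(self, user: str, number_matching: bool) -> PushPrompt:
        number = secrets.randbelow(100) if number_matching else None
        prompt = PushPrompt(secrets.token_hex(4), number)
        self.prompts[prompt.prompt_id] = prompt
        return prompt

    def approve_push(self, prompt_id: str, entered: Optional[int]) -> bool:
        prompt = self.prompts[prompt_id]
        # With number matching, approval requires the number from the login screen.
        if prompt.number is not None and entered != prompt.number:
            return False
        prompt.approved = True
        return True

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify_assertion(self, user: str, challenge: bytes,
                         assertion: Tuple[str, bytes]) -> bool:
        signed_origin, signature = assertion
        if signed_origin != self.origin:  # origin binding: the phishing-resistance check
            return False
        expected = hmac.new(self.passkeys[user], signed_origin.encode() + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)


class Authenticator:
    """The user's device. The browser, not the user, supplies the origin
    that gets signed, so a phishing page cannot claim the real origin."""

    def __init__(self, totp_secret: bytes, passkey: bytes):
        self.totp_secret = totp_secret
        self.passkey = passkey

    def totp_code(self, now: int) -> str:
        return totp(self.totp_secret, now)

    def sign(self, browser_origin: str, challenge: bytes) -> Tuple[str, bytes]:
        sig = hmac.new(self.passkey, browser_origin.encode() + challenge,
                       hashlib.sha256).digest()
        return browser_origin, sig


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenarios; user 'alice' and both origins are assumptions."""
    idp = IdentityPlatform("https://login.example")
    device = Authenticator(secrets.token_bytes(20), secrets.token_bytes(32))
    idp.totp_secrets["alice"] = device.totp_secret
    idp.passkeys["alice"] = device.passkey
    now = 1_700_000_000
    results: Dict[str, bool] = {}

    # 1. OTP relay: the phishing site asks Alice for her code and forwards it.
    relayed_code = device.totp_code(now)
    results["totp_relay"] = idp.verify_totp("alice", relayed_code, now)

    # 2. Push bomb, no number matching: the attacker logs in with Alice's
    #    password; Alice, tired of prompts, taps approve.
    prompt = idp.send_push("alice", number_matching=False)
    results["push_bomb"] = idp.approve_push(prompt.prompt_id, entered=None)

    # 3. Push bomb with number matching: the number is on the attacker's
    #    screen, so Alice cannot approve blindly.
    prompt = idp.send_push("alice", number_matching=True)
    results["push_bomb_number_matching"] = idp.approve_push(prompt.prompt_id, entered=None)

    # 4. WebAuthn relay: the attacker forwards the real challenge, but the
    #    browser signs over the phishing origin, which the platform rejects.
    challenge = idp.new_challenge()
    results["webauthn_relay"] = idp.verify_assertion(
        "alice", challenge, device.sign("https://login-example.phish", challenge))

    # 5. Legitimate WebAuthn login from the genuine origin.
    challenge = idp.new_challenge()
    results["webauthn_legit"] = idp.verify_assertion(
        "alice", challenge, device.sign(idp.origin, challenge))
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:28s} attacker/login succeeds: {ok}")
```

The scenario results line up with CISA’s table: the relayed TOTP is accepted, the blind push approval is accepted, the blind approval fails once number matching is on, and the relayed WebAuthn assertion fails because the signed origin is the phishing site rather than the identity platform.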
