CISA Releases Guidance on Phishing-Resistant and Numbers Matching Multi-Factor Authentication

The Cybersecurity and
Infrastructure Security Agency (CISA) released two fact sheets,
Implementing Phishing-Resistant MFA and Implementing Number Matching in
MFA Applications, to give IT leaders and network defenders an improved
understanding of current threats against accounts and systems that use
multi-factor authentication (MFA).

Because not all forms of MFA are
equally secure, the phishing-resistant fact sheet informs organizations and
users of the threats to MFA and how to implement the most secure form of
MFA. CISA also published an infographic of the hierarchy of MFA options
that is available at CISA.gov/MFA, which shows phishing-resistant MFA
as the strongest choice.

For small and medium-size
businesses that cannot immediately implement phishing-resistant MFA, the fact
sheet on implementing number matching provides guidance for organizations
to deploy mobile push with number matching as an interim option. While number
matching MFA is a strong interim mitigation, CISA encourages organizations
to develop plans to migrate to phishing-resistant MFA.
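The advisory does not spell out why number matching helps, so the following added example (constructed for this page; it is not CISA's code and is not drawn from the fact sheets) models the server side of a push prompt with number matching. The login page shows a two-digit number that the push notification itself never carries, so the only way to approve is to type the number seen on a login the user actually started. A bare "Approve" tap, a guessed number, a reused challenge, or an expired one are all rejected, which is what blunts "push fatigue" (an attacker with a stolen password sending prompts until the user taps Approve). The 60-second lifetime and the two-digit range are assumptions for the example.

```python
"""Server-side model of mobile-push MFA with number matching (constructed example)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CHALLENGE_TTL_SECONDS = 60  # assumed lifetime of a pending prompt


@dataclass
class PushChallenge:
    challenge_id: str
    username: str
    display_number: str  # shown on the login screen; never included in the push
    created_at: float


class NumberMatchingMFA:
    """Issues push challenges and verifies the user's number-matching response."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._pending: Dict[str, PushChallenge] = {}

    def start_login(self, username: str) -> PushChallenge:
        """Called after the password check succeeds.

        The login page displays challenge.display_number; the push sent to the
        phone carries only challenge_id, so someone who merely receives the
        push (the victim of an attacker-initiated login) does not learn the number.
        """
        challenge = PushChallenge(
            challenge_id=secrets.token_urlsafe(16),
            username=username,
            display_number=f"{secrets.randbelow(100):02d}",
            created_at=self._clock(),
        )
        self._pending[challenge.challenge_id] = challenge
        return challenge

    def approve(self, challenge_id: str, entered_number: Optional[str]) -> bool:
        """Called when the authenticator app sends the user's response.

        Returns True only for a live, unused challenge whose number was typed
        correctly. The challenge is consumed on the first response regardless
        of outcome, so a wrong guess cannot be retried against the same prompt.
        """
        challenge = self._pending.pop(challenge_id, None)
        if challenge is None:
            return False  # unknown or already-used challenge
        if self._clock() - challenge.created_at > CHALLENGE_TTL_SECONDS:
            return False  # stale prompt; the user must start a fresh login
        if entered_number is None:
            return False  # a plain "Approve" tap is never sufficient
        # Constant-time comparison; the number is short, but the habit is cheap.
        return hmac.compare_digest(challenge.display_number, entered_number.strip())


if __name__ == "__main__":
    mfa = NumberMatchingMFA()
    # Legitimate login: the user reads the number off the screen and types it.
    legit = mfa.start_login("alice")
    print("user-initiated login, correct number:", mfa.approve(legit.challenge_id, legit.display_number))
    # Attacker-initiated login: the victim sees a push but has no number to enter.
    unwanted = mfa.start_login("alice")
    print("attacker-initiated login, blind Approve tap:", mfa.approve(unwanted.challenge_id, None))
```

Contrast this with plain mobile push, where `approve` would succeed on any Approve tap: there the attacker needs only the password and one moment of user inattention. With number matching, the attacker additionally needs the user to type a value that only the attacker's screen shows, and each prompt allows a single attempt before it is discarded.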

As part of long- and
intermediate-term plans to apply Zero Trust principles, CISA encourages all
organizations to implement phishing-resistant MFA. CISA recommends that
organizations identify systems that do not support MFA and develop a plan
to either upgrade these systems to support MFA or migrate to new systems
that support MFA.

In the past year, CISA has seen
bypass attacks on MFA increase and intensify. However, we have only heard
about some of these bypass attacks because the attackers went public. All
organizations should report incidents and anomalous
activity to CISA's 24/7 Operations Center at [email protected] or Report | CISA and/or to the FBI via your local
FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or [email protected].

The NJCCIC encourages recipients
who discover signs of malicious cyber activity to contact the NJCCIC
via the cyber incident report form at www.cyber.nj.gov/report.