Since the pandemic and the rise of work at home, we have become very familiar with Multi-Factor Authentication (MFA). Typically, this is implemented as a One-Time Password (OTP) delivered via an application on a smartphone, phone call, or SMS text.
Like any high-value information, this has become vulnerable to social engineering. Scammers trick people into giving the codes via phishing emails, phone calls, fake portals, and other creative means.
CISA released guidance on how to phish-proof these implementations in a recent publication I’ve found very helpful: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf and https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf.
Here are some key takeaways from this guidance.
- One of the most phish resistant MFA implementations are FIDO/WebAuthn Authentication. In English, these are physical tokens or authenticators built into physical devices, such as USB sticks or laptops. These physical devices communicate the key required to authenticate, removing the human error from the authentication process.
- Tied for the most phish resistant MFA is Public Key Infrastructure (PKI)- based. These are often seen in government applications where smart card badges are issued and slid into the computer to authenticate. CISA notes that to successfully implement PKI, you must have a highly mature identity management process.
- The more common methods of MFA follow, including smart phone apps and OTPs, which are vulnerable to the current attacks, such as push bombing, SIM swap, (where attackers swap out SIM cards in smart phones to pose as a user), and phishing OTPs.
- If you cannot implement the stronger MFA practices (FIDO/WebAuthn or PKI), CISA recommends implementing number matching to mitigate this risk. Number matching is a setting that prompts the user to enter numbers from the authentication system into their authenticator. This requires access to the login screen and discourages the push bombing.
See examples from Microsoft below:
Many common vendors support this including Microsoft, Duo, and Okta.
- Whichever route you chose, always train your users to report suspicious activity including push bombing, phishing for OTPs, and unknown log-ins. Additionally, CISA suggests investigating denied push requests as this could be an indicator of a compromised password.
I am excited about the number matching options as it seems the most feasible without an Identity Management program overhaul. The stronger methods may be best for high-value accounts, such as administrator accounts and domain controllers.
If you have any questions or need help, please contact us at support@bedelsecurity.com.