On Monday the United States’ Cybersecurity & Infrastructure Security Agency (CISA) released two fact sheets detailing threats to multifactor authentication (MFA) and recommendations for its implementation, in response to an increase in MFA being defeated through phishing, push fatigue, and SIM swapping attacks. CISA primarily recommends FIDO/WebAuthn authentication as the most widely available phishing-resistant form of MFA, and suggests number matching with push notifications as a means of defeating push fatigue attacks. The fact sheets include reference materials for MFA vendors such as Microsoft, Duo, and Okta, as well as recommendations for overcoming hurdles to implementing stronger MFA techniques.
Given the current threat landscape, MFA should be required for any device or service accessed from outside the internal network and for any high-value device inside the organization. This includes solutions used to work from home (WFH) such as Virtual Private Networks (VPNs) or Virtual Desktop Infrastructure (VDI), as well as business-critical servers and accounts that have access to sensitive data. FIDO/WebAuthn authentication keys, such as YubiKeys, are by far the form of MFA most resistant to attack, but they are often more expensive than alternatives and require users to keep a physical device for MFA. Furthermore, not all vendors support these keys, meaning companies would need a backup MFA system for those vendors, forgo MFA with those vendors, or go through the process of offboarding the vendor in favor of one that supports FIDO/WebAuthn.
When this isn’t viable, push notifications with number matching are often the most user-friendly MFA experience that is still resistant to push fatigue attacks. Because a number displayed on the login screen must be entered into the push notification (or vice versa), an attacker can still spam MFA requests but cannot get a login approved simply by bombarding the user’s device with notifications; that would additionally require a secondary phishing angle to obtain the number. Alongside this implementation, users should be instructed on how best to report these attacks to the security team so that remediation can happen in a timely manner.
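As an added illustration (not CISA’s code or any vendor’s implementation), the hypothetical push-MFA server below can run either as a plain approve/deny push or with number matching, and a small model of a push-fatigue attempt shows why only the second withstands a worn-down user tapping through notifications; every class and function name is an assumption.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PushChallenge:
    challenge_id: str
    number: str            # shown only on the login screen that started it
    approved: bool = False


class PushMFA:
    """Hypothetical push-MFA server. number_matching=False models a plain
    approve/deny push; True models the number-matching variant CISA recommends."""

    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self.pending: Dict[str, PushChallenge] = {}

    def start_login(self, username: str) -> PushChallenge:
        # Whoever sits at the login screen (user or attacker) sees this number;
        # the enrolled device only receives a push asking for it to be typed in.
        number = f"{secrets.randbelow(100):02d}"
        challenge = PushChallenge(secrets.token_hex(8), number)
        self.pending[challenge.challenge_id] = challenge
        return challenge

    def respond_to_push(self, challenge_id: str, entered: Optional[str]) -> bool:
        challenge = self.pending.get(challenge_id)
        if challenge is None:
            return False
        if self.number_matching:
            # Approval is valid only if the number typed on the device matches
            # the one the login screen displayed; a bare "Approve" tap is not enough.
            ok = entered is not None and hmac.compare_digest(challenge.number, entered)
        else:
            ok = True  # plain push: any tap on "Approve" lets the session in
        challenge.approved = ok
        return ok


def push_fatigue_outcome(mfa: PushMFA, attempts: int, user_entry: Optional[str]) -> int:
    """Constructed scenario: an attacker with the password triggers `attempts`
    pushes and a worn-down user answers every one with `user_entry`
    (None = just taps Approve). Returns how many logins were approved."""
    challenges: List[PushChallenge] = [mfa.start_login("victim") for _ in range(attempts)]
    return sum(mfa.respond_to_push(c.challenge_id, user_entry) for c in challenges)
```

With number matching, the fatigued user can at best type a guess, which matches a given push only one time in a hundred, and only the legitimate login whose screen the user is actually looking at supplies the right number.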