Given the current threat landscape, MFA should be required for all remote access to internal resources and for any high-value systems inside the organization. This includes work-from-home (WFH) solutions such as Virtual Private Networks (VPNs) and Virtual Desktop Infrastructure (VDI), as well as business-critical servers and any accounts with access to sensitive data. FIDO/WebAuthn authenticators, such as YubiKeys, are by far the most attack-resistant form of MFA: the credential is bound to the site's origin, so a phishing page cannot obtain a response it can replay against the real site. They are, however, often more expensive than the alternatives and require users to carry and manage a physical device. Furthermore, not all vendors support these keys, so a company must either run a backup MFA method for those vendors, forgo MFA on them, or go through the process of offboarding the vendor in favor of one that supports FIDO/WebAuthn.
When this isn't viable, push notifications with number matching are usually the most user-friendly MFA option that still resists push-fatigue (MFA bombing) attacks. The login screen shows a number that the user must enter into the authenticator app (some implementations reverse the direction, showing the number in the push and asking for it on the login screen). Either way, an attacker holding a stolen password can still spam MFA requests, but cannot get the user to approve one simply by bombarding their device: the number needed to complete the approval is only ever shown on the attacker's screen. Number matching is not phishing-resistant, though. A real-time phishing proxy that relays the genuine login page to the victim also relays the number, so number matching raises the bar from pure bombardment to bombardment plus a convincing phishing lure. Alongside this control, users should be told how to report unexpected MFA prompts to the security team, since a burst of denied or unmatched pushes is strong evidence that the account's password is already compromised and remediation (at minimum a password reset and session review) needs to happen in a timely manner.
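The following is an added example, not code from the original article or from any MFA vendor, of the server-side logic that makes number matching work against push bombing, and of the reporting signal the paragraph asks for. The two-digit code, the 60-second validity window, the three-unmatched-pushes alert threshold, the user "alice" and the session identifiers are all assumptions chosen for the illustration; the CISA guidance does not specify them.

```python
"""Server-side model of number-matching push MFA versus plain approve/deny push.

Added example. Assumed parameters (not from the CISA guidance): a two-digit
code, a 60-second validity window, and an alert after three unmatched pushes.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

NUMBER_TTL_SECONDS = 60        # assumed validity window for a pending push
PUSH_FATIGUE_THRESHOLD = 3     # assumed: consecutive unmatched pushes before alerting


@dataclass
class PendingPush:
    user: str
    number: str        # rendered on the login screen only; never sent to the device
    created_at: float


@dataclass
class MfaServer:
    pending: dict = field(default_factory=dict)    # session_id -> PendingPush
    unmatched: dict = field(default_factory=dict)  # user -> consecutive unmatched pushes
    alerts: list = field(default_factory=list)     # what would be forwarded to the SOC

    def start_login(self, user: str, session_id: str, now: Optional[float] = None) -> str:
        """Password already accepted: send a push and return the number for the login screen."""
        now = time.time() if now is None else now
        number = f"{secrets.randbelow(100):02d}"    # CSPRNG, zero-padded two digits
        self.pending[session_id] = PendingPush(user, number, now)
        return number

    def approve(self, session_id: str, entered: Optional[str], now: Optional[float] = None) -> bool:
        """Device reports 'approve' with the number the user typed; None means deny/ignored."""
        now = time.time() if now is None else now
        push = self.pending.pop(session_id, None)   # pop: a push is single-use
        if push is None:
            return False
        if now - push.created_at > NUMBER_TTL_SECONDS:
            return False
        if entered is None or not hmac.compare_digest(push.number, entered):
            self._record_unmatched(push.user)
            return False
        self.unmatched[push.user] = 0               # legitimate success resets the counter
        return True

    def approve_legacy(self, session_id: str) -> bool:
        """Plain approve/deny push, for contrast: a single tap completes the login."""
        return self.pending.pop(session_id, None) is not None

    def _record_unmatched(self, user: str) -> None:
        n = self.unmatched.get(user, 0) + 1
        self.unmatched[user] = n
        if n == PUSH_FATIGUE_THRESHOLD:
            # Pushes are only sent after a valid password, so this means the password is burned.
            self.alerts.append(f"possible push bombing against {user}: {n} unmatched pushes; reset password")


def simulate_push_bombing(number_matching: bool, pushes: int = 5) -> tuple:
    """Attacker with alice's stolen password fires `pushes` logins; a worn-down alice
    taps 'approve' on the last one. Returns (attacker_logged_in, alerts_raised)."""
    server = MfaServer()
    logged_in = False
    for i in range(pushes):
        sid = f"attacker-session-{i}"   # constructed identifier
        server.start_login("alice", sid)  # the number lands on the attacker's browser
        if number_matching:
            # Alice never sees the number, so the app has nothing correct to submit;
            # even tapping 'approve' without it is recorded as an unmatched push.
            logged_in = server.approve(sid, None) or logged_in
        elif i == pushes - 1:
            logged_in = server.approve_legacy(sid)
    return logged_in, len(server.alerts)
```

Running `simulate_push_bombing(False)` shows the legacy flow losing the account on the fifth tap, while `simulate_push_bombing(True)` shows the attacker locked out and a single alert raised after the third unmatched push. Two points the code makes explicit: the pending push is popped before any check so it cannot be replayed, and the comparison uses `hmac.compare_digest` rather than `==` so the two-digit code does not leak through timing differences.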
https://www.cisa.gov/uscert/ncas/current-activity/2022/10/31/cisa-releases-guidance-phishing-resistant-and-numbers-matching
https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf