CISA Discourages Use of App-Based, SMS and Voice MFAs and Encourages Phishing-Resistant MFAs

Cyber Threat Actors Are Breaking the Security of Commonly Used MFAs

By: Kathie McDonald-McClure

A best practice in securing sensitive data is to deploy Multi-Factor Authentication (MFA) to prevent access by unauthorized users to internet-connected sources for such data. MFA requires authorized users to present a combination of two or more different authenticators (something you know, you have, or you are) to verify identity prior to access. MFA makes it more difficult for unauthorized users to gain access to servers and applications. For example, if one factor, such as a PIN, becomes compromised, the unauthorized user cannot gain access if they do not have the second factor, such as a mobile token or fingerprint.

Cyber security experts recommend MFA for all internet-facing applications with access to sensitive information. Such applications include remote desktop, Virtual Private Networks (VPNs), email accounts, financial and accounting software, file sharing and document management platforms, CRM, just to name a few.

Demonstrated compromises in commonly used MFAs prompts CISA to issue guidance. On October 31, 2022, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released Guidance on Phishing-Resistant and Numbers Matching Multifactor Authentication. The CISA Guidance includes two Fact Sheets. One Fact Sheet, Implementing Phishing-Resistant MFA, describes the methods cyber threat actors are using to gain access to MFA credentials. These methods include phishing emails and malicious websites, MFA fatigue, exploitation of SS7 protocol vulnerabilities, and SIM swapping. This CISA Fact Sheet identifies App-Based MFA and SMS or Voice MFA as being particularly vulnerable to these methods of stealing MFA credentials.

CISA strongly encourages organizations currently using App-Based, SMS or Voice MFA to migrate to a Phishing-Resistant MFA for as many applications as is feasible. CISA indicates that the currently available Phishing-Resistant MFA options are limited to FIDO/WebAuthn (included in most major browsers) and the PKI-based MFA (smart cards used with SSO technologies). App-Based MFAs verify the identity of users either by generating a one-time password (OTP) or sending a “push” pop-up notification to the mobile application. SMS and Voice MFAs send a code to the user’s phone or email. The user then retrieves this second factor code from their text or email to use for login authentication. CISA says that SMS and Voice MFA should only be used as a last resort.

CISA acknowledges there are several stumbling blocks to the deployment of Phishing-Resistant MFAs. These include the lack of support for it in the organization’s existing systems and products, difficulty in deploying it to all staff members at once, and upper management concerns that users will resist the migration. Nevertheless, CISA recommends that the organization’s IT leadership prioritize the migration to Phishing-Resistant MFA in logical phases focusing on the technologies at highest risk, such as email systems, file servers, and remote access systems, and the users who are high-value targets, such as system administrators, attorneys, HR staff, and others with access to sensitive data.

What if your organization uses mobile push-notification based MFA and migration to Phishing-Resistant MFA is not feasible? CISA recommends using “number matching” in the MFA application to mitigate MFA fatigue. CISA says, “MFA fatigue, also known as ‘push bombing,’ occurs when a cyber threat actor bombards a user with mobile application push notifications until the user either approves the request by accident or out of annoyance with the nonstop notifications.” Refer to the CISA Fact Sheet titled, Implementing Number Matching in MFA Applications, for guidance on how to enable “number matching” on MFA configurations to prevent MFA fatigue.

So why is a lawyer writing this technical piece? We assist clients proactively to prevent security breaches and reactively after a security incident in the preparation or revision of IT data security policies and procedures necessary to meet regulatory, contractual, cyber insurance underwriting, and other third-party expectations. If you are looking for assistance in this area, and to learn more about Wyatt’s data privacy and security practice, visit Data Privacy and Cyber Security.

If you need additional information, please contact:

Kathie McDonald-McClure

Phone: 502.562.7526


“Shields Up” Cyber Threat Alert Issued for All U.S. Organizations

By Kathie McDonald-McClure

The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a Shields UpAlert for every organization in the United States. The Shields Up Alert states that, as a result of the Russian government’s use of cyber as a key component of asserting pressure on a country’s government, military and population, “[e]very organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety.” The Shields Up Alert sets forth specific recommended actions for organizations to take, regardless of size, to:

  • Reduce the likelihood of a damaging cyber intrusion,
  • Quickly detect a potential intrusion,
  • Ensure the organization is prepared to respond to an intrusion, and
  • Maximize the the organization’s resilence to a destructive cyber incident.

Read the full Shields Up Alert here.

Senators Propose U.S. Cybersecurity Incident Notification Law

This post was originally published on July 21, 2021. See important “Update” below.

UPDATE: On March 15, 2022, President Biden signed H.R. 2471, the Consolidated Appropriations Act of 2022, which includes the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“The CIRCI Act”). The CIRCI Act, which appears as Division Y in H.R. 2471, has several elements proposed by the initial Senate Bill that was the subject of this article with some variations. CISA has 24 months to issue implementing regulations.


In light of the escalation in ransomware and other cyber threats, a bi-partisan group of U.S. Senators has released a cybersecurity notification bill titled “Cyber Incident Notification Act of 2021.” Under the proposed bill, a “covered entity” would be required to report a “cybersecurity intrusion” or “potential cybersecurity intrusion” to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of confirmation of the intrusion.  Covered entities also would be required to submit updated cybersecurity threat information to CISA within 72 hours after the discovery of new information. The requirement for updates would continue until the incident is mitigated or any follow-up investigation is completed.

Although the term “cybersecurity intrusion” would be defined in future rulemaking with public comment, the bill provides, at a minimum, that the term include ransomware if it falls into one of six broad categories. The categories include ransomware involving a nation-state, an advanced persistent threat cyber actor, or a transnational organized crime group. The categories also include ransomware that results in or has the potential to result in harm to national security interests, the U.S. economy, or to public confidence, civil liberties, or public health and safety. In essence, it would encompass most types of ransomware.

The term “covered entity” also is to be defined by future rulemaking but, per the bill, “shall include, at a minimum, Federal contractors, owners or operators of critical infrastructure, as determined appropriate by the Director based on assessment of risks posed by compromise of critical infrastructure operation, and nongovernmental entities that provide cybersecurity incident response services.” CISA’s list of critical infrastructure sectors include: Information Technology, Communications, Healthcare and Public Health, Emergency Services, Financial, Energy, Food and Agriculture, Commercial Facilities, Critical Manufacturing, among others. For a full list of CISA’s current “critical infrastructure” sectors and a detailed description of each, click here

To incentivize compliance, the law would allow the CISA Director to assess a civil penalty up to 0.5 percent of the entity’s gross revenue from the prior year for each day it violates the requirements under the law or under rules promulgated under the law. The Director would be allowed to “take into account mitigating or aggravating factors, including the nature, circumstances, extent, and gravity of the violations and, with respect to the covered entity, the covered entity’s ability to pay, degree of culpability, and history of prior violations.”

Click here to read the full Senate Bill.