CISA Discourages Use of App-Based, SMS and Voice MFAs and Encourages Phishing-Resistant MFAs

Cyber Threat Actors Are Breaking the Security of Commonly Used MFAs

By: Kathie McDonald-McClure

A best practice in securing sensitive data is to deploy Multi-Factor Authentication (MFA) to prevent access by unauthorized users to internet-connected sources for such data. MFA requires authorized users to present a combination of two or more different authenticators (something you know, you have, or you are) to verify identity prior to access. MFA makes it more difficult for unauthorized users to gain access to servers and applications. For example, if one factor, such as a PIN, becomes compromised, the unauthorized user cannot gain access if they do not have the second factor, such as a mobile token or fingerprint.

Cyber security experts recommend MFA for all internet-facing applications with access to sensitive information. Such applications include remote desktop, Virtual Private Networks (VPNs), email accounts, financial and accounting software, file sharing and document management platforms, CRM, just to name a few.

Demonstrated compromises in commonly used MFAs prompts CISA to issue guidance. On October 31, 2022, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released Guidance on Phishing-Resistant and Numbers Matching Multifactor Authentication. The CISA Guidance includes two Fact Sheets. One Fact Sheet, Implementing Phishing-Resistant MFA, describes the methods cyber threat actors are using to gain access to MFA credentials. These methods include phishing emails and malicious websites, MFA fatigue, exploitation of SS7 protocol vulnerabilities, and SIM swapping. This CISA Fact Sheet identifies App-Based MFA and SMS or Voice MFA as being particularly vulnerable to these methods of stealing MFA credentials.

CISA strongly encourages organizations currently using App-Based, SMS or Voice MFA to migrate to a Phishing-Resistant MFA for as many applications as is feasible. CISA indicates that the currently available Phishing-Resistant MFA options are limited to FIDO/WebAuthn (included in most major browsers) and the PKI-based MFA (smart cards used with SSO technologies). App-Based MFAs verify the identity of users either by generating a one-time password (OTP) or sending a “push” pop-up notification to the mobile application. SMS and Voice MFAs send a code to the user’s phone or email. The user then retrieves this second factor code from their text or email to use for login authentication. CISA says that SMS and Voice MFA should only be used as a last resort.

CISA acknowledges there are several stumbling blocks to the deployment of Phishing-Resistant MFAs. These include the lack of support for it in the organization’s existing systems and products, difficulty in deploying it to all staff members at once, and upper management concerns that users will resist the migration. Nevertheless, CISA recommends that the organization’s IT leadership prioritize the migration to Phishing-Resistant MFA in logical phases focusing on the technologies at highest risk, such as email systems, file servers, and remote access systems, and the users who are high-value targets, such as system administrators, attorneys, HR staff, and others with access to sensitive data.

What if your organization uses mobile push-notification based MFA and migration to Phishing-Resistant MFA is not feasible? CISA recommends using “number matching” in the MFA application to mitigate MFA fatigue. CISA says, “MFA fatigue, also known as ‘push bombing,’ occurs when a cyber threat actor bombards a user with mobile application push notifications until the user either approves the request by accident or out of annoyance with the nonstop notifications.” Refer to the CISA Fact Sheet titled, Implementing Number Matching in MFA Applications, for guidance on how to enable “number matching” on MFA configurations to prevent MFA fatigue.

So why is a lawyer writing this technical piece? We assist clients proactively to prevent security breaches and reactively after a security incident in the preparation or revision of IT data security policies and procedures necessary to meet regulatory, contractual, cyber insurance underwriting, and other third-party expectations. If you are looking for assistance in this area, and to learn more about Wyatt’s data privacy and security practice, visit Data Privacy and Cyber Security.

If you need additional information, please contact:

Kathie McDonald-McClure

Phone: 502.562.7526


Data Security in the “New Normal” of Teleworking

By Margaret Young Levi and Kathie McDonald-McClure

The 2020 worldwide pandemic will go down in the history books much like the 1918 Spanish Flu.  One big difference between then and now: the technology that has enabled millions of us to remain moderately productive “at work” from the comfort of our homes.  Welcome to the “new normal” of telework.  Being comfy at work in yoga pants – saving time by not having to dress for “the office” as we once knew it.  Shorter commutes, with coffee refills only steps away in the “breakroom” – our kitchens.  Staying connected to our co-workers, clients and work associates in Brady Bunch style, creating a little mystique with virtual backgrounds on Zoom, Microsoft Teams or WebEx video conferencing platforms.

As relaxed as we may be in the new normal of teleworking, it’s not a time to relax when it comes to being vigilant in securing the confidences of our employers, employees, clients or customers.  Teleworking brings new technology challenges:  learning new software and conferencing programs, managing confidential paper documents, and protecting electronic data.  And since our homes are now an extension of our offices, these challenges may create additional exposure for employers. As office workers and healthcare providers switched to telework and telehealth under state stay-at-home orders, malicious cyber actors were ramping up to take advantage of the security gaps that would inevitably accompany such a sudden transition. Wyatt data privacy counsel offer practical tips to protect employer and client data, as well as personal information, in the new normal of telework.

Continue reading