While many agencies have already deployed some version of multifactor authentication, not all forms of MFA provide equal security, according to a new alert from the Cybersecurity and Infrastructure Security Agency.
Some types of MFA are vulnerable to phishing attacks, fake push alerts, weaknesses in communication protocols or SIM swapping attacks, CISA’s Oct. 31 alert explained.
Hackers can lure users to visit a malicious website posing as a legitimate government agency or business, where they submit not only their username and password, but also an authentication code sent to their mobile device.
Another technique, called click fatigue or click bombardment, sends pop-up approval requests to the authenticator until the victim accidentally clicks an accept button or chooses to approve the login request to stop the notifications. Such a strategy was behind the September attack on Uber, in which the attacker bombarded an employee with authentication requests and then sent the victim a WhatsApp message claiming to be from the company’s IT department and approving the login.
Threat actors can also exploit a long-known flaw in the SS7 communication protocol to harvest MFA codes sent via SMS text or voice messages. Vulnerabilities in the protocol allow hackers to hijack a mobile phone’s forwarding function and redirect calls, data or authentication codes to themselves.
CISA described how attackers can convince telecom operators to transfer control of a victim’s phone number to a SIM card controlled by the hackers.
CISA recommended that organizations implement phishing-resistant MFA as part of their zero-trust efforts, adding that FIDO/WebAuthn authentication is “the only widely available phishing-resistant authentication.” It uses either physical tokens that connect to a device via a USB port or near-field communication, or can be embedded in laptops or mobile devices as a “platform” authenticator to verify users’ identities.
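To show what makes FIDO/WebAuthn phishing-resistant, here is an added example (not CISA’s text, nor any library’s code) that models the three checks involved: the credential is bound to a relying-party ID at registration, the browser rather than the user writes the page’s real origin into the signed client data, and the server verifies origin, rpIdHash, a single-use challenge and the signature. The host names are constructed, and the authenticator’s asymmetric signature is stood in for by an HMAC whose per-credential secret the relying party also holds; that simplification is flagged in the code.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not CISA's text or any library's code. Simplification: the
# authenticator's asymmetric signature is replaced by an HMAC whose secret the
# relying party also stores. The origin/rpId binding logic is the point.


def _host(origin: str) -> str:
    """Extract the host from an origin such as https://login.example.gov:443."""
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


class Authenticator:
    """A FIDO authenticator: every credential is bound to exactly one rpId."""

    def __init__(self):
        self._creds = {}  # credential id -> (rp_id, secret)

    def register(self, rp_id):
        cred_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, secret)
        return cred_id, secret  # secret shared only because of the HMAC stand-in

    def get_assertion(self, cred_id, rp_id, client_data):
        bound_rp_id, secret = self._creds[cred_id]
        if rp_id != bound_rp_id:
            return None  # no credential for this relying party: nothing to sign
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(secret, to_sign, hashlib.sha256).digest()


def browser_get(auth, cred_id, page_origin, rp_id, challenge):
    """Browser step: allows only an rpId the page's host owns and fills in the
    true origin itself, so a phishing page cannot claim to be the real site."""
    host = _host(page_origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    result = auth.get_assertion(cred_id, rp_id, client_data)
    if result is None:
        return None
    auth_data, sig = result
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


class RelyingParty:
    """Server side: issues single-use challenges and verifies assertions."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self._secrets, self._challenges = {}, set()

    def enroll(self, cred_id, secret):
        self._secrets[cred_id] = secret

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self._challenges.add(challenge)
        return challenge

    def verify(self, cred_id, assertion):
        """Return 'ok', or the reason the assertion was rejected."""
        if assertion is None:
            return "no assertion produced"
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get":
            return "wrong ceremony type"
        if cd.get("challenge") not in self._challenges:
            return "unknown or replayed challenge"
        if cd.get("origin") != self.origin:
            return "origin mismatch"
        if assertion["auth_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpIdHash mismatch"
        to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self._secrets[cred_id], to_sign, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return "bad signature"
        self._challenges.discard(cd["challenge"])  # challenge is single use
        return "ok"


def demo():
    """Run a legitimate login, two phishing attempts and a replay; return the outcomes."""
    rp = RelyingParty("login.example.gov", "https://login.example.gov")  # constructed
    auth = Authenticator()
    cred_id, secret = auth.register(rp.rp_id)
    rp.enroll(cred_id, secret)

    legit = browser_get(auth, cred_id, rp.origin, rp.rp_id, rp.new_challenge())
    legit_result = rp.verify(cred_id, legit)

    # Phishing page relaying a real challenge and asking for the real rpId:
    # the browser refuses because the attacker's host does not own that rpId.
    phish_a = browser_get(auth, cred_id, "https://login-example-gov.test", rp.rp_id, rp.new_challenge())
    # Phishing page asking for its own rpId: the authenticator holds no credential for it.
    phish_b = browser_get(auth, cred_id, "https://login-example-gov.test", "login-example-gov.test", rp.new_challenge())

    replay_result = rp.verify(cred_id, legit)  # a captured assertion presented again
    return legit_result, phish_a, phish_b, replay_result


if __name__ == "__main__":
    print(demo())
```

The contrast with a code-based MFA is that there is nothing for the user to hand over: the browser derives the permitted rpId from the page actually being visited and signs the real origin into the client data, so a look-alike domain never receives an assertion the genuine server would accept.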
Another phishing-resistant MFA technique is based on PKI and is most commonly found in smart cards that some federal agencies issue to users. The cards contain a security chip with the user’s credentials, and the system requires the card to be directly connected to the device in order for the user to log in. The downside for many organizations is that it also requires “very mature identity management practices,” CISA said.
Organizations looking to implement phishing-resistant MFA should prioritize the most vulnerable and/or most valuable assets, whether they are resources such as email, remote access and identity servers such as Active Directory, or personnel such as system administrators, C-level officials or HR officers, CISA advised.
The security agency also outlined potential problems: not all systems will support phishing-resistant MFA, staff training may take time, and some users may resist changing login practices.
CISA has also produced a separate document on number matching in MFA applications, a practice that organizations can use to better protect their push notification-based mobile MFA apps from click fatigue. Number matching forces the user to copy two or three numbers displayed by the identity platform into their app before the authentication request is approved.
“Although number matching is not as robust as phishing-resistant MFA, it is one of the best mitigation measures for organizations that may not be able to immediately implement phishing-resistant MFA,” CISA said.
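The following added example (not CISA’s or any vendor’s code) ties together the click-fatigue attack described earlier and the number-matching mitigation described here: a minimal push-MFA service that can run with number matching on or off, a simulated victim who taps Approve on every push, and the lockout that bounds guessing. Two constructed assumptions are a two-digit match number and a lock after three wrong entries; vendors’ actual parameters vary.

```python
import secrets
from dataclasses import dataclass

# Added example, not CISA's or any vendor's code. Assumptions (constructed):
# a two-digit match number and a lock after three wrong entries.


@dataclass
class PushRequest:
    request_id: str
    user: str
    number: int          # shown on the sign-in screen only, never sent in the push
    attempts: int = 0
    approved: bool = False
    closed: bool = False


class PushMfaService:
    MAX_ATTEMPTS = 3

    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self._requests = {}

    def start_login(self, user):
        """Identity platform side: create a push; return (request_id, number to display)."""
        req = PushRequest(secrets.token_hex(8), user, secrets.randbelow(100))
        self._requests[req.request_id] = req
        return req.request_id, (req.number if self.number_matching else None)

    def respond(self, request_id, approve, entered_number=None):
        """Authenticator app side: the user's answer to the push."""
        req = self._requests.get(request_id)
        if req is None or req.closed:
            return "request closed"
        if not approve:
            req.closed = True
            return "denied"
        if self.number_matching:
            req.attempts += 1
            if entered_number != req.number:
                if req.attempts >= self.MAX_ATTEMPTS:
                    req.closed = True
                    return "wrong number, request locked"
                return "wrong number"
        req.approved = req.closed = True
        return "approved"

    def is_approved(self, request_id):
        req = self._requests.get(request_id)
        return req is not None and req.approved


def legitimate_login(number_matching=True):
    """The real user reads the number from their own screen and types it in."""
    svc = PushMfaService(number_matching)
    rid, shown = svc.start_login("user@example.gov")  # constructed account name
    return svc.respond(rid, approve=True, entered_number=shown)


def fatigue_simulation(number_matching, pushes=20):
    """An attacker holding the password triggers many logins; the worn-down
    victim taps Approve on each without a number, because the number appears
    only on the attacker's screen. Returns how many logins were approved."""
    svc = PushMfaService(number_matching)
    approved = 0
    for _ in range(pushes):
        rid, _shown_to_attacker = svc.start_login("victim@example.gov")
        svc.respond(rid, approve=True)
        approved += svc.is_approved(rid)
    return approved


def lockout_sequence():
    """Three wrong numbers lock the request; the right number is then too late."""
    svc = PushMfaService(number_matching=True)
    rid, shown = svc.start_login("user@example.gov")
    wrong = (shown + 1) % 100
    results = [svc.respond(rid, True, wrong) for _ in range(3)]
    results.append(svc.respond(rid, True, shown))
    return results
```

With plain push, every blind tap in the simulation is a successful login; with number matching, none is, because the push itself carries nothing approvable and the number travels over a channel the attacker cannot see. Under the constructed parameters a blind guess succeeds on at most 3 in 100 requests before the lock, which is why the mitigation reduces but does not eliminate the risk, consistent with CISA’s caveat above.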