

What the CISA Multi-Factor Authentication Guidance Means for Enterprises





On October 31, 2022, CISA announced critical advice about threats to organizations using some form of multi-factor authentication. The agency urges all organizations to implement phishing-resistant MFA controls as soon as possible to prevent phishing and increasingly automated and sophisticated attacks on authentication processes.

In its announcement, CISA released two fact sheets with detailed information and recommendations:

  1. Implementing Phishing-Resistant MFA
  2. Implementing Number Matching in MFA Applications

Key Takeaways on CISA Multi-Factor Authentication Tips

The guidance describes current cyber threats to multi-factor authentication, ranks the various types of MFA implementations by their susceptibility to those threats, and provides defense recommendations.

Breaking down the Phishing Resistant Authentication fact sheet

The Implementing Phishing-Resistant MFA fact sheet focuses on two main technical controls:

  1. Using FIDO-Based Authentication
  2. Using PKI-Based Authentication

Both of these controls are highly secure and prevent the most common attacks against legacy MFA: phishing and social engineering, push bombing/fatigue, SS7 vulnerabilities, and SIM swapping.

However, CISA and the industry in general are concerned that these controls are too difficult to implement (PKI) or that the ecosystem is simply not mature enough (FIDO2).

The main argument is that PKI is far too difficult and that only extremely mature organizations with large IAM groups are able to achieve it. In 2022, that is a false assumption. As an example, at HYPR we have deployed virtual PKI technology in organizations with very small IAM teams. In one case, an organization with over 70,000 people and a single resource dedicated to PKI was able to deploy this capability without issue.


The second concern is the coverage that FIDO and WebAuthn capabilities can support. Today, the majority of FIDO2 adoption is through separate hardware tokens (such as YubiKeys), which brings the industry back to the days of RSA tokens and all the logistical challenges of deploying them.

Traditionally, software implementations of FIDO2 have been tied to a specific device (such as Windows Hello). This results in an inconsistent user experience: users must fall back to phishable, less secure MFA methods when accessing corporate resources from anything other than their dedicated Windows machine. Mac users also find themselves struggling, and in most businesses this population is growing rapidly.

New authentication technologies solve these problems

Today, there are application-based options that guarantee phishing resistance without requiring separate hardware. At HYPR, we offer a certified FIDO2 Mobile Authenticator that provides the coverage businesses need without forcing them to fall back to a less secure method such as OTP or push, which would make them non-compliant with CISA's multi-factor authentication guidelines.

Overall, the issues with PKI and FIDO that CISA describes in the document are valid, but the best solution providers have resolved them. Legacy MFA technologies are slow and lag behind the pace of innovation driven by attackers.
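The reason FIDO2/WebAuthn is "phishing-resistant by design", as the sections above claim, is that the browser (not the user) writes the page origin into the signed login response, and the relying party rejects any response whose origin or RP ID does not match. The following is an added example written for this post, not HYPR's or any vendor's code; the RP ID `login.example.com`, the origin, the look-alike origin `login-example.com.test` and the challenge bytes are constructed for the illustration. It builds the clientDataJSON and authenticatorData structures a verifier receives and runs the relying-party checks over them; signature verification with the stored credential public key is left to a real WebAuthn library, but the bytes that signature covers are shown so it is clear the origin is bound into it.

```python
import base64
import hashlib
import json
from typing import Tuple

# Constructed values for the illustration (not from the page): the relying
# party ID the credential was registered against, the origin users are
# expected to log in from, and a fresh per-login challenge.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"
CHALLENGE = bytes(range(32))


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_authenticator_data(rp_id: str, user_present: bool = True,
                             user_verified: bool = True, sign_count: int = 1) -> bytes:
    """Fixed 37-byte authenticatorData prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def build_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON is written by the browser, so the origin field reflects the
    page the user actually visited, not what a look-alike page claims to be."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()


def signed_payload(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """Bytes the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
    The origin is bound into the signature through this hash."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, expected_origin: str,
                     rp_id: str) -> Tuple[bool, str]:
    """Relying-party checks on an assertion. Verifying the signature over
    signed_payload(...) with the credential's public key is left to a real library."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: %r" % cd.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the expected RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo() -> dict:
    """Same authenticator, same challenge: only the browser-reported origin differs."""
    auth_data = build_authenticator_data(RP_ID)
    genuine = verify_assertion(build_client_data(CHALLENGE, EXPECTED_ORIGIN),
                               auth_data, CHALLENGE, EXPECTED_ORIGIN, RP_ID)
    # A look-alike site relaying the real challenge still cannot change what the
    # browser writes into clientDataJSON.origin, so the relying party rejects it.
    relayed = verify_assertion(build_client_data(CHALLENGE, "https://login-example.com.test"),
                               auth_data, CHALLENGE, EXPECTED_ORIGIN, RP_ID)
    return {"genuine": genuine, "relayed": relayed}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

In practice the browser already refuses to use a credential whose RP ID is not a registrable suffix of the current origin, so the server-side origin and rpIdHash checks are a second line of defense; the point for an IAM team evaluating vendors is that neither check depends on the user noticing anything, which is what separates this from OTP and push.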

Breaking Down Number Matching Authentication Fact Sheet

The number matching fact sheet is much shorter, and the overall approach is recognized by CISA as a temporary technical placeholder until FIDO or PKI solutions can be implemented.

The primary provider of this capability today is Microsoft Authenticator, which recently made this method available to its customers after over 10,000 successful MFA bypass attacks against Azure AD and Office 365.

The solution works like this:

  1. The user types a password (easily phished)
  2. The user receives a push notification that they must accept (easily phished)
  3. The user has to enter, on their phone, the number displayed on their browser screen (harder to phish)

This capability adds another step so that users do not blindly approve a push notification. It puts the attacker in a position where they must carry out a social engineering attack to circumvent MFA rather than relying solely on an annoyed user accepting a push notification.
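To make the three-step flow above concrete, here is an added toy model of the server side of number matching, written for this post; it is not Microsoft's or any vendor's implementation, and the session IDs, the two-digit number range and the one-attempt-per-prompt rule are constructed choices. It shows why a blind tap on a push prompt no longer completes a login, and why a wrong number should discard the pending prompt rather than allow retries.

```python
import secrets
from typing import Dict, Optional, Tuple


class NumberMatchingLogin:
    """Toy server-side model of the number matching step (constructed for this
    illustration; not Microsoft's or any vendor's implementation)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def start_login(self, username: str) -> Tuple[str, int]:
        """Called after the password step. The browser page shows the returned
        number; the push sent to the phone asks the user to type it."""
        session_id = secrets.token_hex(8)
        number = secrets.randbelow(100)  # two-digit number (constructed choice)
        self._sessions[session_id] = {"user": username, "number": number, "approved": False}
        return session_id, number

    def approve_push(self, session_id: str, entered_number: Optional[int]) -> bool:
        """The phone's approval now carries the number the user typed.
        A blind tap (None) or a guess fails and discards the pending session,
        so a push-bombing attacker gets one try per prompt, not unlimited retries."""
        session = self._sessions.get(session_id)
        if session is None or session["approved"]:
            return False
        if entered_number != session["number"]:
            del self._sessions[session_id]
            return False
        session["approved"] = True
        return True

    def is_authenticated(self, session_id: str) -> bool:
        return bool(self._sessions.get(session_id, {}).get("approved"))


def demo() -> Dict[str, bool]:
    """Blind approval (push fatigue) versus a user who reads the number off the screen."""
    login = NumberMatchingLogin()
    sid, _ = login.start_login("alice")
    blind_tap = login.approve_push(sid, None)          # user just taps "Approve"
    sid2, number = login.start_login("alice")
    matched = login.approve_push(sid2, number)         # user typed the on-screen number
    return {"blind_tap_accepted": blind_tap, "matched_accepted": matched,
            "session_authenticated": login.is_authenticated(sid2)}


if __name__ == "__main__":
    print(demo())
```

The model also shows the limit the post points out: the number is displayed by whatever page the user is looking at, so a relay of the genuine login page shows the victim the same number, which is why this is a mitigation rather than a phishing-resistant control.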

This is largely a mitigation effort, and I believe that the MFA bypass toolkits available cheaply on the dark web will soon be adapted to include number matching bypass templates.

In addition, it will undoubtedly annoy many employees. Disgruntled employees find very innovative ways to subvert security controls, and I'm afraid this capability will have the opposite of the desired effect.

Ultimately, users just want to log in and get on with their work. FIDO and PKI solutions are mature enough for wide adoption. IAM teams should prioritize projects that put authentication that is consistent, frictionless, and phishing-resistant by design into the hands of the general user population.

Tips for businesses considering passwordless solutions

  1. Focus on consistency. Your users want the same experience across all channels, and they want it to be simple! If you have multiple identity sources, focus on deploying independent authentication controls that provide consistency and phishing resistance.
  2. Beware of FIDO imitators. I have been a member of the FIDO Alliance for many years, and there is a huge difference between "FIDO-like" or "FIDO-compliant" and "FIDO-Certified". If you are evaluating suppliers, go to the FIDO Certification site and look for providers that have both certified authenticators AND certified servers.
  3. Ask for proof! If you're talking to a vendor about phishing-resistant authentication, talk to their reference customers (and to customers they don't offer as references) and dig deep. Ask how they specifically deployed anti-phishing capabilities, to which user groups and when, how long it took, how good the support was, and other factors relevant to your specific environment. These are crucial questions because authentication is essential!

CISA Multi-Factor Authentication Tips: A Wake-Up Call for All

As this guidance indicates, now is the time for phishing-resistant authentication. The fact is, phishing-resistant MFA is architecturally different from traditional MFA, and the wider IAM industry needs to recognize that. Until now, the organizations with the most to lose (financial services, insurance, critical infrastructure) have driven the adoption of phishing-resistant controls. This is no longer tenable – breaches continue to happen, and security teams around the world will have to adapt. It's only a matter of time before it becomes a strict requirement of NYDFS, PCI-DSS, GDPR, NIST and other regulatory bodies.

HYPR meets CISA requirements for phishing resistance

HYPR's True Passwordless™ MFA provides phishing-resistant authentication from desktop to cloud. As the only solution that is FIDO-certified across its entire product line, HYPR ensures that your authentication processes meet the security requirements defined by CISA as well as the guidelines of NIST (800-63B A), FFIEC, OMB and other cybersecurity regulations.

Plus, it provides a simple, unified experience across all devices and channels, for a short learning curve and less user frustration. To see how it works, schedule a demo or speak to one of our passwordless experts.

To learn more about passwordless authentication in general, download the Passwordless 101 guide.

*** This is a Security Bloggers Network syndicated blog from the HYPR Blog, written by Bojan Simic, CEO and CTO, HYPR. Read the original post at: