CISA Releases Guidance on Phishing-Resistant and Numbers Matching Multi-Factor Authentication

The Cybersecurity and Infrastructure Security Agency (CISA) released a released two fact sheets to give IT leaders and network defenders an improved understanding of current threats against accounts and systems that use multi-factor authentication (MFA), Implementing Phishing-Resistant MFA and Implementing Number Matching in MFA Applications.

Because not all forms of MFA are equally secure, the phishing-resistant fact sheet informs organizations and users of the threats to MFA and how to implement the most secure form of MFA. CISA also published an infographic of the hierarchy of MFA options that is available at CISA.gov/MFA, which shows phishing-resistant MFA as the strongest choice.

For small and medium-size business that cannot immediately implement phishing-resistant MFA, the fact sheet on implementing number matching provides guidance for organizations to mobile push with number matching as an interim option. While number matching MFA is a great interim mitigation, CISA encourages organizations to develop plans to migrate to phishing resistant MFA.

As part of long and intermediate-term plans to apply Zero Trust principles, CISA encourages all organizations to implement phishing-resistant MFA. CISA recommends that organizations identify systems that do not support MFA and develop a plan to either upgrade these systems to support MFA or migrate to new systems that support MFA.

In the past year, CISA has seen bypass attacks on MFA increase and intensify. However, we only have heard about some of these bypass attacks because the attackers went public. All organizations should share information on incidents and anomalous activity to CISA 24/7 Operations Center at [email protected] or Report | CISA and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or [email protected].  

The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.