Multifactor authentication can be vulnerable to phishing attacks, fake push alerts, communications protocols weaknesses or SIM swap attacks, according to CISA.
While many agencies have already deployed some version of multifactor authentication, not all forms provide equally secure security, according to a new fact sheet from the Cybersecurity and Infrastructure Security Agency.
Some types of MFA are vulnerable to phishing attacks, fake push alerts, communications protocols weaknesses or SIM swap attacks, CISA’s Oct. 31 alert explained.
Hackers can lure users into visiting a malicious website that masquerades as a legitimate government agency or business where they submit not just their username and password, but also the authentication code sent to their mobile device.
Another technique called push fatigue or push bombing sends a torrent of pop-up approval requests to an app-based authenticator until the victim accidently hits the accept button or chooses to approve the sign-in request to stop the notifications. This strategy was behind the September attack on Uber in which an attacker bombarded an employee with authentication requests, then sent the victim a message via WhatsApp telling him he was with the company’s IT help desk and to approve the login.
Threat actors can also take advantage of a long-known weakness in the SS7 communications protocol to collect MFA codes sent via text, SMS messages or voice messages. Vulnerabilities in the protocol allow hackers to hijack a cellphone’s forwarding function and redirect the calls, data or authentication codes to themselves.
CISA described how attackers can convince representatives at telecom carriers to transfer control of a victim’s phone number to a hacker-controlled SIM card.
CISA advocates organizations implement phishing-resistant MFA as part of their zero-trust efforts, adding that the FIDO/WebAuthn authentication is the “only widely available phishing resistant authentication.” It uses either physical tokens that connect to a device via a USB port or near-field communications or can be embedded into laptops or mobile devices as “platform” authenticator to confirm the identity of users.
Another phishing-resistant MFA technique is PKI-based and is most often seen in the smart cards some federal agencies issue to users. The cards contain a security chip with user’s credentials, and the system requires the card be directly connected to a device for the user to login. The downside for many organizations is that it also requires “highly mature identity management practices,” CISA said.
Organizations looking to implement phishing resistant MFA should prioritize the most vulnerable and/or the highest value assets, whether that be resources like email, remote access and identity servers like Active Directory or personnel like system administrators, C-level officials or human resources staff, CISA advised.
The security agency also outlined potential challenges: not all systems will support phishing-resistant MFA, training staff may take time and some users may resist changing their login practices.
CISA also released a fact sheet on Number Matching in MFA Applications, a practice it said organizations can use to better secure their mobile push-notification based MFA from push fatigue. Number matching forces the user to copy two or three numbers from the identity platform into their app before the authentication request is approved.
“Although number matching is not as strong as phishing-resistant MFA, it is one of best interim mitigation for organizations who may not immediately be able to implement phishing-resistant MFA,” CISA said.