The US Cybersecurity and Infrastructure Security Agency (CISA) published a fact sheet for businesses and industry professionals on implementing phishing-resistant multi-factor authentication (MFA). MFA is an extra step beyond a password to access an account or information. Traditional MFA is not immune to attack: one-time codes sent by text message can be intercepted through SIM swapping or simply relayed by a phishing page that asks the victim to type the code in, and push-notification approvals can be defeated by push bombing (sending prompts repeatedly until a tired user approves one). In each case the attacker exploits a person who can be persuaded to hand over, or approve, the second factor.
“CISA strongly urges all organizations to implement phishing-resistant MFA as part of applying Zero Trust principles. While any form of MFA is better than no MFA and will reduce an organization’s attack surface, phishing-resistant MFA is the gold standard and organizations should make migrating to it a high priority effort,” CISA notes in its tip sheet.
Phishing, by definition, takes advantage of people, so phishing-resistant MFA seeks to remove the human factor from the authentication process.
The fact sheet highlights two phishing-resistant authentication methods, FIDO and PKI. FIDO is the most widely available method and can use physical security keys or authenticators built into phones and laptops, typically unlocked with a fingerprint, face scan, or PIN. What makes it phishing-resistant is that the credential is bound to the website it was registered with, so a look-alike site cannot obtain a usable login. PKI-based authentication is less common in the private sector but is the primary form of MFA in the US federal government, where smart cards (PIV and CAC) carrying a certificate are used to log in to workstations. Read our blog post about FIDO here.
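To make the "bound to the website" point concrete, here is a small model of a WebAuthn (FIDO2) login ceremony, added here as an illustration and not taken from the CISA fact sheet or from Quanexus. The domains, challenge values and the HMAC used as a stand-in for the authenticator's signature are all constructed: a real authenticator signs with a per-credential private key and the site verifies with the matching public key, but the checks the site performs on the signed data are the ones shown.

```python
"""Toy WebAuthn model: why a FIDO assertion cannot be relayed by a phishing site,
and why a one-time code can.  Constructed example; HMAC stands in for ECDSA."""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"               # constructed relying-party (RP) ID
EXPECTED_ORIGIN = "https://login.example.com"
PHISH_RP_ID = "login-example.net"         # constructed look-alike domain
PHISH_ORIGIN = "https://login-example.net"


def _auth_data(rp_id):
    # authenticatorData: SHA-256(rpId) || flags (UP set) || 32-bit sign counter
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")


class ToyAuthenticator:
    """Credentials are scoped to the RP ID they were created for."""
    def __init__(self):
        self._keys = {}

    def make_credential(self, rp_id):
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key                       # a real authenticator returns only the public key

    def get_assertion(self, rp_id, client_data):
        key = self._keys.get(rp_id)
        if key is None:
            return None                  # nothing registered for this RP ID
        auth_data = _auth_data(rp_id)
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(key, signed, hashlib.sha256).digest()


def browser_client_data(origin, challenge):
    """The browser, not the page's JavaScript, records the origin it is really on."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, sort_keys=True).encode()


def rp_verify(stored_key, challenge, client_data, auth_data, sig):
    """Relying-party checks, in the order WebAuthn specifies them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != challenge:
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(client_data).digest()
    if not hmac.compare_digest(hmac.new(stored_key, signed, hashlib.sha256).digest(), sig):
        return "bad signature"
    return "ok"


def _setup():
    authn = ToyAuthenticator()
    return authn, authn.make_credential(RP_ID), secrets.token_hex(16)


def legitimate_login():
    authn, key, challenge = _setup()
    cd = browser_client_data(EXPECTED_ORIGIN, challenge)
    auth_data, sig = authn.get_assertion(RP_ID, cd)
    return rp_verify(key, challenge, cd, auth_data, sig)


def phished_login_browser():
    """Look-alike site relays the real challenge; the browser scopes the request to
    the phishing domain's RP ID, for which no credential exists."""
    authn, key, challenge = _setup()
    cd = browser_client_data(PHISH_ORIGIN, challenge)
    if authn.get_assertion(PHISH_RP_ID, cd) is None:
        return "no credential for phishing RP ID"
    return "unexpected"


def phished_login_rogue_client():
    """Even a rogue client that forces use of the real credential cannot hide the
    origin, because the signed client data names the phishing site."""
    authn, key, challenge = _setup()
    cd = browser_client_data(PHISH_ORIGIN, challenge)
    auth_data, sig = authn.get_assertion(RP_ID, cd)
    return rp_verify(key, challenge, cd, auth_data, sig)


def forged_login():
    """Attacker writes client data naming the real origin but has no key to sign it."""
    authn, key, challenge = _setup()
    cd = browser_client_data(EXPECTED_ORIGIN, challenge)
    return rp_verify(key, challenge, cd, _auth_data(RP_ID), secrets.token_bytes(32))


def otp_relay():
    """Contrast: a 6-digit HOTP-style code typed into the phishing page is accepted
    by the real site, because nothing in the code says where it was typed."""
    seed = secrets.token_bytes(20)

    def code(counter):
        mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
        return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)

    typed_into_phishing_site = code(7)   # attacker forwards it within seconds
    return typed_into_phishing_site == code(7)
```

The three failing paths are the whole story: a compliant browser never offers the credential to the wrong domain, a rogue client cannot change the origin without invalidating the signature, and an attacker without the private key cannot sign at all. The OTP function shows the gap the fact sheet is pointing at: a code that is valid anywhere for thirty seconds is valid on the attacker's site too.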
The fact sheet also lays out how businesses should prioritize a phishing-resistant MFA rollout. Systems that attackers go after most often, such as email, file servers, and remote access services, should be protected first. Business owners should likewise protect high-value users first: employees with access to customer personally identifiable information (PII) or with elevated privileges, such as system administrators, attorneys, and human resources staff, belong at the top of the implementation list.
The fact sheet also highlights user awareness. Not all products support phishing-resistant MFA, so CISA recommends starting with the services that already do, such as email hosting platforms. A gradual rollout lets users get accustomed to the new process, and additional services can be brought under phishing-resistant MFA as their vendors add the capability. Read the full fact sheet here.
Quanexus IT Support Services for Dayton and Cincinnati