A fact sheet has been published by the US Cybersecurity and Infrastructure Security Agency (CISA).
The publication responds to a growing number of cyberattacks that defeat weaker forms of multifactor authentication. Not all forms of multifactor authentication are equally safe: the agency writes that some are vulnerable to phishing, to push bombing attacks, and to exploitation of vulnerabilities in the Signaling System 7 (SS7) telephony protocol.
Some of these attack methods have recently been in the news. In a push bombing attack, bad actors bombard a user with dozens of push notifications until the user presses the “Accept” button, which grants the attacker access to the network.
This is how one recent breach of a company’s network was carried out.
Without number matching, it is easy for a user to open the notification and simply accept the prompt. Attackers have been drawn to this method precisely because there is no additional step between receiving the prompt and accepting it. With number matching, the user must enter a sequence of numbers displayed by the identity platform into their authenticator app to approve the request. CISA has published a description of how to implement number matching.
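To make the two ideas above concrete, here is an added example (not CISA's code and not from the original article) of a simulated push-MFA service. It enforces number matching, so a blind “Accept” without the number shown on the login screen is rejected, and it raises an alert when one user receives a burst of prompts, which is the signal a push bombing attack leaves in the logs. The threshold, window, user names and injected clock are all constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed tuning values: how many prompts to one user, within how many
# seconds, before the service flags a possible push bombing attempt.
PUSH_BURST_THRESHOLD = 5
PUSH_BURST_WINDOW_SECONDS = 120


@dataclass
class PushPrompt:
    prompt_id: str
    user: str
    number: int          # two-digit value shown on the login screen
    created_at: float
    state: str = "pending"   # pending | approved | denied


class PushMfaService:
    """Simulated identity platform: issues push prompts, approves them only
    when the user echoes back the matching number, and watches for floods."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so the demo is deterministic
        self._prompts = {}
        self._recent_by_user = {}  # user -> timestamps of recent prompts
        self.alerts = []

    def request_push(self, user):
        ts = self._now()
        # Keep only prompts inside the detection window, then add this one.
        history = [t for t in self._recent_by_user.get(user, [])
                   if ts - t <= PUSH_BURST_WINDOW_SECONDS]
        history.append(ts)
        self._recent_by_user[user] = history
        if len(history) >= PUSH_BURST_THRESHOLD:
            self.alerts.append(
                f"possible push bombing: {len(history)} prompts for {user} "
                f"within {PUSH_BURST_WINDOW_SECONDS}s")
        # Number matching: the login screen shows this number; the app must echo it.
        prompt = PushPrompt(prompt_id=secrets.token_hex(8), user=user,
                            number=secrets.randbelow(100), created_at=ts)
        self._prompts[prompt.prompt_id] = prompt
        return prompt

    def approve(self, prompt_id, entered_number=None):
        """Approve only a pending prompt whose number the user typed correctly.
        A bare 'Accept' (entered_number is None) or a wrong number denies the
        prompt outright, so an attacker-driven flood cannot be approved blindly."""
        prompt = self._prompts.get(prompt_id)
        if prompt is None or prompt.state != "pending":
            return False
        if entered_number is None or entered_number != prompt.number:
            prompt.state = "denied"
            return False
        prompt.state = "approved"
        return True


def demo():
    svc = PushMfaService(now=lambda: 1000.0)
    p = svc.request_push("alice")
    print("blind accept approved?", svc.approve(p.prompt_id))           # False
    p = svc.request_push("alice")
    print("matched-number approved?", svc.approve(p.prompt_id, p.number))  # True
    for _ in range(PUSH_BURST_THRESHOLD):
        svc.request_push("bob")   # constructed flood against one user
    print(svc.alerts)


if __name__ == "__main__":
    demo()
```

In a real deployment the alert would feed the SIEM and, ideally, suspend further prompts for that user until an administrator or the user has been contacted out of band.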
Sending multifactor authentication codes via text message or voice call is less secure than it could be, because of the threats to those channels that Brian Krebs has written about.
Don’t forget about other attack vectors
We have written about attacks on simple passwords and ways to prevent them. We covered new phishing toolkits discovered by academic researchers, as well as busting a variety of multifactor authentication myths. We also offer some suggestions on how to deploy multifactor authentication for your personal accounts.
A FIDO2 or WebAuthn-based token is the gold standard for protecting yourself against phishing. All major browsers and operating systems support WebAuthn. Security hardware embedded in laptops or mobile devices can also act as the authenticator, in place of a separate hardware token.
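The reason a WebAuthn assertion resists phishing is that the browser, not the web page, records the origin the user is actually on, and the authenticator signs over that record together with the relying party's one-time challenge. The added example below (not from the original article and not a WebAuthn library) simulates the relying-party checks for a `webauthn.get` assertion: challenge match, origin match, RP ID hash, user-presence flag, and a signature over `authenticatorData || SHA-256(clientDataJSON)`. The relying party name, origin, key and challenge are constructed, and an HMAC stands in for the ECDSA signature that a real credential key would produce; everything else follows the WebAuthn assertion layout.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse

RP_ORIGIN = "https://example.com"   # constructed: the only origin this RP accepts
RP_ID = "example.com"               # constructed relying party identifier


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def authenticator_sign(credential_key: bytes, browser_origin: str, challenge: str) -> dict:
    """Simulate the browser plus authenticator answering navigator.credentials.get().
    The browser fills in `origin` and derives the RP ID from it; a page cannot
    override either, which is what a phishing proxy would need to do."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}).encode()
    rp_id = urlparse(browser_origin).hostname
    # authenticatorData = rpIdHash(32) | flags(1, bit0 = user present) | signCount(4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(credential_key, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"clientDataJSON": b64url(client_data),
            "authenticatorData": b64url(auth_data),
            "signature": b64url(signature)}


def verify_assertion(response: dict, expected_challenge: str, credential_key: bytes):
    """Relying-party side. Returns (ok, reason) so a caller can log why it failed."""
    client_data_bytes = b64url_decode(response["clientDataJSON"])
    client_data = json.loads(client_data_bytes)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(client_data.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replay or stale login)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    auth_data = b64url_decode(response["authenticatorData"])
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # The signature covers authenticatorData and the hash of clientDataJSON,
    # so neither the origin nor the counter can be altered after signing.
    signed = auth_data + hashlib.sha256(client_data_bytes).digest()
    expected_sig = hmac.new(credential_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(response["signature"])):
        return False, "bad signature"
    return True, "ok"


def run_scenarios(credential_key: bytes = b"constructed-credential-key",
                  challenge: str = "constructed-challenge-0001"):
    """Legitimate login, a look-alike phishing origin, and a replayed challenge."""
    legit = authenticator_sign(credential_key, RP_ORIGIN, challenge)
    phish = authenticator_sign(credential_key, "https://example.com.evil.test", challenge)
    stale = authenticator_sign(credential_key, RP_ORIGIN, "constructed-challenge-0000")
    return {"legit": verify_assertion(legit, challenge, credential_key),
            "phish": verify_assertion(phish, challenge, credential_key),
            "stale": verify_assertion(stale, challenge, credential_key)}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:6s} -> {result}")
```

An SMS or TOTP code carries none of this context: the user can type it into whatever page asked for it, which is exactly why a relayed code works for the attacker and a relayed WebAuthn assertion does not.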
Important considerations for developing a multifactor authentication strategy
There are two important considerations when developing the best multifactor authentication strategy.
Understand the resources you want to protect. Cyber threat actors often target email systems, file servers, and remote access systems to gain access to an organization’s data, and they also try to compromise identity servers such as Active Directory, which would allow them to create new accounts or take control of existing user accounts. Systems that support FIDO protocols should be the first to receive multifactor authentication protection.
Identify the users who are likely to be high-value targets.
Every organization has a small number of user accounts that have additional access or privileges that are valuable to cyber threat actors. IT and system administrators, staff attorneys, and HR managers are some examples. Consider these groups for the initial phase of the project.
CISA recommends that organizations identify systems that do not support multifactor authentication and develop a plan either to upgrade those systems so they support it or to migrate to new systems that do.