What the CISA Multi-Factor Authentication Guidance Means for Enterprises


On October 31, 2022, CISA announced critical guidance on threats against organizations using certain forms of multi-factor authentication. The agency urges all organizations to implement phishing-resistant MFA controls as soon as possible, in order to prevent phishing and the increasingly automated and sophisticated attacks on authentication processes.

In its announcement, CISA released two fact sheets with detailed information and recommendations, one on implementing phishing-resistant MFA and one on number matching.

Key Take-Aways on the CISA Multi-Factor Authentication Guidance

The guidance describes current cyber threats to MFA, maps various types of MFA implementations to their threat susceptibility, and provides defense recommendations.

Breaking Down the Phishing-Resistant Authentication Fact Sheet

The fact sheet on Implementing Phishing-Resistant MFA is centered on two primary technical controls:

  1. Using FIDO-based authentication
  2. Using PKI-based authentication

Both of these controls are highly secure and prevent the most common attacks against legacy MFA. Such attacks include phishing and social engineering, push bombing (MFA fatigue), exploitation of SS7 vulnerabilities, and SIM swapping.

However, CISA, like much of the industry, has concerns that these controls are either too difficult to implement (PKI) or that the ecosystem simply isn’t mature enough (FIDO2).

The primary argument is that PKI is far too difficult, something that only extremely mature organizations with large IAM groups can achieve. In 2022, this is a false way of thinking. As just one example, we at HYPR have deployed virtual PKI technology to organizations with a very small IAM team. In one instance, an organization with over 70,000 people and only one resource dedicated to PKI was able to deploy this capability with little trouble.


The second concern involves the coverage that FIDO and WebAuthn capabilities can support. The majority of FIDO2 adoption today is actually done by deploying separate hardware tokens (such as YubiKeys), which takes the industry back to the old days of RSA tokens and all the logistical challenges their deployment poses.

Traditionally, software-based implementations of FIDO2 have been tied to a specific device or platform (such as Windows Hello). This results in an inconsistent user experience: users have to fall back to phishable, less secure MFA methods when they access corporate resources from anything but their dedicated Windows machine. Mac users are left in the lurch, and in most businesses this population is growing rapidly.

New Authentication Technologies Solve These Concerns

Today there are app-based solutions that guarantee phishing resistance and don’t require separate hardware. We at HYPR have a certified FIDO2 mobile authenticator that provides the coverage businesses need without forcing them to fall back to a less secure method such as OTP or push, which would put them out of compliance with the CISA multi-factor authentication guidance.

Overall, the issues with PKI and FIDO that CISA outlined in the paper are valid, but they have been solved by best-of-breed solution providers. Legacy MFA technologies are slow to evolve and are falling behind the pace of innovation that attackers are driving.

Breaking Down the Number Matching Authentication Fact Sheet

The fact sheet on number matching is much shorter, and CISA acknowledges the approach as a temporary technical placeholder until FIDO or PKI solutions can be implemented.

The primary supplier of this capability today is Microsoft, which recently made number matching generally available to Microsoft Authenticator customers in response to the 10,000+ successful MFA bypass attacks against Azure AD and Office 365.

The solution works like this:

  1. The user types in a password (easily phishable)
  2. The user gets a push notification they have to accept (easily phishable)
  3. The user has to enter into the app on their phone the number shown on their browser screen (harder to phish)

This capability adds another step so that the user does not blindly approve a push notification. It puts the attacker in a position where they have to carry out a social engineering attack to bypass MFA, rather than simply annoying the user into accepting a push notification.
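To make the distinction the post draws concrete, here is a small Python model of what a relying party checks in each of the three flows discussed on this page: a legacy push, number matching, and a FIDO2/WebAuthn-style assertion whose phishing resistance comes from origin binding. This is an added example written for this article; it is not HYPR’s, CISA’s or Microsoft’s code. The origin `https://login.example.test`, the user `alice`, the lookalike origin, and the use of HMAC with a shared key in place of a real per-credential key pair are all constructed assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.test"  # assumed legitimate origin (constructed)


class RelyingParty:
    """Server-side checks for legacy push, number matching and a FIDO2-style assertion."""
    def __init__(self):
        self.pending_push = {}  # push_id -> number shown in the user's browser
        self.pending_fido = {}  # user -> outstanding single-use challenge
        self.credentials = {}   # user -> key material of the registered authenticator

    def start_push_login(self):
        """Send a push; return its id and the two-digit number the browser displays."""
        push_id, number = secrets.token_hex(8), secrets.randbelow(100)
        self.pending_push[push_id] = number
        return push_id, number

    def complete_plain_push(self, push_id, approved):
        """Legacy push: a tap on 'Approve' is the only thing checked."""
        if push_id not in self.pending_push:
            return False
        self.pending_push.pop(push_id)
        return bool(approved)

    def complete_number_match(self, push_id, typed_number):
        """Number matching: the number typed into the app must equal the one on screen."""
        if push_id not in self.pending_push:
            return False
        return typed_number == self.pending_push.pop(push_id)

    def register(self, user, authenticator):
        self.credentials[user] = authenticator.credential_key

    def start_fido_login(self, user):
        self.pending_fido[user] = secrets.token_hex(32)
        return self.pending_fido[user]

    def verify_fido_assertion(self, user, assertion):
        """WebAuthn-style order of checks: challenge, type, origin, then signature."""
        challenge = self.pending_fido.pop(user, None)
        if challenge is None:
            return False  # no outstanding challenge: unknown user or replay
        client_data = json.loads(assertion["client_data"])
        if client_data.get("type") != "webauthn.get":
            return False
        if not hmac.compare_digest(str(client_data.get("challenge", "")), challenge):
            return False
        if client_data.get("origin") != RP_ORIGIN:
            return False  # origin binding: the check that makes FIDO phishing-resistant
        signed = assertion["authenticator_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.credentials[user], signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


class Authenticator:
    """Toy authenticator: HMAC with a key the RP also holds stands in for the
    per-credential private key (real FIDO2 authenticators use asymmetric signatures)."""
    def __init__(self):
        self.credential_key = secrets.token_bytes(32)

    def get_assertion(self, challenge, origin):
        # The browser, not the user, fills in the origin it is actually talking to,
        # so a page served from another origin cannot obtain client data naming RP_ORIGIN.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
        ).encode()
        auth_data = hashlib.sha256(b"login.example.test").digest() + b"\x05"  # rpIdHash + flags
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        signature = hmac.new(self.credential_key, to_sign, hashlib.sha256).digest()
        return {"client_data": client_data, "authenticator_data": auth_data, "signature": signature}


def demo():
    rp, results = RelyingParty(), {}
    # Push bombing: a push the user never initiated is approved out of fatigue.
    push_id, _ = rp.start_push_login()
    results["plain_push_blind_approve"] = rp.complete_plain_push(push_id, approved=True)
    # Number matching: whoever approves blindly does not see the number on screen.
    push_id, number = rp.start_push_login()
    results["number_match_wrong_number"] = rp.complete_number_match(push_id, (number + 1) % 100)
    push_id, number = rp.start_push_login()
    results["number_match_legit"] = rp.complete_number_match(push_id, number)
    # FIDO2-style: the assertion is bound to the challenge and to the browser's origin.
    auth = Authenticator()
    rp.register("alice", auth)
    challenge = rp.start_fido_login("alice")
    results["fido_legit_origin"] = rp.verify_fido_assertion("alice", auth.get_assertion(challenge, RP_ORIGIN))
    challenge = rp.start_fido_login("alice")
    lookalike = auth.get_assertion(challenge, "https://login.example-phish.test")
    results["fido_other_origin"] = rp.verify_fido_assertion("alice", lookalike)
    # That challenge was consumed by the failed attempt; challenges are single-use.
    results["fido_replay"] = rp.verify_fido_assertion("alice", auth.get_assertion(challenge, RP_ORIGIN))
    return results
```

Running `demo()` accepts the blind push approval, rejects the number-matching approval with the wrong number and accepts the one with the displayed number, and for the FIDO-style flow accepts only the assertion generated on the legitimate origin. The model shows why the post calls number matching a partial fix: it stops a fatigued user from approving a push they never started, because the approver has to type the number displayed in the legitimate session, but whoever controls that browser session still sees the number, so the control depends on the user noticing that something is wrong. The FIDO-style check does not depend on the user: the browser writes the origin into the signed client data, so an assertion produced on any other origin fails verification regardless of what the user does, and the single-use challenge stops replay.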

This is largely a band-aid mitigation, and I believe that the MFA bypass toolkits available for cheap purchase on the dark web will quickly be retrofitted with templates for bypassing number matching controls.

Additionally, this will undoubtedly upset a lot of employees. Unhappy employees find very innovative ways to subvert security controls, and my concern is that this capability may have the opposite of its intended effect.

At the end of the day, users just want to log in and do their jobs. FIDO and PKI solutions are mature enough to be adopted at scale. IAM teams must prioritize projects that put authentication that is phishing resistant by design, with a consistent and frictionless experience, into the hands of the general user population.

Tips for Enterprises Looking at Passwordless Solutions

  1. Focus on consistency. Your users want a user experience that’s the same across all the various channels, and they want it to be simple! If you have multiple sources of identity, focus on deploying independent authentication controls that provide consistency and phishing resistance.
  2. Beware of FIDO imitators. I’ve been a member of the FIDO Alliance for many years, and there is a huge difference between “FIDO-Like” or “FIDO-Compliant” and “FIDO-Certified.” If you’re looking at vendors, go to the FIDO certification website and find vendors that have both Authenticators AND Servers certified.
  3. Ask for proof! If you’re talking to a vendor about phishing-resistant authentication, speak to their reference customers (and others they don’t provide references for) and dig deep. Ask specifically how they deployed phishing-resistant capabilities, to which user groups and when, how long it took, how the support was, and other factors relevant to your specific environment. These are critical questions to ask because authentication is critical!

CISA Multi-Factor Authentication Guidance a Wake-Up Call for All

As this guidance indicates, the time for phishing-resistant authentication is here. The fact is that phishing-resistant MFA is architecturally different from traditional MFA, and the broader IAM industry needs to recognize that. Up to this point, the organizations that have the most to lose (financial services, insurance, critical infrastructure) have been driving the adoption of phishing-resistant controls. This is no longer tenable: breaches continue to happen, and security teams everywhere will have to adapt. It’s only a matter of time before it becomes a strict requirement under NYDFS, PCI-DSS, GDPR, NIST and other regulatory regimes.

HYPR Fulfills CISA Requirements for Phishing Resistance

HYPR’s True Passwordless™ MFA provides phishing-resistant authentication from desktop to cloud. The only solution FIDO Certified across its entire product stack, HYPR ensures your authentication processes meet the security requirements set by CISA as well as guidance from NIST (800-63B A), the FFIEC, the OMB, and other cybersecurity statutes. 

Moreover, it delivers a simple, unified experience across devices and channels for a short learning curve and lower user frustration. To see how it works, schedule a demo or speak with one of our passwordless experts.

To learn more about passwordless authentication in general, download the Passwordless 101 guide. 

