Phishing-resistant multifactor authentication isn’t just the strongest form of MFA — it’s “the gold standard for MFA,” according to the Cybersecurity and Infrastructure Security Agency.
The federal agency this week published a fact sheet to clarify its definition of phishing-resistant MFA and provide guidance and prioritization schemes for organizations to implement the safeguards in logical phases.
Three key recommendations from CISA:
- Stick to FIDO standards and the Web Authentication API (WebAuthn) protocol.
- Take stock of your IT systems, determine which platforms support MFA and start there.
- Roll out phishing-resistant MFA in phases, placing early emphasis on high-value targets and resources.
FIDO standards and the WebAuthn protocol are the only widely available phishing-resistant forms of MFA, according to CISA. The protocol and standard, both developed by the FIDO Alliance, can work together to bolster MFA.
The WebAuthn protocol, developed in tandem with FIDO2 standards, is supported in browsers, operating systems and smartphones. It works with the FIDO2 standard to facilitate a phishing-resistant authenticator that can come in the form of physical tokens, such as a USB device, or components embedded in laptops or mobile devices.
FIDO2 authentication can also occur via biometrics or an asymmetric pair of private and public keys.
CISA encourages organizations to identify systems in their infrastructure that don’t support MFA and develop a plan to upgrade or migrate to systems that do.
The agency acknowledges MFA implementations can be challenging and encourages IT leaders to prioritize their organization’s adoption of phishing-resistant MFA in phases.
Start with the resources that are most valuable to, and most often targeted by, threat actors, including email systems, file servers and remote access systems that provide access to corporate data.
Organizations should also prioritize the implementation of phishing-resistant MFA for high-value targets, such as executives or other employees who have additional access or privileges, which are especially valuable to threat actors, according to CISA.
“If a cyberthreat actor can compromise the account of a system administrator, they may be able to access any system and any data in the organization,” the agency said in the guidance.
Attorneys and employees in human resources also might have access to personnel records, which need to be accounted for in prioritization schemes.
While some products may not support the phishing-resistant MFA safeguards, CISA advises organizations to first focus on services, such as hosted mail platforms, that do support them.
Larger organizations will find it difficult and impractical to train, enroll and support all users at once, so it’s best to roll out phishing-resistant MFA in phases, according to CISA. Businesses will also encounter resistance among some employees who find MFA a nuisance, so it is important that security leaders explain the risks and how phishing-resistant MFA can bolster defenses.
CISA urges all organizations to implement phishing-resistant MFA and has multiple resources available online to help guide IT teams through the process.