November 2, 2022
CISA Issues Guidance on Numbers Matching and Phishing-Resistant Multifactor Authentication
What happened?
The Cybersecurity and Infrastructure Security Agency (“CISA”) published two fact sheets on October 31, 2022, outlining the dangers to accounts and systems when applying specific types of multifactor authentication (MFA). CISA recommends that firms use phishing-resistant MFA to combat phishing and additional cyber threats. Phishing-resistant MFA removes people from the authentication process and allows for the use of biometrics or security key devices to authenticate rather than push notifications on a mobile device.
Currently, the only widely available phishing-resistant authentication is FIDO/WebAuthn authentication. When a user creates an account, FIDO / WebAuthn authentication allows them to register their device and/or mobile device as a special token. Once the registration is complete, the device and website create a security key that is unique to the account. The website now “knows” and trusts the device, and going forward, only the device will be needed to login into the website.
If you are unable to implement phishing-resistant MFA, CISA advises firms to implement number matching as an alternative to lessen MFA fatigue. Number matching combines standard push notification MFA, requiring the user to enter or pick between a handful of numbers given to the requester.
To view the full fact sheet on implementing phishing-resistant MFA, click here.
What does this mean for me?
If you have any questions about phishing and multifactor authentication, Fairview Cyber can help. We provide essential cyber and data security services like phishing prevention training, internal and external vulnerability scans, vendor due diligence, and more. Contact us today for more information about our services.