How to Meet Phishing-Resistant MFA

madhav
Tue, 08/01/2023 – 05:18

Incorporating multi-factor authentication (MFA) as a baseline security control is now standard practice, and deploying it is a sensible decision. The bigger question is which type of MFA is best for your organization. Recent social-engineering attacks that bombard users with authentication prompts (MFA bombing, or push bombing as CISA, the US Cybersecurity and Infrastructure Security Agency, calls it) have raised concerns about which MFA method businesses should select. FIDO and PKI certificate-based authentication (PKI CBA) have emerged as the go-to options for a phishing-resistant approach to MFA, and various directives and regulations mandate their use [1].

These requirements, however, raise a further concern for organizations that must protect both legacy systems that support only PKI CBA and modern applications that support FIDO. How can the two be combined in a single phishing-resistant MFA solution?

From MFA to Phishing-Resistant MFA

MFA bombing attacks, like those against Reddit or Uber, do not mean that MFA is ineffective. Any MFA is much better than no MFA, as a recent CISA advisory highlighted. What MFA bombing (also called MFA fatigue) demonstrates is the limitation of MFA methods that rely on the user approving a prompt. In these attacks the adversary already holds the user's password, typically obtained by phishing, and triggers push notification after push notification until the user, worn down by the prompts, approves one; variants pair the prompts with a message from someone posing as IT support who talks the user into approving the prompt or reading out a one-time code.
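One way to spot push bombing in authentication logs, as an added example that is not part of the original article or of any vendor product: the log format, the event names, the thresholds and every sample line below are assumptions constructed for this illustration. The heuristic flags a user who receives many push challenges in a short window, most of them denied or timed out, and escalates the alert if an approval follows; a user who approves every prompt promptly (a busy but legitimate account) is not flagged.

```python
"""Detect MFA push bombing (push fatigue) in authentication logs.

Heuristic: >= min_pushes push challenges to one user within `window`,
of which >= min_rejections were denied or timed out. If a push is
approved within the incident, the alert is escalated to critical,
because that is the moment the attacker gets in.
"""
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed line format (constructed for this example):
#   <ISO-8601 UTC timestamp> user=<name> event=<push_sent|push_denied|push_timeout|push_approved> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: alice is being bombed and finally approves,
# bob approves six legitimate prompts quickly, carol denies one and approves the next.
SAMPLE_LOG = """\
2023-08-01T05:00:00Z user=bob event=push_sent src=198.51.100.4
2023-08-01T05:00:05Z user=bob event=push_approved src=198.51.100.4
2023-08-01T05:01:00Z user=bob event=push_sent src=198.51.100.4
2023-08-01T05:01:05Z user=bob event=push_approved src=198.51.100.4
2023-08-01T05:02:00Z user=bob event=push_sent src=198.51.100.4
2023-08-01T05:02:04Z user=bob event=push_approved src=198.51.100.4
2023-08-01T05:03:00Z user=bob event=push_sent src=198.51.100.4
2023-08-01T05:03:06Z user=bob event=push_approved src=198.51.100.4
2023-08-01T05:04:00Z user=bob event=push_sent src=198.51.100.4
2023-08-01T05:04:03Z user=bob event=push_approved src=198.51.100.4
2023-08-01T05:05:00Z user=bob event=push_sent src=198.51.100.4
2023-08-01T05:05:07Z user=bob event=push_approved src=198.51.100.4
2023-08-01T05:10:02Z user=alice event=push_sent src=203.0.113.7
2023-08-01T05:10:20Z user=alice event=push_denied src=203.0.113.7
2023-08-01T05:10:45Z user=alice event=push_sent src=203.0.113.7
2023-08-01T05:11:01Z user=alice event=push_denied src=203.0.113.7
2023-08-01T05:11:40Z user=alice event=push_sent src=203.0.113.7
2023-08-01T05:12:40Z user=alice event=push_timeout src=203.0.113.7
2023-08-01T05:13:05Z user=alice event=push_sent src=203.0.113.7
2023-08-01T05:13:15Z user=alice event=push_denied src=203.0.113.7
2023-08-01T05:14:30Z user=alice event=push_sent src=203.0.113.7
2023-08-01T05:14:50Z user=alice event=push_denied src=203.0.113.7
2023-08-01T05:16:10Z user=alice event=push_sent src=203.0.113.7
2023-08-01T05:16:25Z user=alice event=push_approved src=203.0.113.7
2023-08-01T05:20:00Z user=carol event=push_sent src=192.0.2.9
2023-08-01T05:20:30Z user=carol event=push_denied src=192.0.2.9
2023-08-01T05:21:00Z user=carol event=push_sent src=192.0.2.9
2023-08-01T05:21:10Z user=carol event=push_approved src=192.0.2.9
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "event": m["event"], "src": m["src"]}


def detect_push_bombing(lines, window=timedelta(minutes=10), min_pushes=5, min_rejections=3):
    """Return one alert per user whose push activity matches the fatigue pattern."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in sorted(by_user.items()):
        sends = [e["ts"] for e in evs if e["event"] == "push_sent"]
        start = 0
        for end in range(len(sends)):          # sliding window over push_sent timestamps
            while sends[end] - sends[start] > window:
                start += 1
            if end - start + 1 < min_pushes:
                continue
            # Incident = everything from the first push in the window until one
            # extra window after the last, so a late approval is still attributed to it.
            lo, hi = sends[start], sends[end] + window
            outcomes = Counter(e["event"] for e in evs if lo <= e["ts"] <= hi)
            rejections = outcomes["push_denied"] + outcomes["push_timeout"]
            if rejections < min_rejections:
                continue                        # many prompts but the user kept approving: not fatigue
            approved = outcomes["push_approved"] > 0
            alerts.append({
                "user": user,
                "incident_start": lo.isoformat(),
                "pushes": outcomes["push_sent"],
                "denied_or_timed_out": rejections,
                "approved_after_fatigue": approved,
                "severity": "critical" if approved else "high",
            })
            break                               # one alert per user per run
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_push_bombing(SAMPLE_LOG.splitlines()), indent=2))
```

The "critical" escalation is the actionable part: a bombing campaign that ends in an approval means a session was issued to the attacker, so the response is to revoke that user's sessions and reset credentials, not merely to notify the help desk. Thresholds should be tuned against your own prompt volume before the rule goes live.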

These attacks also mean businesses should be cautious about their choice of MFA method. Some MFA methods have proven technical weaknesses (SMS codes, for example, can be intercepted through the SS7 signalling protocol), while others are undermined by social engineering and human error (SIM swapping, which targets the carrier, and push bombing, which targets the user).

To ensure the utmost security, MFA should imp

[…]

This article has been indexed from Thales CPL Blog Feed
