Phishing resistant MFA - the new normal
Although many organizations still do not use MFA to authenticate their users, even those that do are now vulnerable to the latest phishing techniques.
From 2021 into 2022, Microsoft and other vendors observed increasingly sophisticated phishing-as-a-service kits being used to target MFA-enabled accounts in SaaS services such as Microsoft 365.
Simply put, threat actors have learned to harvest not only the username and password, but also the one-time codes produced by the user's mobile authenticator app.
For organizations where MFA does not involve one-time codes entered into the application login prompt, but relies on mobile phone push notifications instead, attackers have developed the so-called push bombing technique (also known as push fatigue or prompt bombing). In this case, threat actors bombard a user with push notifications until they press the "Accept" button, thereby granting the threat actor access to the network.
It's time for phishing-resistant MFA, or at least number matching
There are two broad ways to address MFA phishing.
First, if using push notifications, augment MFA with number matching. This tackles the problem of MFA push bombing.
Number matching is a setting that forces the user to type a number shown on the login screen into their authenticator app in order to approve the authentication request. Users can no longer approve a push request with a single tap: without seeing the number on the login screen, they cannot accept the prompt at all. This mitigation essentially combines a one-time code with the push notification.
MFA vendors support number matching features under a variety of brand names. A few common examples include Microsoft Number Matching, Duo Verified Push, Okta TOTP.
The second approach is to use proper phishing-resistant MFA implementations relying on public key cryptography, which can be:
FIDO/WebAuthn Authentication
PKI-based MFA
FIDO/WebAuthn authentication is easier to implement and avoids the burden of administering a PKI. The WebAuthn protocol was originally developed by the FIDO Alliance as part of the FIDO2 standards and is now published by the World Wide Web Consortium (W3C). WebAuthn support is included in major browsers, operating systems, and smartphones. WebAuthn works with the related FIDO2 standard (CTAP) to provide a phishing-resistant authenticator. WebAuthn authenticators can be either:
separate physical tokens (called "roaming" authenticators) connected to a device via USB or near-field communication (NFC), or
embedded into laptops or mobile devices as "platform" authenticators (for example, Windows Hello on Windows).
The other phishing-resistant approach is PKI-based MFA, which usually comes in the form of smart cards (or USB PKI tokens) that store the user's private key in a security chip; the card must be connected directly to a device, and the correct PIN entered, for the user to log into the system. Although PKI-based MFA provides strong security, it is hard to administer and maintain, making it a sensible solution only for the largest and most complex organizations.