CISA MFA Guidelines – Multi-Factor Authentication Battles Phishing

The CISA MFA Guidelines are out as the Cybersecurity and Infrastructure Security Agency battles phishing with multifactor authentication.

The CISA has published two fact sheets highlighting threats against accounts and systems using certain types of MFA. CISA recommends implementing multifactor authentication (MFA) to prevent phishing attacks.

The U.S. Computer Emergency Readiness Team (US-CERT) is part of the U.S. Department of Homeland Security’s National Protection and Programs Directorate (NPPD). US-CERT provides timely, relevant, actionable cyber security alerts to help protect federal civilian agencies and their mission-critical IT systems from

To prevent attacks from spoofing, CISA recommends using multifactor authentication (MFA) systems that use web browser technology such as FIDO2/WebAuthn and PKI.

For mobile apps, CISA mentions using one-time passwords (OTP), mobile pushes with number matching, and tokens for OTPs. SMS and voice MAF should use OTPs sent via phone calls or text messages.

What Else Was Covered In The CISA MFA Guidelines

CISA MFA guideliness for multi factor authenticationThe second factsheet released by the NIST provides additional information regarding threats and defenses against account and system security via mobile push notifications, including how MFA prompt works, how to protect yourself from threats, and best practice recommendations for implementing MFA with number matching.

The second document also provides insight into how attackers may attempt to compromise an organization’s mobile device management system by targeting its authentication servers and using stolen credentials to impersonate legitimate devices and applications from trusted vendors and services, including Google Play Services, Facebook Messenger, WhatsApp, Apple Pay, and others.

“To prevent phishing attacks, organizations must use two-factor authentication (2FA) methods, which include multi-step verification (MV), SMS/text message confirmation, etc.,” CISA explained, adding that, although these 2FA methods are better than no security at all, they are not foolproof.

“For example, if an attacker obtains a user’s password through social engineering, they could log into the account without needing additional credentials. Therefore, organizations should consider implementing a second layer of protection by requiring additional steps when logging in.”

Both Fact Sheets were released last week. They come weeks after a security researcher found a phishing campaign targeting Microsoft accounts.