Implementing Phishing-resistant MFA

Phishing attacks continue to make news around the country. Businesses of all sizes have fallen prey, suffering damaged reputations and potentially losing millions of dollars.

Before the year 2022 has even concluded, a SlashNext phishing report found there had already been 255 million phishing attacks detected in the year, a 61% increase over the previous year. The SlashNext report notes that zero-hour threats are spiking, representing 54% of all detected threats. A zero-hour (or zero-day) threat is one that hasn’t been seen before and doesn’t match any known malware signatures, making it much more difficult, or even impossible to detect by traditional signature-matching solutions.

 According to the report, the industries most often targeted are:

  1. Healthcare
  2. Professional and scientific services
  3. Information technology
  4. Construction and engineering
  5. Finance and insurance

The most common method for zero-hour phishing threats was credential stealing, representing 76% of detected attacks. Recent headlines showcase how common human error is in data breaches. Bed Bath and Beyond recently disclosed that it had data accessed without authorization after an employee was phished. Michigan Medicine notified more than 33,000 patients that their health data may have been compromised after a phishing attack resulted in employees giving up their login information.

The Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to implement multifactor authentication (MFA) strategies that are more resilient to phishing attacks. Not all MFAs are created equal. Less phishing-resistant MFA policies are more likely to fail at blocking one of the following cyber-attacks:


Phishing is a form of social engineering in which cyber threat actors use email or malicious websites to solicit information. For example, in a widely used phishing technique, a threat actor sends an email to a target that convinces the user to visit a threat actor-controlled website that mimics a company’s legitimate login portal. The user submits their username, password, and the 6-digit code from their mobile phone’s authenticator app.

Push bombing (also known as push fatigue)

Cyber threat actors bombard a user with push notifications until they press the “Accept” button, thereby granting threat actor access to the network.

Exploitation of SS7 protocol vulnerabilities

Cyber threat actors exploit Signaling System No. 7 (SS7) protocol vulnerabilities in communications infrastructure to obtain MFA codes sent via text message (SMS) or voice to a phone. SS7 is a set of protocols that allows phone networks to exchange the information needed for passing calls and text messages between each other.

SIM Swap

SIM Swap is a form of social engineering in which cyber threat actors convince cellular carriers to transfer control of the user’s phone number to a threat actor-controlled SIM card, which allows the threat actor to gain control over the user’s phone.

Here is information on some different MFA options, listed from most to least secure.

Phishing-resistant MFA options

Considered the MFA gold standard, these options provide the best phishing defense. They are not applicable to push bombing, SS7, and SIM swap attacks.

FIDO/ WebAuthn authentication

The only widely available phishing-resistant authentication is FIDO/WebAuthn authentication. The FIDO Alliance originally developed the WebAuthn protocol as part of FIDO2 standards and is now published by the World Wide Web Consortium (W3C). WebAuthn support is included in major browsers, operating systems, and smartphones. WebAuthn works with the related FIDO2 standard to provide a phishing-resistant authenticator. WebAuthn authenticators can either be:

  • Separate physical tokens (called “roaming” authenticators) connected to a device via USB or near-field comms (NFC),
  • Embedded into laptops or mobile devices as “platform” authenticators.

In addition to being “something that you have,” FIDO authentication can incorporate various other types of factors, such as biometrics or PIN codes. FIDO2-compliant tokens are available from a variety of vendors.

PKI-based MFA

A less widely available form of phishing-resistant MFA is tied to an enterprise’s PKI. PKI-based MFA comes in a variety of forms; a well-known form of PKI-based MFA is the smart cards that government agencies use to authenticate users to their computers. PKI-based MFA provides strong security and is sensible for large and complex organizations.

However, successfully deploying PKI-based MFA requires highly mature identity management practices. It is also not as widely supported by commonly used services and infrastructure, especially in the absence of SSO technologies. In most PKI-based MFA deployments, a user’s credentials are contained in a security chip on a smart card, and the card must be directly connected to a device for the user to log into the system (with the correct password or PIN). The U.S. government’s personal identity verification (PIV) card and common access card (CAC) are examples of PKI-based MFA.

App-based Authentication

These app-based authentication MFAs are resistant to push bombing but vulnerable to phishing. They are not applicable to SS7, and SIM swap attacks.

One-time Password (OTP)

App-based authenticators verify a user’s identity either by generating OTP codes or by sending “push” pop-up notifications to the mobile application.

Mobile push notification with number matching

In mobile push notification, the user accepts a “push” prompt sent to the mobile application to approve an access request. When number matching is implemented, there is an additional step between receiving and accepting the prompt: the user is required to enter numbers from the identity platform into the application to approve the authentication request. See CISA fact sheet Implement Number Matching in MFA Applications for more information.

Token-based OTP

Token-based authenticators verify a user’s identity by generating OTP codes that the user enters to prove possession of the token.

Authentication via an app- or token-based OTP or mobile push with number matching is the best option for small- and medium-sized businesses that cannot immediately implement phishing-resistant MFA.

The following app-based MFA is vulnerable to push bombing attacks as well as user error:

Mobile application push notification without number matching

In a standard mobile app push notification without number matching, the user opens and accepts a “push” prompt sent to the mobile application to approve an access request. There is no additional step between receiving and accepting the prompt.

SMS or Voice

SMS or voice MFA works by sending a code to the user’s phone or email. The user then retrieves this second-factor code from their text or email inbox to use for login authentication.

Vulnerable to phishing, SS7, and SIM swap attacks, SMS or voice MFA should only be used as a last resort MFA option. However, it can serve as a temporary solution while organizations transition to a stronger MFA implementation.

Train Your Employees

A phishing-resistant MFA system can go a long way to protecting your organization from attacks, but human error can still lead to vulnerabilities. A thorough cybersecurity training program that includes multiple phishing campaigns annually will help your employees spot phishing attempts and avoid taking the bait.

CompliancePoint offers a full suite of cybersecurity services that will help your organization better defend itself from cyber-attacks, including cyber risk assessments and breach readiness assessments. Contact us at to more about how we can help your business.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.