- Nov 4, 2022

MFA Best Practices, Follow New Guidelines

Cybersecurity Guides - Cybersecurity News

As with everything in Cybersecurity, bad actors will find a way to exploit anything, so although MFA significantly improves security, nothing is perfect. CISA released a great article on current threats and new recommendations for MFA, specifically to defend against push-bombing.

MFA Best Practices

First and foremost, it is absolutely critically that MFA is enabled and properly configured for ALL SaaS applications and websites where it is available. This applies to all business use but personal as well. Don't take any chances, no matter how long or clever your password is, or even if you don't think there is particularly sensitive information.

CIS Control 06, Access Control Management, covers the application and recommendations of MFA. There are three key categories that are called out to ensure MFA is in use.

MFA should be enforced for ALL SaaS applications.
MFA should be enforced for ALL Remote Access services.
MFA should be enforced for ALL privileged/administrator account use, including on-premise servers and applications.

When setting up MFA there are a few very important recommendations to ensure it is working as it should:

Using an authenticator app is recommended. You should not be using SMS or Email unless those are the only supported options.
When setting up the authenticator app, using a One-Time Passcode (OTP) or random token is the best option. This is the randomly generated number option, which must be accessed from the app, and is only valid for a short period of time. This forces you to manually enter the number in when authenticating.
Make sure the authenticator app is protected with a password or biometric authentication itself. If your phone is unlocked and someone gets a hold of it, you don't want someone else being able to approve an MFA request.
Make sure MFA is enforced by a global policy. You do not want to leave the option open for users to disable MFA whether on purpose or by accident. For example, in Office 365, use a conditional access policy to enforce that users have MFA enabled or they cannot access their accounts.
In order to properly oversee and centrally manage MFA, you can tie all authentication back to a Single Sign-On (SSO) provider. This ensures access and policies are consistent across the organization and between different services/applications.
Make sure you set a reasonable re-authentication period for MFA prompts (after the first sign-in). Depending on the criticality of the system and the sensitivity of the data being accessed, this could be anywhere from forcing MFA every day or upwards of 2 weeks. All applications will force the MFA prompt on the first sign-in, but then they may cache the session, and not prompt again for a pre-defined amount of time. Office 365 is an example of a service that does this.

As we alluded to before, there are many threats and potential weaknesses with MFA. The CISA article referenced discusses these (link below).

Phishing - Phishing is a form of social engineering in which cyber threat actors use email or malicious websites to solicit information. For example, in a widely used phishing technique, a threat actor sends an email to a target that convinces the user to visit a threat actor-controlled website that mimics a company’s legitimate login portal. The user submits their username, password, as well as the 6-digit code from their mobile phone’s authenticator app.
Push bombing (also known as push fatigue) - Cyber threat actors bombard a user with push notifications until they press the “Accept” button, thereby granting threat actor access to the network.
Exploitation of SS7 protocol vulnerabilities - Cyber threat actors exploit SS7 protocol vulnerabilities in communications infrastructure to obtain MFA codes sent via text message (SMS) or voice to a phone.
SIM Swap - SIM Swap is a form of social engineering in which cyber threat actors convince cellular carriers to transfer control of the user’s phone number to a threat actor-controlled SIM card, which allows the threat actor to gain control over the user’s phone.