Based on the CISA Cross-Sector Cybersecurity Performance Goals (CPGs),
Phishing-Resistant Multifactor Authentication (MFA) (2.H), as defined there:
TTP or Risk Addressed:
- Brute Force (T1110)
- Remote Services: Remote Desktop Protocol (T1021.001)
- Remote Services: SSH (T1021.004)
- Valid Accounts (T1078, ICS T0859)
- External Remote Services (ICS T0822)
Scope:
- IT and OT assets with remote access, such as workstations and human-machine interfaces (HMIs), where safe and technically capable
Recommended Action:
Organizations implement MFA for access to assets using the strongest available method for that asset (see Scope above). MFA options sorted by strength, high to low, are as follows:
- Hardware-based, phishing-resistant MFA (e.g., FIDO/WebAuthn or public key infrastructure (PKI) based; see CISA guidance in "Resources").
- If such hardware-based MFA is not available, then mobile app-based soft tokens (preferably push notification with number matching) or emerging technology such as FIDO passkeys are used.
- MFA via short message service (SMS) or voice is used only when no other option is possible.
- IT: All IT accounts leverage MFA to access organizational resources. Prioritize accounts with highest risk, such as privileged administrative accounts for key IT systems.
- OT: Within OT environments, MFA is enabled on all accounts and systems that can be accessed remotely, including vendors/maintenance accounts, remotely accessible user and engineering workstations, and remotely accessible HMIs.
We support all of the Recommended Actions in Phishing-Resistant Multifactor Authentication (MFA) (2.H) as listed above, for IT, OT, air-gapped, and air-gapped cloud environments.
Furthermore, we have implemented several security enhancements beyond the requirements of 2.H. These include:
1. OTA (over-the-air) digital signing, combined with optional username/password authentication, for secure provisioning of mobile devices. With this method, sensitive information is never stored in the QR code itself.
2. Configurable push-fatigue protection settings that prevent users from unintentionally granting unauthorized access by approving a flood of prompts. If abuse is detected, the system automatically disables the token involved.
3. Push authentication combined with FIDO (Fast Identity Online) to verify user identity, which provides strong protection against phishing and eliminates the need for passwords. Organizations can choose Yes/No push for non-administrative accounts and FIDO push authentication for administrative/privileged accounts, or use FIDO push authentication for all users.
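As an added illustration of item 1 above (example code written for this page, not the vendor's implementation): a Go sketch of signed OTA provisioning in which the QR code carries only a short-lived, Ed25519-signed enrollment reference, and the app verifies that signature against a public key pinned in the app before it contacts the server to obtain the token seed. The field names (enroll_id, server, expires), the server URL mfa.example.net and the enrollment id are assumptions; the optional username/password step and the seed download itself are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Enrollment is all the QR carries: a short-lived reference to a record on the
// provisioning server (assumed field names). The OTP seed is never in the QR;
// the app fetches it from Server only after the signature check (and the
// optional username/password step) succeeds.
type Enrollment struct {
	EnrollID string `json:"enroll_id"`
	Server   string `json:"server"`
	Expires  int64  `json:"expires"` // Unix seconds
}

type signedEnrollment struct {
	Payload   string `json:"payload"`   // base64(JSON Enrollment)
	Signature string `json:"signature"` // base64(Ed25519 signature over the payload bytes)
}

// NewProvisioningKey makes the server's signing key; the public half is pinned in the app.
func NewProvisioningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignEnrollment runs on the provisioning server and returns the text to encode as the QR.
func SignEnrollment(priv ed25519.PrivateKey, e Enrollment) (string, error) {
	body, err := json.Marshal(e)
	if err != nil {
		return "", err
	}
	out, err := json.Marshal(signedEnrollment{
		Payload:   base64.StdEncoding.EncodeToString(body),
		Signature: base64.StdEncoding.EncodeToString(ed25519.Sign(priv, body)),
	})
	return string(out), err
}

// VerifyEnrollment runs in the app with the pinned public key: a forged,
// tampered or expired QR is rejected before any network request is made.
func VerifyEnrollment(pub ed25519.PublicKey, qr string, now time.Time) (*Enrollment, error) {
	var se signedEnrollment
	if err := json.Unmarshal([]byte(qr), &se); err != nil {
		return nil, err
	}
	body, errP := base64.StdEncoding.DecodeString(se.Payload)
	sig, errS := base64.StdEncoding.DecodeString(se.Signature)
	if errP != nil || errS != nil || !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("enrollment signature invalid")
	}
	var e Enrollment
	if json.Unmarshal(body, &e) != nil || now.Unix() > e.Expires {
		return nil, errors.New("enrollment malformed or expired")
	}
	return &e, nil
}

func main() {
	pub, priv, err := NewProvisioningKey()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed enrollment: a ten-minute window is plenty for a user to scan a code.
	qr, _ := SignEnrollment(priv, Enrollment{EnrollID: "enr-1", Server: "https://mfa.example.net", Expires: now.Add(10 * time.Minute).Unix()})
	fmt.Println("QR text:", qr) // contains a reference and a signature, no seed
	_, err = VerifyEnrollment(pub, qr, now)
	fmt.Println("genuine QR accepted:", err == nil)
	_, err = VerifyEnrollment(pub, qr, now.Add(time.Hour))
	fmt.Println("expired QR accepted:", err == nil)
}
```

The point of the design is what a leaked or photographed QR is worth to an attacker: an opaque, expiring reference that cannot be altered (the signature covers the whole payload) and that by itself yields no seed, because the server still authenticates the device, and optionally the user, before releasing it.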
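As an added illustration of item 2 above (example logic written for this page, not the vendor's implementation, and not a statement of what its settings actually are): a Go push-fatigue guard with a configurable limit on unapproved prompts per token inside a sliding window, run over a constructed stream of prompt outcomes. A token that exceeds the limit is disabled and stays disabled. The limit of three unapproved prompts in five minutes, the token names and the sample events are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// PromptEvent is one push prompt outcome as an MFA server would log it.
// A prompt the user ignored until it timed out is recorded like a denial.
type PromptEvent struct {
	Token    string
	Approved bool
	At       time.Time
}

// PushFatigueGuard counts prompts the user did not approve (denied or ignored)
// per token inside a sliding window and disables the token once the
// configurable limit is exceeded, so an attacker cannot simply keep prompting
// until the user taps "approve" to make the notifications stop.
type PushFatigueGuard struct {
	MaxUnapproved int // unapproved prompts tolerated inside Window
	Window        time.Duration
	unapproved    map[string][]time.Time
	disabled      map[string]bool
}

func NewPushFatigueGuard(maxUnapproved int, window time.Duration) *PushFatigueGuard {
	return &PushFatigueGuard{MaxUnapproved: maxUnapproved, Window: window,
		unapproved: map[string][]time.Time{}, disabled: map[string]bool{}}
}

// Record logs one prompt outcome and reports whether the token is now disabled.
// An approval does not clear the count (denials followed by an approval is the
// fatigue pattern itself), and a disabled token stays disabled until re-enrolled.
func (g *PushFatigueGuard) Record(token string, approved bool, at time.Time) bool {
	if g.disabled[token] {
		return true
	}
	var recent []time.Time
	for _, t := range g.unapproved[token] {
		if at.Sub(t) <= g.Window { // keep only prompts still inside the window
			recent = append(recent, t)
		}
	}
	if !approved {
		recent = append(recent, at)
	}
	g.unapproved[token] = recent
	g.disabled[token] = len(recent) > g.MaxUnapproved
	return g.disabled[token]
}

// Replay feeds a stream of events in order and returns the tokens that were
// disabled, in the order they tripped the guard.
func (g *PushFatigueGuard) Replay(events []PromptEvent) []string {
	var disabled []string
	seen := map[string]bool{}
	for _, ev := range events {
		if g.Record(ev.Token, ev.Approved, ev.At) && !seen[ev.Token] {
			seen[ev.Token] = true
			disabled = append(disabled, ev.Token)
		}
	}
	return disabled
}

func main() {
	// Constructed sample: tok-42 is hammered with prompts while tok-7 sees normal use.
	base := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	events := []PromptEvent{
		{"tok-7", true, base},
		{"tok-42", false, base.Add(1 * time.Minute)},
		{"tok-42", false, base.Add(2 * time.Minute)},
		{"tok-42", false, base.Add(3 * time.Minute)},
		{"tok-42", false, base.Add(4 * time.Minute)}, // 4th unapproved prompt in 5 min: disabled
		{"tok-42", true, base.Add(5 * time.Minute)},  // the worn-down "approve" no longer counts
		{"tok-7", false, base.Add(40 * time.Minute)},
	}
	g := NewPushFatigueGuard(3, 5*time.Minute) // assumed policy, not the vendor's defaults
	fmt.Println("disabled tokens:", g.Replay(events)) // prints: disabled tokens: [tok-42]
}
```

The guard bounds how many tries an attacker gets per window; it does not stop a user approving the second or third prompt. That gap is what number matching (listed under the Recommended Action above) closes, since the user must then type a code shown on the login screen the attacker controls, and the combination of the two is the usual deployment.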