The Cybersecurity and Infrastructure Security Agency (CISA) has released a comprehensive advisory warning users against the risks of relying on Short Message Service (SMS) for multi-factor authentication (MFA).
This recommendation forms a central part of CISA’s new “Mobile Communications Best Practice Guidance,” which aims to strengthen the security of mobile communications, particularly for individuals targeted by sophisticated cyberattacks.
The advisory, released on December 18, 2024, comes amidst increasing cyber threats, particularly from state-sponsored actors targeting sensitive communications.
“SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals,” states the advisory, underscoring the agency’s call for safer alternatives like Fast Identity Online (FIDO) authentication protocols.
Why SMS MFA is Vulnerable
SMS-based MFA has long been a popular choice for securing online accounts due to its simplicity and widespread adoption. However, CISA identifies two major vulnerabilities that make SMS MFA inadequate for modern cybersecurity challenges.
First, SMS messages are transmitted in plaintext, making them susceptible to interception by attackers who have gained access to telecommunications networks. Second, SMS MFA lacks phishing resistance, meaning threat actors can easily deceive users into sharing their authentication codes through fraudulent messages or websites.
These vulnerabilities have been exploited by state-sponsored actors, particularly those linked to China. Such actors have targeted telecommunications infrastructure to intercept SMS messages and compromise sensitive accounts.
In its advisory, CISA warns that high-risk individuals, such as government officials and critical infrastructure personnel, are particularly vulnerable to these forms of attack.
The Transition to Phishing-Resistant Authentication
To address these risks, CISA recommends transitioning to phishing-resistant MFA methods, with a strong emphasis on FIDO authentication. FIDO protocols leverage cryptographic keys to authenticate users without transmitting sensitive data over insecure networks.
Hardware-based security keys, such as Yubico or Google Titan, are highlighted as the most robust option, though FIDO passkeys—digital cryptographic credentials—are also deemed acceptable alternatives.
“Once enrolled in FIDO-based authentication, disable other, less secure forms of MFA,” the guidance advises. This ensures that fallback options, such as SMS, do not inadvertently create exploitable vulnerabilities.
Broader Recommendations for Mobile Security
In addition to advising against SMS MFA, CISA’s guidance provides a range of best practices for securing mobile communications. These include adopting end-to-end encrypted messaging platforms, such as Signal, to ensure that communications remain private and protected.
Regularly updating device software is also critical, as updates often include patches for known vulnerabilities. CISA further recommends using password managers to generate and securely store unique passwords, thereby reducing the risk of account compromise due to weak or reused credentials.
The advisory also warns against the use of personal virtual private networks (VPNs), stating that they can shift vulnerabilities from internet service providers to VPN providers. Instead, organizations are encouraged to use enterprise-grade solutions when VPN access is required.
Understanding FIDO Authentication
Fast Identity Online (FIDO) authentication represents a significant advancement in account security. Unlike traditional MFA methods, FIDO relies on public key cryptography to authenticate users.
When a user registers a device, a private cryptographic key is generated and stored securely on the device, while a corresponding public key is stored on the server. During login, the device signs a server challenge using the private key, ensuring that sensitive information never leaves the device.
This method provides robust protection against phishing and man-in-the-middle attacks, making it an essential tool for safeguarding high-value accounts. By eliminating the need for transmitted codes, FIDO authentication addresses the core vulnerabilities inherent in SMS MFA.
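The registration and challenge-signing flow described above, as an added sketch that is not part of CISA's guidance or any FIDO implementation: the `Authenticator` and `RelyingParty` types and the `origin|challenge` digest layout are assumptions for illustration (real WebAuthn signs structured authenticator data and client data, but the effect is the same). It also shows why the scheme resists phishing: the signature covers the site origin, so a code signed for a look-alike domain fails at the genuine server, and a fresh random challenge defeats replay.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// RelyingParty models the server; it stores only the public key and its own origin.
type RelyingParty struct {
	origin string
	pub    *ecdsa.PublicKey
}

// Register generates a P-256 key pair on the device and hands the server the public half.
func Register(origin string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &RelyingParty{origin: origin, pub: &priv.PublicKey}, nil
}

// Challenge returns 32 fresh random bytes; a signature over them cannot be replayed later.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// digest binds the challenge to the origin the browser reports (assumed layout: origin|challenge).
func digest(origin string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return d[:]
}

// Sign signs the challenge for the origin the user is actually visiting.
func (a *Authenticator) Sign(challenge []byte, origin string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, digest(origin, challenge))
}

// Verify checks the signature against the stored public key and the server's own origin,
// so a signature produced on a phishing page never verifies here.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(rp.pub, digest(rp.origin, challenge), sig)
}
```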
The Broader Cybersecurity Context
CISA’s guidance is part of a larger effort to address growing threats from state-sponsored cyber actors. In recent years, malicious campaigns targeting telecommunications infrastructure have increased, allowing attackers to intercept private communications and exfiltrate sensitive data.
The guidance specifically targets individuals in high-risk roles, such as senior government officials and corporate executives, who are often the focus of these advanced cyberattacks.
“Highly targeted individuals should assume that all communications between mobile devices are at risk of interception or manipulation,” the guidance warns. This stark assessment reflects the evolving nature of cyber threats and underscores the importance of implementing stronger security measures.