Implementing Phishing-Resistant MFA
CISA | DEFEND TODAY, SECURE TOMORROW
@CISAgov | @cyber | @uscert_gov
Linkedin.com/company/cisagov
AREAS OF FOCUS FOR IMPLEMENTING PHISHING-RESISTANT MFA
Prioritizing Implementation Phases
CISA recommends that an organization’s IT leadership consider the following questions to help prioritize the migration to phishing-resistant MFA and break it into logical phases:
• What resources do I want to protect from compromise? For example, cyber threat actors often target email systems, file servers, and remote access systems to gain access to an organization’s data. They also try to compromise identity servers like Active Directory, which would allow them to create new accounts or take control of user accounts.
• Which users are high-value targets? While the compromise of any user account can create a serious security incident, every organization has a small number of user accounts that have additional access or privileges, which are especially valuable to cyber threat actors. For example, if a cyber threat actor can compromise the account of a system administrator, they may be able to access any system and any data in the organization. Other examples of high-value targets are attorneys—who may have e-discovery permissions to read email, including deleted email, of staff members—or HR staff, who may have access to personnel records.
Common Issues and Paths Forward
When starting their deployment of phishing-resistant MFA, organizations often run into the same stumbling blocks. These common issues and possible paths forward include:
• Some systems may not support phishing-resistant MFA. Perhaps the product is no longer supported by the vendor, or the vendor has not yet prioritized the work to implement phishing-resistant MFA. Regardless, CISA encourages organizations to first focus on the services that do support phishing-resistant MFA, e.g., most hosted mail and SSO systems support FIDO; these systems are good starting points because the data they hold is valuable and their vendors likely already support FIDO.
• It may be difficult to deploy phishing-resistant MFA to all staff members at once. For example, it may be impractical to train, enroll, and support all users at the same time, or there may be other operational considerations that prevent the organization from rolling out phishing-resistant MFA to some groups in the first phase. Consider which groups might be appropriate for an initial phase, e.g., help desk and IT system administrators. Later phases can expand from there, incorporating lessons learned from the earlier phases.
• There may be concerns that users will resist a migration to phishing-resistant MFA. IT security leadership should present the risks associated with not having MFA—or with deploying or maintaining potentially vulnerable MFA—to the organization’s top leadership for approval. Should the organization’s senior leadership decide that the risk of not using phishing-resistant MFA is too great, they are best positioned to manage the cultural and communications challenges of implementation.
RESOURCES
• For more information on MFA, see CISA’s MFA webpage, CISA’s MFA factsheet, and CISA’s Capacity Enhancement Guide: Implementing Strong Authentication.
• See the FIDO Alliance’s User Authentication Specifications for information on FIDO2 authentication specifications: FIDO Universal Second Factor (FIDO U2F), FIDO Universal Authentication Framework (FIDO UAF), and the Client to Authenticator Protocols (CTAP).