CISA Releases Guidance on Phishing-Resistant and Numbers Matching Multifactor Authentication

The Cybersecurity and Infrastructure Security Agency (CISA) released two fact sheets, “Implementing Phishing-Resistant MFA” and “Implementing Number Matching in MFA Applications,” to give IT leaders and network defenders an improved understanding of current threats against accounts and systems that use multifactor authentication (MFA).

Because not all forms of MFA are equally secure, the phishing-resistant fact sheet informs organizations and users of the threats to MFA and how to implement the most secure form of MFA. CISA also published an infographic of the hierarchy of MFA options that is available on, which shows phishing-resistant MFA as the strongest choice.

For small- and medium-size businesses that cannot immediately implement phishing-resistant MFA, the fact sheet on implementing number matching provides guidance for organizations to use mobile push with number matching as an interim option. While “number matching” MFA is a great interim mitigation, CISA encourages organizations to develop plans to migrate to phishing-resistant MFA.

As part of long- and intermediate-term plans to apply Zero Trust principles, CISA encourages all organizations to implement phishing-resistant MFA. CISA recommends that organizations identify systems that do not support MFA and develop a plan to either upgrade these systems to support MFA or migrate to new systems that support MFA.

In the past year, CISA has seen bypass attacks on MFA increase and intensify. However, we have only heard about some of these bypass attacks because the attackers went public. All organizations should share information on incidents and anomalous activity with CISA's 24/7 Operations Center at or Report | CISA and/or with the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or

CISA has updated with this new guidance along with the infographic. Your support to amplify this information on using MFA through your communications and social media channels is appreciated. And as always, thank you for your continued collaboration.


Steve Lyddon
Protective Security Advisor, Region 5, Illinois
Cybersecurity and Infrastructure Security Agency
U.S. Department of Homeland Security
Cell: 217-299-3954