CISA Endorses FIDO Passkeys: Protecting Against Telecommunication Network Interception.

Last Updated:
December 24, 2024
Ben Rolfe

The U.S. government's investigation into targeted attacks on telecommunications infrastructure has uncovered a significant cyber espionage campaign.

In response, CISA has released Mobile Communications Best Practice Guidance for high-risk individuals to help them secure their communications and accounts.

Joint Statement by FBI and CISA

CISA strongly urges individuals to review and apply the best practices.

Highly targeted individuals should assume that all communications between mobile devices—including government and personal devices—and internet services are at risk of interception or manipulation. To mitigate these risks, CISA recommends the following measures:

  • Use only end-to-end encrypted communications: Use secure messaging apps such as Signal or similar apps (e.g., WhatsApp) so that only the intended recipients can read the communication.
  • Enable Fast Identity Online (FIDO) phishing-resistant authentication: FIDO authentication employs the strongest form of multi-factor authentication (MFA) and is highly effective against MFA bypass techniques. Hardware-based FIDO security keys, such as Yubico or Google Titan, are the most effective option where feasible. However, FIDO passkeys are a good alternative for environments where hardware keys are impractical.
    • Take inventory of valuable accounts, including email and social media, to identify those where information leakage could benefit threat actors.
    • Enroll each account in FIDO-based authentication, prioritizing critical services like Microsoft, Apple, and Google accounts.
    • Once enrolled in FIDO-based authentication, disable other, less secure forms of MFA to minimize attack surfaces.
  • Migrate away from Short Message Service (SMS)-based MFA: SMS-based authentication is inherently vulnerable to interception and manipulation and should be replaced with more secure alternatives.
    • Do not use SMS as a second factor for authentication: SMS messages are not encrypted, making them susceptible to interception by threat actors with access to a telecommunication provider's network. This method also lacks phishing resistance, making it unsuitable for accounts belonging to highly targeted individuals.
    • Use authenticator apps for less critical accounts: For accounts that are less valuable, consider using authenticator applications such as Google Authenticator, Microsoft Authenticator, or Authy. While these are more secure than SMS, they remain vulnerable to phishing attacks and should be viewed as a transitional measure.
    • Disable SMS as a fallback: Once enrolled in a more secure MFA method, ensure that SMS is disabled as a backup. Many services default to SMS during account recovery, leaving an exploitable weak point that attackers can leverage.
    • Adopt phishing-resistant MFA: FIDO authentication remains the gold standard for account security, offering the highest level of protection against phishing and other forms of MFA bypass.

CISA Mobile Communications Best Practice Guidance
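The guidance above states that FIDO authentication resists the MFA bypass techniques that defeat SMS and authenticator-app codes, but not why. The reason sits in the relying party's verification step, shown here in Go as an added example that is not Authsignal's or CISA's code: the browser writes the origin the user is really connected to into clientDataJSON, and the authenticator signs over that together with a hash of the relying-party ID, so a look-alike site relaying the login page ends up with a signature the real site rejects. The relying-party identity (example.com), the look-alike domain, and the challenge are constructed for the example, and the authenticator side is simulated in-process with a P-256 key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed relying-party identity for this example (an assumption, not a real deployment).
const (
	RPID   = "example.com"
	Origin = "https://example.com"
)

// clientData holds the CollectedClientData fields a relying party checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what navigator.credentials.get() hands back to the relying party.
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte
	Signature      []byte
}

// MakeAssertion stands in for browser + authenticator. The browser records the
// origin it is really connected to; the authenticator signs
// SHA-256(authData || SHA-256(clientDataJSON)) with the credential's private key.
// Neither the user nor a phishing page can change the recorded origin.
func MakeAssertion(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte, signCount uint32) (Assertion, error) {
	cdJSON, err := json.Marshal(clientData{
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin,
	})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append([]byte{}, rpHash[:]...) // rpIdHash, 32 bytes
	authData = append(authData, 0x05)          // flags: UP (bit 0) | UV (bit 2)
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], signCount) // signature counter, big-endian
	authData = append(authData, cnt[:]...)

	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cdJSON, AuthData: authData, Signature: sig}, nil
}

// VerifyAssertion runs the relying-party checks of the WebAuthn authentication
// ceremony. The origin and rpIdHash checks are what make a passkey
// phishing-resistant; a typed OTP has nothing equivalent. On success it returns
// the new signature counter to store against the credential.
func VerifyAssertion(pub *ecdsa.PublicKey, a Assertion, expectedChallenge []byte, storedCount uint32) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return 0, errors.New("wrong ceremony type")
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || !bytes.Equal(got, expectedChallenge) {
		return 0, errors.New("challenge mismatch (replay or wrong session)")
	}
	if cd.Origin != Origin {
		return 0, fmt.Errorf("origin %q is not %q: phishing or relay", cd.Origin, Origin)
	}
	if len(a.AuthData) < 37 {
		return 0, errors.New("authenticatorData too short")
	}
	rpHash := sha256.Sum256([]byte(RPID))
	if !bytes.Equal(a.AuthData[:32], rpHash[:]) {
		return 0, errors.New("rpIdHash mismatch")
	}
	if a.AuthData[32]&0x01 == 0 {
		return 0, errors.New("user presence flag not set")
	}
	// Synced passkeys commonly report 0; when both values are non-zero and the
	// counter did not move forward, treat the credential as possibly cloned.
	count := binary.BigEndian.Uint32(a.AuthData[33:37])
	if count != 0 && storedCount != 0 && count <= storedCount {
		return 0, errors.New("signature counter did not increase")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return 0, errors.New("invalid signature")
	}
	return count, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge := make([]byte, 32) // the RP's single-use challenge for this login
	_, _ = rand.Read(challenge)

	good, _ := MakeAssertion(priv, RPID, Origin, challenge, 1)
	_, err := VerifyAssertion(&priv.PublicKey, good, challenge, 0)
	fmt.Println("real site:", err)

	// Constructed look-alike domain relaying the login page: the same key signs,
	// but the browser recorded the attacker's origin, so the RP rejects it.
	phish, _ := MakeAssertion(priv, RPID, "https://example.com.login-help.test", challenge, 2)
	_, err = VerifyAssertion(&priv.PublicKey, phish, challenge, 0)
	fmt.Println("look-alike site:", err)
}
```

Running it prints `<nil>` for the real site and an origin error for the look-alike. In a real deployment the public key and stored counter come from the credential saved at registration, and the challenge must be deleted from the session as soon as it is consumed so the same assertion cannot be replayed; the example keeps the rpIdHash identical in both cases to isolate the origin check, whereas a real browser on the look-alike domain would not even offer a credential scoped to example.com.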

Enable Your Users to Adopt CISA Mobile Communications Best Practice Guidance with Authsignal

Authsignal helps organizations follow the CISA Mobile Communications Best Practice Guidance by offering drop-in phishing-resistant passkeys, strong MFA fallback methods, and WhatsApp OTP as an encrypted and reliable alternative to SMS.

Integrate passkeys and MFA into any identity stack; Authsignal plugs into IDPs like Azure AD B2C, AWS Cognito, Auth0, Duende IdentityServer, and more.

✅ Use only end-to-end encrypted communications: Authsignal replaces SMS OTP with WhatsApp OTP, delivered over an end-to-end encrypted channel, and with passkeys, which send no code at all.

✅ Enable Fast Identity Online (FIDO) phishing-resistant authentication: Authsignal enables millions of phishing-resistant passkeys, uplifting security.

✅ Migrate away from Short Message Service (SMS)-based MFA: Authsignal helps reduce SMS reliance by 90%, cutting costs and improving security. Learn more.

Consider WhatsApp OTP as A Secure Alternative to SMS OTP

Organizations can benefit from leveraging WhatsApp to send OTPs in scenarios where SMS OTPs are traditionally used, reducing security risk and operational cost while keeping a similar user experience. Be clear about what this fixes: moving the OTP off the carrier network removes the interception risk described above, but a code the user types is still a bearer secret that a phishing page can relay, so WhatsApp OTP belongs in the fallback tier alongside authenticator apps, with passkeys as the primary factor.

  • End-to-End Encryption: Unlike SMS, WhatsApp messages, including OTPs, are end-to-end encrypted, ensuring that only the intended recipient can view them.
  • Cost Savings: Using WhatsApp for OTP delivery can reduce costs significantly compared to traditional SMS charges, especially for international communications.
  • User Familiarity: With over 2 billion monthly active users worldwide, WhatsApp provides a familiar and accessible platform for secure OTP delivery.

Learn more about implementing WhatsApp OTP
