With the tech world still reeling from the FBI and CISA revelations around Salt Typhoon’s infiltration of U.S. telecommunications networks, and from the resulting warning to stop sending texts, CISA, the U.S. federal cyber defense agency, has followed up with deeper guidance for U.S. officials. As ever with CISA, it should be adopted more widely.

Unsurprisingly, the advice leads with a mandate to “use only end-to-end encrypted communications… such as Signal or similar apps.” Users are urged to use apps that are “compatible with both iPhone and Android operating systems, allowing for text message interoperability across platform.” That rules out Google Messages and iMessage for cross-platform use: each encrypts end-to-end only between its own users, and an iPhone-to-Android thread falls back to SMS or RCS without end-to-end encryption.

2FA/MFA is non-negotiable as well, and CISA specifies “FIDO phishing-resistant authentication.” What makes FIDO phishing-resistant is the protocol rather than the hardware alone: the credential is scoped to the genuine site’s identity and proves possession by signing a fresh challenge together with the origin the browser actually displayed, so a lookalike site can neither obtain a usable response nor replay one. “Where feasible, hardware-based FIDO security keys, such as Yubico or Google Titan, are the most effective; however, FIDO passkeys are an acceptable alternative.”

SMS, by contrast, is ruled out entirely, even for one-time passcodes. “Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals.” CISA notes that some platforms use SMS during sign-up, which is acceptable, but ongoing access must use a different form of 2FA/MFA.
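To make that contrast concrete, here is an added example in Go (not from the CISA guidance or from this article) that models WebAuthn in miniature: a toy security key holds one key pair per relying-party ID, the browser derives that ID from the page origin and records the origin in the client data, and the site checks challenge, origin and signature. The site name bank.example, the lookalike host bank-example.com and the challenge strings are constructed for the demonstration, and Ed25519 from the standard library stands in for the key’s signing algorithm. An SMS code has none of these bindings: whoever reads it off the carrier network can submit it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// clientData mirrors WebAuthn's CollectedClientData. The browser, not the page,
// fills in the origin it is actually showing the user.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// authenticator is a toy security key: one Ed25519 key pair per relying-party ID.
type authenticator struct{ keys map[string]ed25519.PrivateKey }

// register mints a credential scoped to rpID; the site stores the public key.
func (a *authenticator) register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = priv
	return pub
}

// signedMessage is what the key signs: hash(rpID) || hash(clientDataJSON), which
// binds the signature to the site identity, the origin and the challenge at once.
func signedMessage(rpID string, cdJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	return append(rpHash[:], cdHash[:]...)
}

func (a *authenticator) sign(rpID string, cd clientData) (assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return assertion{}, fmt.Errorf("no credential registered for rpId %q", rpID)
	}
	cdJSON, _ := json.Marshal(cd)
	return assertion{cdJSON, ed25519.Sign(priv, signedMessage(rpID, cdJSON))}, nil
}

// browserGet models navigator.credentials.get(): the browser derives rpId from the
// page's own origin, so a lookalike host can never ask for the real site's credential.
func browserGet(a *authenticator, pageOrigin, challenge string) (assertion, error) {
	u, err := url.Parse(pageOrigin)
	if err != nil {
		return assertion{}, err
	}
	return a.sign(u.Hostname(), clientData{"webauthn.get", challenge, pageOrigin})
}

// relyingParty is the genuine site; it checks challenge, origin and signature in turn.
type relyingParty struct {
	rpID, origin, challenge string
	pub                     ed25519.PublicKey
}

func (rp *relyingParty) verify(as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != rp.challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin %q is not %q: assertion was minted on another page", cd.Origin, rp.origin)
	}
	if !ed25519.Verify(rp.pub, signedMessage(rp.rpID, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// setup builds the constructed scenario: a key enrolled at the hypothetical bank.example.
func setup() (*authenticator, *relyingParty) {
	a := &authenticator{keys: map[string]ed25519.PrivateKey{}}
	rp := &relyingParty{rpID: "bank.example", origin: "https://bank.example", challenge: "nonce-1"}
	rp.pub = a.register(rp.rpID)
	return a, rp
}

// GenuineLogin: the user signs in on the real site; every check passes.
func GenuineLogin() error {
	a, rp := setup()
	as, err := browserGet(a, rp.origin, rp.challenge)
	if err != nil {
		return err
	}
	return rp.verify(as)
}

// PhishedLogin: a lookalike page relays the real challenge, but the key holds no
// credential for that rpId, so the attacker gets nothing to forward.
func PhishedLogin() error {
	a, rp := setup()
	_, err := browserGet(a, "https://bank-example.com", rp.challenge)
	return err
}

// ForgedOriginAssertion: even if rpId scoping were somehow bypassed, the origin the
// browser wrote into the client data still fails the site's check.
func ForgedOriginAssertion() error {
	a, rp := setup()
	as, _ := a.sign(rp.rpID, clientData{"webauthn.get", rp.challenge, "https://bank-example.com"})
	return rp.verify(as)
}

// ReplayedAssertion: a captured assertion is useless once a new challenge is issued.
func ReplayedAssertion() error {
	a, rp := setup()
	as, _ := browserGet(a, rp.origin, rp.challenge)
	rp.challenge = "nonce-2"
	return rp.verify(as)
}

func main() {
	fmt.Println("genuine:", GenuineLogin())
	fmt.Println("phished:", PhishedLogin())
	fmt.Println("forged origin:", ForgedOriginAssertion())
	fmt.Println("replayed:", ReplayedAssertion())
}
```

Only the first scenario returns nil. The other three fail at three different layers, which is the point: an intercepted SMS code would sail through an equivalent check because a six-digit string carries no site, origin or challenge binding for anything to verify.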

Other advice includes locking phones, SIMs and carrier accounts (including services such as voicemail) with a PIN wherever one is available. Of the carrier account PIN in particular: “This PIN is required for logging into your account or completing sensitive operations, such as porting your phone number—a critical step in countering SIM-swapping techniques.”

The Android- and iPhone-specific advice is more targeted. Beyond installing OS updates as soon as they are released, CISA advises senior officials to enable iPhone’s Lockdown Mode and iCloud Private Relay. For Android there are more recommendations still: Safe Browsing, choosing OEMs and models with a strong security track record and long-term security update commitments, keeping Play Protect on, and carefully reviewing the permissions granted to installed apps.

SMS has long been decried as an insecure form of 2FA/MFA, albeit better than nothing. The accelerating rollout of passkeys, as seen in Microsoft’s latest push to do away with passwords altogether, should go a long way toward retiring it. Meanwhile, using an authenticator app on your device is getting ever easier, and Apple’s new Passwords app has built advanced password management into the OS itself.
