What is ENISA saying about PUSH and OTP authentication?

European businesses are increasingly at risk because of the adoption of hybrid workforces and rapid digital transformation. Preventive security measures, such as multi-factor authentication that is resistant to phishing, are essential in light of the increasing severity and cost of cyberattacks.

Numerous guidelines have been made available by the European Union Agency for Cybersecurity (ENISA) to assist national infrastructure businesses in coordinating their efforts to comply with the Network and Information Systems (NIS) Security Directive. The most recent, "Boosting Your Organization's Cyber Resilience," was released in collaboration with CERT-EU and offers top tips for boosting cyber resilience for all European organizations and agencies.

An overview of the ENISA guidelines

The most notable clauses in the guidelines are those requiring multi-factor authentication (MFA) to protect all remotely accessible services. Organizations should not use voice calls and SMS as authentication methods by organizations, and they should think about "deploying phishing resistant tokens such as smart cards and FIDO2 (Fast IDentity Online) security keys" instead.

Multi-factor authentication should be used anytime an application supports it. "These include, but are not limited to, email access, company portals with external facing content, and VPN services." Finally, enterprises should ensure that users don't reuse passwords, and if an application allows multi-factor authentication (MFA), encourage them to do so (on social media, for instance).

The case for phishing-resistant MFA

Even though MFA typically guards against unwanted account access, not all multi-factor authentication techniques can defend against complex attacks. ENISA’s guidelines reflect those of the US National Institute of Science and Technology (NIST), which has recently briefed on the security of the various MFA methods.

Even though MFA is much more secure than any single factor user identity or memorized secret, MFA using (unencrypted) SMS/PSTN is considered vulnerable to attacks. Security professionals believe that SMS authentication is susceptible to SIM switching attacks and network interception. Studies have demonstrated that intercepting or redirecting SMS messages is becoming increasingly effective and doesn't cost or take much time. NIST SP 800-63-3 cites these vulnerabilities and has restricted the use of SMS/PSTN.

In addition, all MFA processes using shared secrets are vulnerable to phishing attacks. “Shared secrets don’t stay secret: Any MFA based on shared secrets can be phished,” notes NIST. Shared secret authenticators include memorized secrets, look-up secrets, out-of-band authentication (SMS/PSTN) including push notifications, one time passwords (OTP). However, it must be stressed that even though OTP is not phishing-resistant, it still offers higher security than SMS/PSTN authentication.

Optimize your MFA to meet your business needs

Due to its enhanced security, ENISA advises using phishing-resistant authentication. However, ENISA limited this suggestion by stating that more secure authentication should be employed "where possible." FIDO2 security keys or PKI smart cards are the two phishing-resistant tools currently that are readily accessible. However, organizations may be unable to deploy them for all use cases because of operational limits or practical issues with hardware management and provisioning.

IT complexity and various user demographics cannot be handled by a single kind of authentication. FIDO authentication is not supported by all applications, for instance. Therefore, to ensure secure access, alternative authentication techniques would be required. Some settings, like manufacturing floors or laboratories, don't allow mobile devices. In these situations, users would need to log in using an authentication technique that doesn't rely on mobile devices.

Many businesses have already adopted OTP hardware or OTP Push authentication. The idea of tearing out current implementations and replacing them can be intimidating for many businesses. PUSH OTP can be provided as an additional MFA technique for specific apps and users, even though it is not phishing-resistant. This depends on the user profile, the context, and the sensitivity of the data.

Additionally, there are ways to strengthen security using PUSH OTP or phone-based authenticator apps by combining PUSH OTP with conditional and contextual authentication, PUSH OTP with device-native biometrics, or by ensuring the integrity of the authentication through risk monitoring, end-point security, and anomaly detection.

How Thales can help you

Access security and multi-factor authentication are becoming increasingly important to lower the risk of data breaches and unauthorized access to sensitive resources, as shown by the ENISA publication. Thales SafeNet Trusted Access, which provides integrated access management and a wide variety of multi-factor, adaptive, and contextual identity validation methods, can help organizations comply with the guidelines requiring them to implement phishing-resistant multi-factor authentication mechanisms in order to achieve zero trust security.

Download our solution brief to learn how Thales access management and MFA solutions can help you meet the ENISA guidelines.