CISA Endorses FIDO Passkeys: Protecting Against Telecommunication Network Interception.

The U.S. government's investigation into targeted attacks on telecommunications infrastructure has uncovered a significant cyber espionage campaign.

As a result, the CISA has released Mobile Communications Best Practice Guidance for high-risk individuals to help secure communications and accounts.

Joint Statement by FBI and CISA

‍

CISA strongly urges individuals to review and apply the best practices

Highly targeted individuals should assume that all communications between mobile devices—including government and personal devices—and internet services are at risk of interception or manipulation. To mitigate these risks, CISA recommends the following measures:

• Use only end-to-end encrypted communications: Secure messaging apps such as Signal and similar apps (e.g., WhatsApp) to ensure that only the intended recipients can access the communication.‍
• Enable Fast Identity Online (FIDO) phishing-resistant authentication: FIDO authentication employs the strongest form of multi-factor authentication (MFA) and is highly effective against MFA bypass techniques. Hardware-based FIDO security keys, such as Yubico or Google Titan, are the most effective option where feasible. However, FIDO passkeys are a good alternative for environments where hardware keys are impractical.
  • Take inventory of valuable accounts, including email and social media, to identify those where information leakage could benefit threat actors.
  • Enroll each account in FIDO-based authentication, prioritizing critical services like Microsoft, Apple, and Google accounts.
  • Once enrolled in FIDO-based authentication, disable other, less secure forms of MFA to minimize attack surfaces.‍
• ‍Migrate away from Short Message Service (SMS)-based MFA: SMS-based authentication is inherently vulnerable to interception and manipulation and should be replaced with more secure alternatives.
  • Do not use SMS as a second factor for authentication: SMS messages are not encrypted, making them susceptible to interception by threat actors with access to a telecommunication provider's network. This method also lacks phishing resistance, making it unsuitable for accounts belonging to highly targeted individuals.
  • Use authenticator apps for less critical accounts: For accounts that are less valuable, consider using authenticator applications such as Google Authenticator, Microsoft Authenticator, or Authy. While these are more secure than SMS, they remain vulnerable to phishing attacks and should be viewed as a transitional measure.
  • Disable SMS as a fallback: Once enrolled in a more secure MFA method, ensure that SMS is disabled as a backup. Many services default to SMS during account recovery, leaving an exploitable weak point that attackers can leverage.
  • Adopt phishing-resistant MFA: FIDO authentication remains the gold standard for account security, offering the highest level of protection against phishing and other forms of MFA bypass.

CISA Mobile Communications Best Practice Guidance