Let’s cut right to the chase – if you want your organization’s cybersecurity posture to rival that of any organization in the world, phishing-resistant MFA is the way to go. Why? With unphishable MFA, there are no passwords for hackers to steal! We wrote a whole blog on all of the problems with passwords if you want to check it out, but the most important problem is this – passwords are easily stolen! No matter what steps you take to make a password “strong,” there are always hackers who can take it from you.
That’s where phishing-resistant MFA (or, unphishable MFA) steps in. With phishing-resistant MFA, you don’t use a password to log in; rather, you use something you have (e.g., your phone, a YubiKey) and something you know/are (e.g., a PIN, your fingerprint, your face). No password necessary! There isn’t a hacker on Earth who can steal your information this way – we’ll just have to hope the alien hackers haven’t figured out a way yet, though.
Two of the most interesting technologies pushing phishing-resistant MFA are Entra CBA and FIDO2. Let’s learn more, shall we?
Entra CBA (Certificate-Based Authentication), formerly known as Azure CBA, is essentially just Microsoft’s reaction to smartcard authentication being considered too challenging. Entra CBA allows users to login via client certificates – Entra AD (Active Directory) sends a token to your device that your device then uses to authenticate you. What all this does is it eliminates the complex, convoluted setup involving ADFS servers, MIM CM, Microsoft CAs, HSMs, CRLs, and domain controllers…just to name a few.
Much like Entra CBA, FIDO2 is a direct response to the difficulty of setting up smartcard authentication. FIDO2 allows users to login without needing a password! Instead, users can utilize biometrics, mobile devices, or their FIDO2 security key. Though we may be a tad biased as a FIDO Alliance member, this is a great way to curtail phishing attempts from those nasty bad guys.
That’s right – not only is unphishable MFA miles more secure than password-based MFA, but it is also up to 4x faster than using passwords! That’s because you and your users never need to triple-check that you typed out that pesky “special character” or wait around for a push notification with a one-time-use access code again. All you need to use is your fingerprint, face, or hardware key. As it turns out, removing ways for hackers to phish you eliminates a lot of wasted time! Talk about a win-win!
Did you know that you could finish watching grass grow and paint dry in the amount of time that your IT helpdesk spends on password resets each year? While that might not be scientifically accurate, the point still stands – IT helpdesks spend way too much time on password resets. It’s not just time that’s being lost – did you know that each password reset costs you $70? That’s like buying a brand-new video game for your niece or nephew every single time one of your employees needs to reset their password.
The solution? Use a self-service onboarding tool instead! Self-service onboarding tools like EZCMS allow your users to quickly and painlessly validate their identity and make their phishing-resistant tokens in mere minutes, all without ever needing to bug your helpdesk!
We’re glad you asked! If you’re considering implementing unphishable MFA within your organization, check out the EZCMS homepage for more information on how our solution can help alleviate the pains of deployment and onboarding. If conversations are more your style, feel free to schedule a FREE consultation with one of our identity experts to see how Keytos can help your organization.