The number of phishing attacks has risen sharply; did you know that over 90% of businesses have reported that they have been targeted over the last year? For small businesses, relying solely on employee awareness and email filters isn’t enough. The answer? Unphishable credentials.
Simply put, unphishable credentials (also known as unphishable MFA) are secure keys that attackers, well, can’t phish. They are unable to be phished due to their design – their design enables authentication with the private key never once being shared. There are two types: FIDO2 and Smartcard. Both are designed to ensure safe authentication, but they work slightly differently.
Smartcard authentication is the oldest and most common method of unphishable authentication, and it is based on X509 certificate-based authentication.
Think of this as a digital ID. When someone gets a smartcard, it comes with a special certificate that acts like an ID card. Services can check this ‘ID card’ and trust its authenticity, and when the certificate is expired or revoked, the user will lose access to the system.
FIDO2 authentication is just a simpler version of smartcard authentication. Since many organizations were having trouble setting up a Certificate Authority, the FIDO (Fast Identity Online) Alliance created a system where the cryptographic key is registered with the identity provider losing the easy rotation of smartcards but removing the overhead of managing your own PKI.
Many businesses hesitate to adopt unphishable credentials due to misconceptions from incorrect or outdated information. Here are some common misconceptions regarding unphishable credentials and the truth behind them:
At first, the sign-in experience might seem different; however, once users get the hang of it, unphishable credentials have been found to be a whopping 4 times faster than traditional methods for logging in. Instead of juggling passwords and other devices, users simply connect their token and enter a PIN. The days of remembering long, complex passwords are finally gone.
There’s an upfront cost for hardware keys (around $40 each) and a monthly fee for managing them (around $2-4/user). But consider this: businesses often lose more money dealing with password resets and time spent talking to helpdesks. In the long run, unphishable credentials can save your small business a lot of money.
This is perhaps the biggest myth in all of cybersecurity. Not all security methods are created equal, but every MFA method is prone to phishing attacks – except for unphishable credentials. Unphishable credentials offer superior protection against various attacks that other methods can’t stop.
A study found that going passwordless can reduce account takeover by 99% and now with modern tools, you can be up and running in days (we have had small businesses be up and running 3 days after scheduling their assessment call). So, what are you waiting for? Schedule a free identity assessment with our identity experts today!
