Passwordless authentication seems to be the talk of the cybersecurity world as of late! Going passwordless is a great way to bolster your organization’s cybersecurity posture due to the problems with using passwords and general inefficiencies of other authentication methods. While passwordless authentication is known as the most secure form of authentication out there, is it unphishable?
First things first, it’s important that we clearly define what exactly it means to be unphishable. An unphishable credential is a secure key that attackers – as you might have guessed – cannot phish. This comes down to its design: the private key never leaves the user’s device and never has to be shared to complete a login, so there is nothing for a user to hand over. With unphishable MFA, you can never be tricked into giving up your key. Phishing attacks are possibly the most recognized form of cyberattack in the world, so being able to use an authentication method that simply cannot be phished is a massive boon to the cybersecurity landscape.
Now that we know what it means to be considered unphishable, we need to determine whether or not going passwordless is unphishable. The three methods of passwordless authentication are phone authentication, smartcards, and FIDO2 keys; unfortunately, not all of these methods are unphishable.
Everyone seems to absolutely love their smartphone, but do you know who loves them even more than the rest? Hackers. That’s because phone authentication, although it is passwordless, is not unphishable. Let’s say you’re using your cell phone and you’re bombarded with push notifications that say things like, “Is this you logging in?” You’re not sure what’s going on and you suddenly get a call from someone claiming to be your organization’s IT department, and they tell you that they are running routine maintenance and that you should just click “Yes” on one of the push notifications to make them go away. Thinking that you just spoke to IT, you oblige and click “Yes”. Congratulations, you’ve just been phished. Scenarios like this are, sadly, all too common among users of phone authentication, which is why it is phishable and is considered the least effective form of passwordless authentication.
So, if phone authentication isn’t safe from phishing attacks, what form of passwordless authentication is? For starters, smartcard authentication is. Smartcard authentication is deemed unphishable because it is designed to provide robust, secure authentication tied to the device the user is authenticating with; as a result, the user cannot be tricked into unwittingly revealing their login credentials.
Luckily, if your organization is using FIDO2 keys for passwordless authentication, you can rest easy knowing you are, in fact, using an unphishable credential. FIDO2 keys are considered to be unphishable because, much like with smartcard authentication, they offer strong and secure authentication that is directly linked to the user’s device. How is FIDO2 different from smartcard authentication, then? Put simply, FIDO2 is the newer of the two technologies and needs less supporting infrastructure than smartcards, which simplifies the same kind of device-bound authentication. Check out this blog for a more detailed look at the difference between FIDO2 and smartcard authentication.
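The two paragraphs above say that an unphishable credential never shares its private key and that a FIDO2 key is linked to the user’s device. The Go example below is added here to show what that means at the relying party, and it is not code from this post or from any vendor. It goes one step beyond the text: in WebAuthn the browser, not the web page, writes the origin into the data the key signs, so an assertion collected on a lookalike site fails verification at the real site even when the attacker relays a genuine challenge. The origins, the user name, and the simplified message format are assumptions for illustration; real WebAuthn additionally signs authenticatorData (RP ID hash, signature counter) and hardware keys commonly use ES256 rather than the Ed25519 used here for brevity.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// ClientData carries the two clientDataJSON fields behind WebAuthn's phishing resistance:
// the relying party's challenge and the origin the browser itself recorded (a page cannot overwrite it).
type ClientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the authenticator's reply: the signed client data plus a signature from a
// private key that never leaves the device. (Simplified: real WebAuthn also signs authenticatorData.)
type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// Authenticator is a toy FIDO2 security key (Ed25519 for brevity; hardware keys commonly
// use ES256). Nothing here ever returns the private key; it only emits signatures.
type Authenticator struct{ priv ed25519.PrivateKey }

// Sign models navigator.credentials.get(): the page supplies the challenge, the browser
// supplies the origin, and the key signs over both together.
func (a *Authenticator) Sign(challenge []byte, browserOrigin string) Assertion {
	cd, _ := json.Marshal(ClientData{Challenge: challenge, Origin: browserOrigin})
	digest := sha256.Sum256(cd)
	return Assertion{ClientDataJSON: cd, Signature: ed25519.Sign(a.priv, digest[:])}
}

var (
	ErrChallenge = errors.New("challenge missing, stale or replayed")
	ErrOrigin    = errors.New("origin mismatch: assertion was produced on another site")
	ErrSignature = errors.New("signature does not verify under the registered public key")
)

// RelyingParty stores only public keys and single-use challenges; a breach of this store yields nothing to log in with.
type RelyingParty struct {
	Origin  string
	PubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

// IssueChallenge mints a fresh random challenge and remembers it for exactly one use.
func (rp *RelyingParty) IssueChallenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[user] = c
	return c
}

// Verify accepts an assertion only if the challenge is the one just issued, the origin is
// the relying party's own, and the signature checks under the registered public key.
func (rp *RelyingParty) Verify(user string, asrt Assertion) error {
	pub, known := rp.PubKeys[user]
	want, issued := rp.pending[user]
	delete(rp.pending, user) // consume it, so a replayed assertion fails below
	var cd ClientData
	if err := json.Unmarshal(asrt.ClientDataJSON, &cd); err != nil {
		return err
	}
	if !known || !issued || !bytes.Equal(cd.Challenge, want) {
		return ErrChallenge
	}
	if cd.Origin != rp.Origin {
		return ErrOrigin
	}
	digest := sha256.Sum256(asrt.ClientDataJSON)
	if !ed25519.Verify(pub, digest[:], asrt.Signature) {
		return ErrSignature
	}
	return nil
}

// RunScenarios registers one key, then runs a genuine login and a relayed phishing attempt against it.
func RunScenarios() (legitErr, phishErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	auth := &Authenticator{priv: priv} // the private half stays on the "device"
	rp := &RelyingParty{Origin: "https://login.example.com", // constructed origin
		PubKeys: map[string]ed25519.PublicKey{"alice": pub}, pending: map[string][]byte{}}

	// Genuine login: the browser really is on the relying party's origin.
	legitErr = rp.Verify("alice", auth.Sign(rp.IssueChallenge("alice"), rp.Origin))

	// Phishing relay: a lookalike site obtains a real challenge and forwards it, but the
	// browser stamps the lookalike's origin into the data that gets signed.
	phishErr = rp.Verify("alice", auth.Sign(rp.IssueChallenge("alice"), "https://login-example.com.phish.invalid"))
	return legitErr, phishErr
}
```

Calling RunScenarios() returns nil for the genuine login and ErrOrigin for the relayed attempt: the attacker holds a perfectly valid signature, but it is bound to the wrong origin, and the challenge it was made over has already been consumed, so it cannot be replayed either. Contrast this with the phone push scenario above, where the thing the user approves carries no such binding.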
If you’re still on the fence about whether to go passwordless at your organization, allow us to try to put your mind at ease. The idea of removing passwords altogether is a tough one to wrap your head around – we get it. However, we also get that passwords pose major cybersecurity problems. Did you know that in 2021 alone, hackers leaked over 6 billion credentials online and that over 60 percent of data breaches were a result of stolen credentials? Sadly, those statistics are merely the tip of the iceberg. As it stands right now, passwords are passé. Implementing passwordless authentication is your organization’s best shot at achieving safe, simple authentication. Feel free to schedule a FREE consultation with one of our passwordless experts here to see just how much going passwordless can improve your cybersecurity posture.