Contact Us

Phishing Resistant Credentials – The Modern Security Blanket

Phishing Resistant MFA – Secure Authentication for Businesses in Entra ID and Microsoft 365
06 Feb 2024

Phishing Resistant MFA

Let’s explore how implementing phishing-resistant MFA for today’s modern workforce isn’t something that should wait and is an absolutely crucial move for any Security Engineer that takes IAM seriously. ..let’s start with a little (hypothetical) story…

Picture this: An employee at your company gets a seemingly routine call from an off-site IT specialist about a backend issue. The ‘fix’ involves updating their password via a provided link. It seems straightforward enough, but this simple act might just be a phishing scam in disguise, cleverly engineered to bypass traditional security measures. More and more hackers are using this relatively unsophisticated method to steal your organization’s credentials.

This isn’t a hypothetical situation but a real threat in today’s digital landscape. …remember the MGM breach? Cybersecurity isn’t just about protecting data; it’s about safeguarding your company’s integrity and trust. Data breaches are not just costly in terms of financial loss – which, according to IBM’s Cost of a Data Breach Report, averaged $4.24 million per incident in 2023 – but also in terms of reputational damage.

Traditional multi-factor authentication (MFA) is a step in the right direction but not foolproof. It’s vulnerable to sophisticated “MFA bypass” attacks, where attackers can procure usernames, passwords, and even MFA codes. These attacks are not mere theoretical risks but have been recorded in real-world incidents, even against organizations with robust security teams. Don’t believe us? Take a look back at some of the year’s biggest hacks of 2023.

This is where “phishing-resistant” MFA technologies, such as smartcards and FIDO2 security keys, come into play. Unlike regular MFA, these methods provide a physical barrier to phishing attacks. They work by creating a unique cryptographic handshake between the key and the service, rendering stolen credentials useless without the physical key. The adoption of these technologies is more than a security measure; it’s a necessity in an era where cyber threats are increasingly sophisticated.

Go Passwordless – A Call to Action

For CEOs and IT executives, the message is clear: Equip every employee with security keys. If you haven’t yet heard of them, or perhaps haven’t had time to investigate this technology, security keys are small external devices that either connect to your computer or phone through a port, a biometric or via Bluetooth to enable secure logins. Since only the key owner has physical access to their device, phishing scams don’t work, and even weak passwords have an extra layer of protection. Post-breach analysis often shows a spike in the adoption of these keys. The question arises – why wait for a breach? Proactive measures not only save costs but also reinforce your company’s commitment to security. Better safe than sorry, right?

Pro-tip for SaaS providers: Many of your customers were convinced to move their data to the cloud because they thought it would be more secure. They now expect you to take all the necessary precautions to keep their data safe. In other words, their security has now become your business –and your reputation. Cloud providers should go beyond making security keys available to staff and make it a company-wide policy mandate. Those little keys could be the difference between a failed attack and one that exposes your customers’ data.

However, implementing phishing resistant MFA organization-wide isn’t without challenges. Common roadblocks include resistance to change and a lack of understanding about technology. At Keytos, we provide comprehensive phishing-resistant implementation guides, videos, webinars like the one below, and documentation designed to address these issues. It’s our goal to provide a roadmap for smooth integration into your existing security framework.

In an era where even well-trained employees can fall prey to sophisticated cyberattacks, traditional training and security measures are insufficient. Security keys offer a tangible, effective solution, turning a potential breach into a failed attempt. Their adoption isn’t just about upgrading technology; it’s about evolving your security mindset and practices. For further insights and data, I recommend exploring resources from the FIDO Alliance and CISA’s initiatives, including the informative “More than a Password” program and Director Jen Easterly’s insights on FIDO Authentication. These resources offer valuable information on the latest in cybersecurity trends and prevention strategies.

How to Get Started with Phishing Resistant Credentials?

Certificate-based authentication is the best way to meet executive order 14028 and protect your organization by using passwordless unphishable credentials. CBA relies on X.509 certificates. These certificates must be provided by a recognized Certificate Authority (CA) . …fun fact, EZCA by Keytos is on the list! You may be thinking, “Hey! Why do I need a 3rd party PKI tools for this?” Well, Unfortunately (and in typical Microsoft fashion), Microsoft does not offer a built-in, native CA. Look at our ultimate guide on how to go passwordless to learn more about how you can turn this into a DIY project using our proprietary technology!

Talk to the Unphishable Experts

Still not really sure you’re ready to tackle this project? No worries! Use this link to schedule some time to speak with our Identity experts at your convenience. The team at Keytos prides itself on making passwordless authentication achievable for anyone! We’re certain a quick chat with the team will help put you at ease when it comes to taking the next step in your organization’s path towards zero trust! In the meantime, have a look at some of our recommended reading to learn more about creating unphishable credentials for your organization.

You Might Also Want to Read