Contact Us

Phishing Resistant MFA with YubiKey

Why use YubiKeys for phishing-resistant MFA with FIDO2 and SmartCard
25 Nov 2024

Unphishable MFA is the Way of the Future

The YubiKey 5 Series is arguably the most sophisticated tool for the everyday person when it comes to employing phishing-resistant MFA either personally or across an entire organization. While MFA can be a strong first-line of defense, not all forms of multi-factor authentication (MFA) are created equal. Legacy authentication such as usernames and passwords can be easily hacked, and mobile-based authentication such as SMS, OTP codes, and push notifications are highly susceptible to modern phishing attacks, malware, SIM swaps, and man-in-the-middle (MiTM) attacks.



While mobile authentication is relatively popular, there are also almost always edge cases of employees that can’t, don’t, or won’t use it. Not only can there be low cell coverage in certain geographic areas, employees also may not want to use personal devices for work, or don’t want to allow admin access to their devices. There may also be restrictions or compliance requirements, and some employees may not be able to even use a smartphone. Additionally, phone authentication isn’t phishing resistant, and If the fall-back option is usernames and passwords, this makes the organization even more vulnerable to phishing and account takeovers.



It’s for this reason that going passwordless and using a YubiKey as part of your unphishable MFA is one of the best ways to ensure your data stays safe. Let’s take a look at exactly how the YubiKey is the ideal method to employ when leveraging MFA.



What is Phishing-Resistant MFA?

Phishing-resistant MFA processes rely on cryptographic verification between devices or between the device and a domain, making them immune to attempts to compromise or subvert the authentication process. According to the NIST Special Publication (SP) 800-63 and Draft 800-63-4, two forms of authentication currently meet the mark for phishing-resistant MFA: PIV/Smart Card and the modern FIDO2/WebAuthn authentication standard. While both are certainly excellent ways to employ phishing-resistant authentication, you don’t have to choose only one of them, the YubkiKey with FIDO2 + SmartCard is definitely the best way to go passwordless. The reason for this is because YubiKeys can function just like smartcards and FIDO2 Keys, allowing you to choose the best credential for the job.



Why Use YubiKeys for Phishing-Resistant MFA?

One of the best thing about using Yubikeys is that they adapt to your Identity provider, meaning that you can keep using Entra ID for the authentication, no need to move your users to a YubiKey cloud or something else, it just becomes the credential your users use. YubiKeys also don’t require batteries, have no breakable screens, don’t need a cellular connection, and are water-resistant and crush-resistant (really try to break one, I bet you wont be able to). With the YubiKey, organizations of all sizes can protect employees against modern cyber threats while driving high productivity, offering ease of use, and minimizing costs related to help desk password resets. YubiKeys are purpose-built for security and support device-bound passkeys, ensuring compliance to Authenticator Assurance Level 3 (AAL3) standards.

How to Use YubiKeys for Phishing-Resistant MFA

Choosing to employ the YubiKey is a great step on the journey towards true zero trust authentication. Naturally, you’re thinking to yourself, “Alright, so how the heck to I get this scaled across my organization?” Glad you asked. We’ve built the ideal YubiKey onboarding tool, EZCMS designed specifically for you to address everything when it comes to getting up-and-running with your YubiKey. From selecting your keys, to shipping them around the globe, EZCMS is your one-stop-shop for all things YubiKey. As a trusted Works with Yubico Partner, we’ll take care of all the details for you. For organizations looking to embark on the journey towards zero trust, the Keytos security team stands ready to guide you through every step of the process. Whether you prefer a direct conversation to tailor a passwordless strategy that best fits your needs or choose to explore at your own pace through our extensive passwordless documentation we are here to support you. Our YouTube channel is rich with tutorials and step-by-step guides, meticulously designed to provide you with the knowledge and tools necessary for a seamless transition. We invite you to reach out at your convenience to discuss how we can help secure your operations against the cyber threats of tomorrow by leveraging YubiKeys.

You Might Also Want to Read