The ever-accelerating frequency of phishing attacks is astonishing. It seems like almost every day another company falls victim to bad actors stealing credentials. The most recent statistics highlight that over 80% of businesses have encountered SUCCESSFUL phishing attacks in the past year. Holy guacamole, that’s nuts! For quite a long time, smaller and medium-sized businesses didn’t think they needed to fortify their respective security postures because they thought they weren’t at risk. The logic was, “Well, we’re a small business, who the heck would want our data?” …turns out that there are way more bad guys than there used to be, and they don’t discriminate based on the size of your business. Data is data, and they want it all to hold for ransom.
Businesses of all shapes and sizes have relied heavily over the past decade or so on e-mail filters and educating their employees about phishing as their main deterrents. While well intentioned, it’s almost altogether useless. Think about it this way… what’s the last employee training session you actually paid attention to? Simply put, the reliance on traditional employee vigilance and email filtering systems is proving to be insufficient against modern, sophisticated phishing schemes.
So where do we go from here? Glad you asked! The answer lies in the implementation of phishing-resistant Multi-Factor Authentication (MFA). Let’s dive in…
Alright, let’s get into it. What is phishing-resistant MFA? Simply stated, it’s authentication mechanisms that are designed to be immune to phishing attempts. Unlike traditional credentials that can be intercepted or stolen (passwords), phishing-resistant credentials ensure that the private key required for authentication is never exposed or transmitted. Phishing-resistant MFA keeps you safe from bad actors’ attempts to compromise or subvert the authentication process, commonly achieved through spear phishing, brute force attacks, man-in-the-middle attacks, replay attacks, and credential stuffing. Phishing resistance within an authentication mechanism is achieved by not only requiring that each party provide proof of their identity but also intent through deliberate action. Passwords, SMS and other One-Time Passwords (OTP), security questions, and even push notifications, contrary to popular belief, are not considered phishing resistant mechanisms as they are all susceptible to some or all of the attacks previously listed.
Now that we’re on the same page about the definition of phishing-resistant MFA, let’s take a look at the options available to you today. Two prominent examples of such systems are FIDO2 hardware keys and Smartcards, each offering robust authentication methods to safeguard against illicit access.
Smartcard authentication is the earliest and most widely trusted form of unphishable verification. It relies on the X.509 certificate-based authentication framework. Think of it as a “digital passport.” Upon receiving a smartcard, it is embedded with a unique certificate that functions similarly to a physical identity card. This digital counterpart enables services to verify an individual’s credentials with confidence. Just like a passport, this digital certificate comes with an expiration date. If the certificate is either expired or revoked, the user’s access privileges to the system are automatically rescinded, ensuring continuous security and integrity.
To address the intricate process of establishing a Certificate Authority, the FIDO Alliance introduced the FIDO2 framework. This innovative approach streamlines authentication by directly registering a cryptographic key with the identity provider. This eliminates the complex upkeep commonly linked to conventional Public Key Infrastructure (PKI), yet it upholds stringent security protocols. With FIDO2, users enjoy a more seamless verification experience without compromising the robust defense against unauthorized access.
A lot of businesses remain skeptical about adopting phishing-resistant MFA due to misconceptions and outdated information. For example, a quick look at this reddit thread is a great example of how many so-called “cybersecurity experts” don’t know diddly-squat about the subject, but sure do love to share their opinions. …don’t let this deter you!
Let’s debunk a few of these myths:
Contrary to this belief, once users are familiar with the process, phishing-resistant credentials are found to be up to four times quicker for logging in compared to traditional methods. This hassle-free process bypasses the need for multiple passwords, instead requiring a simple connection of the token and a PIN. Speaking from personal experience with hardware keys, once you get the hang of it, you’ll love it.
What’s more costly? A ~$50 hardware key for employees, or having your organization’s data stolen? The initial investment in hardware keys and their monthly management may seem like a deterrent, but the long-term savings on password reset procedures and reduced helpdesk interactions will be significant. Once you have an understanding of the ROI of going passwordless; you’ll see right through this myth.
This is a critical misunderstanding. While all MFA methods enhance security, not all are unphishable. Phishing-resistant credentials are unique in their ability to provide superior defense against a wide array of attacks that other methods can’t thwart.
If you’ve made it this far, you’re most likely wondering, “How do I get started? What does implementation look like?” I’m glad you asked! First, you’re going to want to consider the entire process of going passwordless, not just which method you’ll employ. Even top-notch security is ineffective if end-users find it cumbersome and IT struggles to implement it.
You’re going to want to do your research to make sure you have a thorough understanding of the task at hand. In the spirit of being helpful, here are some links to reputable resources you may find useful…
1) Phishing-Resistant MFA 101 from AT&T. Similar to an entry-level course, this will give you a high level understanding of what you need to know. Very useful for understanding the definitions of key terms associated with the topic.
2) CISA’s guide to phishing resistant MFA implementation is incredibly insightful and has a couple of great sections around key considerations prior to implementation and common issues you may encounter during the path forward. Must read. Thank you, Uncle Sam!
3) Yubico’s article about Phishing-Resistant MFA. Excellent information from the undisputed industry leaders in Unphishable MFA. …lot of great images for the visually inclined to help you better understand the process. …also our good friends and partners!
Studies indicate that adopting a passwordless system can decrease account takeovers by 99%. With the latest technological tools, businesses can transition to phishing-resistant MFA swiftly—in some cases, within just three days post-initial assessment. Don’t believe me? Check out the video below to see how easy getting started really is. Don’t delay in fortifying your business against phishing threats. Reach out for a complimentary identity assessment from our team of experts today.
