

Phishing-resistant MFA explained

Multi-factor authentication is a popular cybersecurity practice that requires users to provide a few pieces of identifying information to log into their digital accounts. However, as hackers become more sophisticated, traditional MFA isn’t always enough to keep them at bay. Phishing-resistant MFA provides a more advanced alternative, using authentication credentials that are more difficult for hackers to access and replicate.

Feb 4, 2025

9 min read

What is phishing-resistant MFA? Methods and examples

What is phishing-resistant MFA?

Phishing-resistant multi-factor authentication (MFA) is an advanced cybersecurity practice that keeps intruders out of digital accounts. Like traditional MFA, it requires users to present multiple credentials to access their accounts. However, instead of relying on mechanisms like passwords and one-time codes, phishing-resistant MFA uses credentials such as cryptographic passkeys and biometric authentication, which prove possession of a key rather than revealing a secret that can be copied.

Cybercriminals often use phishing, brute force attacks, and man-in-the-middle attacks to capture traditional MFA credentials and compromise secure accounts. Phishing-resistant MFA credentials are nearly impossible for hackers to obtain with these strategies, making them far more secure.

What components are needed to make phishing-resistant MFA work?

Phishing-resistant MFA is more complex than its traditional counterparts. Several key components are necessary for these systems to resist modern credential-theft attacks.

Cryptographic identity verification

All phishing-resistant MFA methods involve some form of cryptography to protect user access credentials. Cryptographic systems scramble this information so it is unreadable to outside parties and can only be used with the correct key. Instead of using a traditional username and password, phishing-resistant MFA systems often require a cryptographic passkey to access the account: the user proves they hold the private key, and the private key itself is never sent.

Clear user intent

The user must complete a specific action, such as touching a security key or presenting a biometric, to approve each login to a phishing-resistant MFA system. Requiring explicit user intent prevents hackers from getting in by overwhelming the user with authentication requests (so-called MFA fatigue or push bombing).

Lack of shared secrets

One of the biggest security vulnerabilities associated with traditional MFA is shared secrets. For example, when you log into an account using traditional MFA, you will often be sent an email or text message with a one-time authentication code. That code is a "shared secret": both the user and the system know it, so anyone who learns it can use it.

While this adds an extra layer of verification beyond a traditional username and password, hackers can still obtain these one-time codes with the right tools, for instance by tricking the user into typing the code into a fake login page. To prevent this, phishing-resistant MFA uses passwordless systems that do not rely on shared secrets. Many organizations do this using the WebAuthn API, a web standard that lets servers and browsers perform passwordless authentication with key pairs instead of codes.

Non-interceptable factors

Phishing-resistant MFA uses identifying factors that are secure and cannot be captured in transit over the internet. This is often done with digital certificates and signed challenges that are bound to the legitimate site, so a captured response is useless elsewhere.

Many government agencies and highly regulated financial institutions use phishing-resistant MFA to manage office access. In these instances, employees confirm their identity with physical security keys or biometric identification before accessing secure areas. 

Phishing-resistant MFA techniques

As phishing-resistant MFA has become more essential, different techniques have emerged. Each technique uses secure authentication methods to verify and confirm a user’s identity before providing access to sensitive data. 

FIDO2

FIDO2 (Fast IDentity Online 2) is one of the most widely used standards for phishing-resistant MFA across various systems. In digital systems, it is used together with the WebAuthn API to provide passwordless authentication for users.

With WebAuthn, the user's authenticator generates a cryptographic key pair: the private key stays on the user's device, and only the public key is registered with the service. When that user logs into a cloud-based service, the service sends a challenge, the device signs it with the private key, and the service checks the signature against the stored public key to confirm the user's identity.

With a WebAuthn-capable browser and device, users can log into various secure cloud-based applications without passwords and other forms of identity verification that are vulnerable to phishing. WebAuthn can also be configured to work with other identity verification factors, such as biometrics or a secure PIN.

FIDO2 can also verify identity using external authenticators with the CTAP2 protocol. This protocol allows your device or browser to interact with an external device. For example, some phishing-resistant MFA systems require users to verify their identity through a small USB or other physical device containing the authentication key.

PKI systems

Public key infrastructure, or PKI, is another established technology often used as part of phishing-resistant MFA systems. 

PKI systems use cryptography to encrypt data, preventing malicious third parties from reading it if intercepted. The system matches public and private keys to authenticate users, which ensures that only holders of a trusted private key can access the system. This feature works well for phishing-resistant MFA because the system verifies the key pair rather than requiring access codes that can be intercepted.

PKI technology is already used extensively to authenticate financial transactions online. Some platforms also use PKI technology to encrypt sensitive documents. 

On top of that, PKI technology can be built into physical tools like personal identity verification cards. Organizations with sensitive data often require employees to use these smart cards for building access, secure network connections, or digitally signing documents. These cards can contain cryptographic key pairs and are often used in combination with biometric factors for extra security. 

Certificate-based authentication

Certificate-based authentication is similar to PKI technology in using cryptography to verify user identities. In fact, it is one of the ways PKI is used.

With this system, users are given a digital certificate that contains their public key and is signed by a trusted certificate authority, so the server can verify their identity without usernames and passwords. Once a certificate has been issued to a device, the authentication process can happen automatically, which makes this method very user-friendly.

Examples of phishing-resistant MFA

Many organizations and software programs have already begun implementing phishing-resistant MFA. Here are some examples of phishing-resistant MFA used in professional settings. 

Windows Hello for Business

Microsoft has launched several technologies that use phishing-resistant MFA for extra security. One of the most popular options is Windows Hello for Business. 

With this program, a public and private key pair is created for each device. Users then sign in to the device with a secure PIN or biometric authentication, such as a fingerprint or facial scan. Businesses can use this technology to control access to each company device. 

Titan Security Key

Google’s Titan Security Key is an access management product available for both individuals and businesses. This is a small, physical key that looks similar to a USB drive. 

The key provides phishing-resistant identity verification with firmware backed by Google that adheres to FIDO standards. It uses cryptographic key pairs to verify your identity and is compatible with a wide range of apps and cloud-based programs. Users plug the key directly into their device (or tap it, on NFC-capable models) to use it.

YubiKey

YubiKey is a hardware security key that offers phishing-resistant identity verification and is very similar to the Titan Security Key. When plugged into a compatible device and touched by the user, it verifies the user's identity for compatible apps. YubiKey can be deployed in businesses of all sizes, and it also works for personal use.

Benefits of phishing-resistant MFA

Phishing-resistant MFA has many security benefits for organizations that work with sensitive data, as well as their employees, partners, and clients because it:

  • Helps to protect accounts against data breaches. Phishing-resistant MFA does not use passwords or one-time access codes, which are often compromised in social engineering scams. Therefore, using phishing-resistant MFA can help protect your systems against the costly and damaging data breaches that stem from these scams.

  • Reduces the risk of credential theft. Because phishing-resistant MFA does not use passwords, and the private key never leaves the user's device, it is nearly impossible for threat actors to steal usable credentials from authorized users. This makes it much harder for cybercriminals to access systems and cause damage from the inside.

  • Streamlines the login experience. With traditional MFA systems, users need to wait to receive a confirmation code via email or text message before they can log into their accounts. This process can be slow and clunky and can even be confusing for users who aren't familiar with MFA. With phishing-resistant MFA, a touch, PIN, or biometric completes the login.

  • Works with physical access management systems. Phishing-resistant MFA technologies work with both physical and digital access management systems. These technologies can be built into keycards used to access secure spaces or networks.

  • Helps meet compliance standards. Some organizations are subject to very strict security standards set by industry regulatory bodies or governments. In these cases, implementing phishing-resistant MFA can help organizations meet these compliance standards and avoid fines.

Drawbacks of phishing-resistant MFA

Although phishing-resistant MFA is a powerful security tool, it does have some potential downsides. It's important to be aware of them before implementing phishing-resistant MFA in your organization because it:

  • Requires new technology installation. Setting up phishing-resistant MFA requires organizations to install new hardware and software. If you are using this technology for physical access management, you will also need to create and distribute keycards to your staff. This process can be complex and may require reconfiguration of existing systems. 

  • Takes time to set up. The process of giving your entire organization new credentials and teaching employees how to use phishing-resistant MFA can take time. As with any new technology, there may be some resistance or confusion when things are first implemented. 

  • Can be expensive. Implementing phishing-resistant MFA solutions can be costly, especially if you are installing the infrastructure from scratch. This may be cost-prohibitive for smaller organizations. 

  • Doesn't provide 100% protection. Phishing-resistant MFA is much safer than traditional MFA methods when it comes to preventing social engineering attacks. However, it can't completely eliminate cybersecurity issues: a compromised device, a stolen session after login, or a weak account-recovery process can still undermine it.

Protect sensitive data with phishing-resistant MFA

Multi-factor authentication has become a standard cybersecurity practice for organizations across various industries. However, it isn’t always enough to keep cybercriminals at bay. 

Phishing-resistant MFA uses advanced access management technology to enhance account security. It eliminates the need for passwords or verification codes that could be compromised due to phishing scams or other forms of social engineering. Cryptographic verification is more secure and can create a better user experience. 


Ugnė Zieniūtė

Ugnė Zieniūtė is a content manager at NordVPN who likes to research the latest cybersecurity trends. She believes that everyone should take care of their online safety, so she wants to share valuable information with readers.