phishable mfa

Are You Using Phishing-Resistant MFA? Probably Not.

Categories: Thought Leadership

In recent years, the phishing threat has grown significantly. In 2021, phishing attacks doubled compared to the previous years, and July 2021 was the highest on record according to the Anti-Phishing Working Group (APWG). 

These phishing attacks often took advantage of the confusion and switch to remote work driven by the COVID-19 pandemic. The US government  is taking the threat of phishing so seriously that by 2024 it is requiring federal agencies to adopt phishing-resistant multi-factor authentication (MFA)

What is phishing-resistant MFA? 

It’s exactly what it sounds like. Phishing-resistant MFA can’t be compromised by even a sophisticated phishing attack. This means that the MFA solution can not have anything that can be used as a credential by someone who stole it, including, but not limited to: passwords, one-time passwords (OTP), security questions, and interceptable push notifications. 

Password-based MFA solutions can’t and won’t stop phishing

Usually, a phishing campaign’s end goal is to perform an account takeover, which MFA solutions aim to protect against. Phishers try to steal users’ credentials via fake login pages and then use them to gain access to the user’s account.

In theory, MFA should protect against this by requiring multiple different factors for authentication, but in practice, it isn’t so simple. Often, these other factors are just as vulnerable to phishing as just using passwords to authenticate.

Most MFA today uses a combination of a password and an instance of a “something you have” factor. Often, this involves sending an OTP via SMS or email that the user then types into the authentication page. Modern phishing campaigns include the ability to phish these additional credentials as well. 

For example, a modern phishing page may be designed to interact directly with the target site, triggering an OTP text message or email when the user tries to log in on the phishing page. The SMS or email is sent to the user from the legitimate site, and the user enters it into the phishing site. At this point, the attacker has both the password and the OTP, enabling them to legitimately authenticate as the user.

This is just one way in which password-based MFA can be bypassed using phishing. It also assumes that the user is willing to enable MFA at all. Getting a code from an SMS text message, email, or authenticator app and typing it in adds friction to the authentication process and requires the user to have immediate access to the device or email account. As a result, a user may opt not to use MFA at all in favor of a better user experience, eliminating any anti-phishing protections that it could provide. Ironically the thing that is supposed to make them more secure, through its own inconvenience, pushes them towards the less secure option.

In the end, these MFA solutions rely on a password, which is an incredibly weak factor. Passwords are continually re-used, stolen, and stored in insecure methods. Once a malicious actor is able to successfully steal a password it only requires an interception of a text message or magic link sent via email for them to authenticate and start accessing critical data and costing an organization money. 

How Beyond Identity’s MFA stops phishing in its tracks

MFA using passwords and OTPs is vulnerable to phishing because it uses weak factors that users can be tricked into entering into a website. Beyond Identity’s passwordless MFA provides robust protection against phishing by using authentication factors that users can’t be tricked into handing over to an attacker.

Instead of using weak “something you know” factors like passwords combined with other phishable authentication factors, Beyond Identity only uses strong authentication factors that can’t be phished:

  • Local Biometrics: Modern devices include biometric scanners such as fingerprint and facial recognition. These “something you are” factors provide stronger authentication than passwords or OTPs and a more frictionless user experience.
  • Cryptographic security keys: Security keys stored on an authorized device provide a phishing-resistant “something you have” factor. This ensures that a user is logging in from a trusted device, stopping phishing attacks cold.
  • Device-level security checks: In addition to MFA, Beyond Identity checks what resources the device is trying to access (applications, cloud resources, etc.) and its current security posture. This makes it possible to validate that the request is compliant with corporate security policies and protects sensitive resources from being accessed by infected or insecure devices.

Beyond Identity’s passwordless MFA eliminates phishing risk because there are no passwords or OTPs for an attacker to phish. It also provides a more frictionless authentication experience because users are no longer required to memorize passwords, wait for OTPs, and type them into the website. Instead, the app seamlessly checks dozens of risk signals, accessing the private key on the user’s device, and the user authenticates themself with a fingerprint or other biometric setting.

Learn more about phishing-resistant MFA and Secure Work and Secure Customers to find out how to stop phishing attacks from impacting your workforce or customers. You can also get a demo to experience the solution.