Phishing-Resistant MFA image

Everything You Need to Know About Phishing-Resistant MFA

Categories: Thought Leadership

Implementing MFA as a core component of security for your organization is pretty much a given at this point. The dangers of not using strong security include compromised resources, data loss, lost revenue, damaged brand reputation, and being fined for not meeting regulatory requirements. Utilizing MFA is common sense.

The bigger question is what type of MFA is best for your organization? Password-based MFA doesn’t totally eliminate security risks because the password is still there, and the factors used by this type of traditional MFA (like one-time codes, SMS text messages, and push notifications) are easily phishable. 

A quick look at recent attacks shows just how easy it is for attackers to intercept emails, texts, and push notifications and gain full access to all your resources if the right security measures aren’t in place. Any way you look at it, password-based MFA vulnerabilities are bad for business. 

If you choose to still use passwords as one of your identification factors, your MFA is insecure and at risk of phishing attacks, password recovery exploits, and notification fatigue. Jasson Casey, CTO at Beyond Identity, talks about how easily most MFA can be phished in a recent episode of Cybersecurity Hot Takes (Most MFA Is Vulnerable).

So where does that leave you? Before you make a decision about what type of MFA you’re going to use to authenticate your users and devices, read 5 Things a Modern MFA Should Do. Short version, your MFA solution should:

  • Use unphishable factors such as cryptographic keys, biometrics, and device-level security checks
  • Eliminate passwords
  • Continuously assess for risk
  • Be invisible
  • Enable a zero trust strategy

In January 2022, the Office Of Management And Budget issued a memo laying the groundwork for creating a zero trust architecture for all US federal agencies by 2024. One key component of that architecture is phishing-resistant MFA.

Phishing-resistant MFA 

So what is phishing-resistant MFA, and will it really offer the protection you need? 

Phishing-resistant MFA uses factors that can’t be compromised by even a sophisticated phishing attack. This means the MFA solution can not have anything that can be used as a credential by someone who stole it, including, but not limited to: passwords, one-time passwords (OTP), security questions, SMS text messages, and push notifications. 

If your MFA solution uses any of those factors, your resources and organization are at risk.

Phishing attacks have become increasingly complex, and it can be hard to keep up with which factors are phishable. We’ve created a simple chart you can use as a guide when choosing factors. The main takeaway is that most things transmitted or sent to the user can be phished. Things that never leave the device (cryptographic keys) or your body (biometrics) can not. 

Phishable authentication methods (traditional MFA) rely on a user’s competence for security. The very concept of phishing shows that people are the weakest link in your cybersecurity plan, and successful social engineering attacks provide proof of that weakness. With unphishable or phishing-resistant authentication, the competence of the user is irrelevant to the security. The user carries none of the burden of protecting the factors being used, thus providing better security and a better user experience.

Want to know more about the differences between phishable MFA and phishing-resistant MFA? Check out this video where Jasson Casey and Roger Grimes, data-driven defense evangelist with KnowBe4, demonstrate the difference between phishing-resistant multi-factor authentication that is secure and phishable, insecure MFA.

Implementing zero trust authentication—the next logical step

The number of weekly attacks the average corporate network experienced rose 50% in 2021 over the previous year (Check Point Research). And it looks like those numbers will increase again in 2022. Our research alsofound that 70% of customers stopped using a service because of a publicized breach, highlighting the potential cost to organizations’ bottom lines if they don’t take cybersecurity seriously.

The answer to the growing unease and protecting your organization is adopting zero trust authentication that uses continuous risk-based multi-factor authentication and is passwordless and unphishable.

Zero trust authentication:

  • Provides certainty of identity
  • Establishes trust in the device
  • Continuously authenticates
  • Reduces user friction
  • Integrates with security ecosystem applications and controls to enable a proactive zero trust security posture

All of this lays the foundation for a zero trust security architecture.

Why Beyond Identity?

Since its inception, Beyond Identity has worked on and provided clients with the means to transition away from phishable, weak factors to strong, secure authentication that easily integrates with your existing single-sign on. 

Our cloud-native platform is not only passwordless and unphishable, it’s frictionless as well. After a simple registration process, users are issued a cryptographic credential tied to the device and user. Logging in after registration is as simple as a click and a scan of a fingerprint. 

Other companies claim to facilitate secure MFA, but a quick look at how easy it is to hack Duo shows where those products fall short. Want to know which MFA is better? Watch how easily Duo can be phished and how Beyond Identity is more secure. 

End results are what matter in securing your resources, and Beyond Identity provides the unphishable MFA and risk-based policy engine you need to securely authenticate your users. 

The phishing attempt was successful and several users clicked on a link that took them to a portal that mimicked their identity provider’s portal. But according to Marcos, “Beyond Identity essentially blocked that penetration tester from accessing those users' accounts at all because that penetration tester did not have access to that root of trust that is established by Beyond Identity.” 

With Beyond Identity, the risk of phishing or password-based attacks is eliminated, and thanks to continuous monitoring, the risk and scope of any insider attacks are drastically reduced.