What does “unphishable” mean?
In plain English, something that is “unphishable” cannot be breached using standard phishing techniques. With the massive increase in phishing attacks in recent years, IT experts are scrambling to find ways to protect their organizations from this ever-increasing threat. Unphishable authentication is one way to provide that security.
However, the answer to what exactly “unphishable” authentication entails is much more nuanced than that.
Phishable vs unphishable multi-factor authentication (MFA)
Unphishable authentication is only possible when users cannot be tricked into handing authentication factors over to an attacker, and there is no component that can be given over to a hacker, even by erroneous user error. A phishable authentication method trusts a user’s competence for security, but with unphishable authentication the competence of the user is irrelevant to the security. The user carries none of the burden of protecting the factors being used.
It’s easiest to understand unphishable authentication by considering current, phishable MFA solutions. While using passwords, push notifications, magic links, and one-time passwords as additional factors are common, these solutions are easily phishable, and continuously hacked by attackers.
Some attackers have started “prompt bombing” a targeted user with push notifications until they approve access to a malicious actor. Other ways to phish these weak factors include SIM swaps, man-in-the-middle attacks, rebuilding passcode generators, and other methods. In addition to these known hacking methods, attackers are always looking for new ways to infiltrate weak systems.
Unphishable factors are more difficult, if not impossible, to hack. Examples of unphishable factors include:
- Local biometrics: These “something you are” factors provide stronger authentication because they are unique to each user and aren’t stored in a database that can be breached.
- Cryptographic security keys: This “something you have” factor ensures that a user is logging in from a trusted and authorized device.
- Hardware security keys: These keys can help stop phishing attacks by requiring the physical device is on hand to access sensitive information, and not relying on text messages or push notifications that can be intercepted.
With phishing attacks increasing, it’s essential to take a second look at your authentication methods to ensure you’re not leaving your organization wide open for attack.
What to look for in an unphishable MFA solution
If you're worried or have already determined that your current MFA might not be protecting you from phishing attacks, here’s what you should look for in an unphishable MFA solution:
Uses only strong factors
True, unphishable MFA won’t allow you to use weak and easily hacked authentication factors such as one-time passwords, magic links, or SMS text messages as standard authentication factors. Instead, they’ll rely entirely on biometrics, cryptographic security keys, device-level security checks, or hardware security keys.
Choose a solution that is easy to implement and scale
While the work MFA is doing behind the scenes is complex, it shouldn’t be complicated to deploy across your organization. Beyond Identity’s Secure Work is as easy as adding a few lines of code, and most customers completely transition to our platform in 90 days or less. Users can also self enroll easily, which frees up a lot of IT’s time.
Ensure it’s easy to use
Password-based MFA creates a lot of friction in the user experience, harms adoption, and sends your users searching for potentially insecure workarounds. Unphishable MFA is best when it’s easy to use, if not invisible to the end user. If the user experience is annoying or tedious, users will be slow to adopt or look for workarounds.
Look for risk-based authentication
While modern unphishable MFA makes it practically impossible for attackers to break in, what happens during the user session on your network? If the answer is nothing, that’s asking for trouble. A good unphishable MFA solution will also be able to provide continuous, risk-based authentication that assesses a variety of user, device, and location signals. After all, the next attack could come from the inside.
No truly unphishable MFA solution will rely on the password during the authentication process, it should be passwordless. If the solution you’re considering still allows your users to continue to use the username and password, you’re still at risk for password-based attacks.
Learn more about how to stop phishing attacks from impacting your workforce or customers. You can also get a free demo to experience the solution.