Did you know that, in 2021, 25% of all data breaches started from phishing attacks? This means every one of four security incidents have its beginning in phishing. You might think that your organization has solid protections against this threat: employee training, multi-factor authentication (MFA) and malware detection tools.
While these solutions are important to protecting against phishing, they aren’t bulletproof – as shown by the recent Uber data breach.
In September of this year, hackers managed to break into Uber after they purchased an Uber contractor’s logins of the Dark Web. They tried to use the credentials, but received a MFA prompt, asking them to enter a code sent to the contractor’s phone. Rather than giving up there, the hackers began to bombard the victim’s email address with fake MFA requests. Eventually, the victim gave in and shared the MFA token with the hackers, allowing them to enter Uber’s infrastructure and steal a ton of sensitive data.
This incident underscores the need for organizations to adopt phishing-resistant MFA. Here’s everything you need to know.
What Is Phishing-Resistant MFA?
Phishing-resistant MFA is a step beyond MFA that accounts for the fact that hackers may attempt to maliciously subvert the authentication process through spam and other phishing tactics. As well as protecting against phishing attacks, phishing-resistant MFA also protects against other credentials risks, including credentials stuffing, brute force attacks and man-in-the- middle attacks.
Phishing-resistant MFA aims to take people out of the authentication process, as people are inherently ‘phishable’. Any request for authentication, pass-code or security question that requires manual intervention can be subverted. So, phishing-resistant MFA takes things out of people’s hands.
How Does Phishing-Resistant MFA Work?
The most common form of phishing-resistant MFA comes in the form of the FIDO standard, which was created some years ago by the FIDO Alliance, a non-profit organization of companies around the world that have come together to improve online authentication and security.
You might have heard of “WebAuthn” technology – this solution implements the FIDO standard.
Here’s how FIDO works step-by-step:
- You create your online account, or update it to implement FIDO, and register your device with the application. The device can either take the form of a special token like a YubiKey, or you can use your mobile device as the token.
- During the registration process, the application pairs with your device to create a unique cryptographic key. This means the website now knows and trusts your device.
- When you next login, the application will realize you are using your device, and give you access without needing you to manually authenticate, as your device already acts as the authentication mechanism.
- As an additional step, to make sure your device hasn’t been stolen or corrupted, the application may ask you to sign-in with a one-touch biometric mechanism, like your fingerprint or face ID, as we often see on smartphones.
The FIDO standard is highly effective at deterring phishing scams as it doesn’t require one-time pass-codes or links, which hackers can steal. The only human element involved is the biometric factor, which is almost impossible for a cyber-criminal to duplicate.
Does My Organization Need a Phishing-Resistant MFA Solution?
If you’re debating whether or not to implement a phishing-resistant MFA strategy, we highly recommend that you do. While MFA is a good foundational security step, it won’t protect against your organizations from complex threats. That’s where phishing-resistant MFA comes into play.
To put phishing-resistant MFA into place effectively, you’ll need a strategy. Prioritize your most high-value or vulnerable resources, such as email, remote access, identity servers like Active Directory or human resources staff.
Challenges of Putting In Place A Phishing-Resistant MFA Solution
Here are the most common obstacles to implementing phishing-resistant MFA.
- Some systems do not support phishing-resistant MFA: Some vendors are yet to integrate phishing-resistant MFA into their systems, which can hinder enterprise-wide adoption. However, you can still focus on the services that do support these capabilities.
- Enrolling all staff synchronously is unrealistic: Deploying this form of MFA across team members all at once can be difficult, especially in larger organizations. You’ll need to educate, enroll and provide support to all users as they familiarize themselves with the solution and then beyond. It therefore makes sense to take a segmented approach, starting with the most important or high-risk functions in your organization. With each phase of implementation, you’ll learn lessons about what works and what doesn’t which will make the later phases of implementation more seamless.
- User adoption requires education: It’s crucial to help your employees understand why phishing-resistant MFA is needed. Otherwise, they might resist adoption or even try to circumvent your policies by using unsolicited applications. Education and awareness training goes a long way to solve this issue. By empowering employees with knowledge about why phishing-resistant MFA is vital to security, you’ll boost adoption and ensure your people become security advocates.
Get Help With Phishing-Resistant MFA Today!
Unbound Digital can help you implement phishing-resistant MFA today. We’ll take care of everything for you, from implementation to management, so you can improve your security resilience. Contact us to get started.