
What is Phishing-Resistant Multifactor Authentication?

As cyber threats continue to evolve, so must our defenses. Multifactor authentication (MFA) is now widely accepted as a standard security measure for businesses, but an increase in security incidents that bypass MFA has created a need for phishing-resistant MFA. In this blog post, we outline how it differs from traditional MFA and why it is now a crucial part of a business's multi-layered security strategy.

Phishing-resistant MFA is a security system that requires more than one method of authentication to verify a user's identity for a login or other transaction. It is designed to resist phishing attacks: attempts to steal sensitive information such as usernames, passwords, and credit card details by posing as a trustworthy entity in an electronic communication.

According to a recent report by Egress, 79% of organizations that fell victim to a security incident saw that incident start with a phishing email, and 83% of them had MFA in place that was bypassed for the attack to succeed.

In traditional MFA, users are typically required to provide two forms of identification before gaining access to an account. This commonly involves something the user knows (e.g., password) and something they have (e.g., a one-time code sent to their mobile device). Key issues with traditional MFA are: 

  • Traditional MFA still uses a password as the first factor, which can easily be hacked or stolen.
  • Hackers have found ways to bypass MFA through push fatigue, SIM swapping and Adversary-in-the-Middle (AitM) attacks (also known as Man-in-the-Middle attacks).
  • It does not bind identities to devices, so there is no way to verify that the user is who they say they are.
  • Phishing-resistant MFA is starting to be mandated in certain industries.

Implementing Phishing-Resistant MFA

Phishing-resistant MFA goes a step further by incorporating additional security measures to mitigate the risk of falling victim to phishing attacks. Three of the most phishing-resistant MFA methods are:

1. FIDO2 Security Keys/Tokens: The FIDO (Fast Identity Online) Alliance promotes open authentication standards such as FIDO2, the latest standards-based passwordless authentication method. Physical devices like security tokens or smart cards that generate one-time codes can also be used as a second factor. These are less susceptible to phishing attacks than codes sent via SMS or email.

2. Biometric Authentication: Using biometric data such as fingerprints, facial recognition, or iris scans adds an extra layer of security. These characteristics are generally harder for attackers to replicate through phishing. 

3. Certificate-based: Microsoft Entra certificate-based authentication (CBA) lets organizations allow or require users to authenticate directly with X.509 certificates against Microsoft Entra ID for application and browser sign-in. The certificates are issued by the organization's own Public Key Infrastructure (PKI).
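What makes a FIDO2 sign-in resist the Adversary-in-the-Middle bypass mentioned above is that the browser records the page origin, and the authenticator scopes and signs the response to the relying party's ID, so a response collected on a lookalike site does not verify on the real one. The following is an added example (not the page's or any vendor's code) that models those relying-party checks; the RP `example.com`, the lookalike `examp1e.com` and the per-credential secret are constructed, and an HMAC stands in for the real ES256 signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying party (RP) and lookalike phishing site used for the demonstration.
RP_ID, RP_ORIGIN = "example.com", "https://example.com"
PHISH_RP_ID, PHISH_ORIGIN = "examp1e.com", "https://examp1e.com"

def authenticator_assert(cred_secret, rp_id, origin, challenge):
    """Model of a FIDO2 authenticator answering a sign-in. The browser (not the user) records the
    page origin in clientDataJSON; the authenticator writes sha256(rp_id) into authenticatorData and
    signs authenticatorData || sha256(clientDataJSON). The HMAC stands in for the ES256 signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_secret, to_sign, hashlib.sha256).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": client_data, "signature": signature}

def verify_assertion(cred_secret, assertion, expected_challenge):
    """RP-side checks, simplified from the WebAuthn assertion verification procedure."""
    client = json.loads(assertion["clientDataJSON"])
    if not hmac.compare_digest(client.get("challenge", ""), expected_challenge):
        return "challenge mismatch"        # replayed or stale assertion
    if client.get("origin") != RP_ORIGIN:
        return "origin mismatch"           # the browser was on some other site
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"         # credential scoped to another RP ID
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(cred_secret, to_sign, hashlib.sha256).digest(),
                               assertion["signature"]):
        return "bad signature"             # a signed field was altered in transit
    return "ok"

def demo():
    cred_secret, challenge = secrets.token_bytes(32), secrets.token_urlsafe(32)
    legit = authenticator_assert(cred_secret, RP_ID, RP_ORIGIN, challenge)
    # The victim's browser sits on the lookalike site, so the proxied assertion carries that origin.
    proxied = authenticator_assert(cred_secret, PHISH_RP_ID, PHISH_ORIGIN, challenge)
    # Patching origin and rpIdHash to the real RP's values breaks the signature that covers them.
    patched = {"authenticatorData": hashlib.sha256(RP_ID.encode()).digest() + proxied["authenticatorData"][32:],
               "clientDataJSON": proxied["clientDataJSON"].replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode()),
               "signature": proxied["signature"]}
    return {"legitimate": verify_assertion(cred_secret, legit, challenge),
            "proxied": verify_assertion(cred_secret, proxied, challenge),
            "patched": verify_assertion(cred_secret, patched, challenge),
            "replayed": verify_assertion(cred_secret, legit, secrets.token_urlsafe(32))}
```

Contrast this with a one-time code typed into a lookalike page, which carries no origin and verifies wherever it is relayed.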

Implementing phishing-resistant MFA requires proactive investment in IT strategy, planning and review, starting with:

  • Cybersecurity Assessment: Assess your organization’s security requirements and choose the best phishing-resistant MFA method. 
  • Security Awareness Training: It only takes one employee and just seconds for a breach to happen. The best approach to cybersecurity is a multi-layered one that includes Security Awareness Training. We’ve partnered with Curricula by Huntress to provide the most sophisticated phishing simulation and security user training available. 
  • Integrate with IT Systems: Work with your vCIO or internal department to integrate MFA with existing IT systems and user workflows. 
  • Enforce MFA Policies: Implement mandatory MFA for all employees who access sensitive company data.

The goal of phishing-resistant MFA is to reduce the likelihood of attackers successfully impersonating legitimate users, even if they manage to obtain some of the user's credentials through phishing techniques. By combining multiple and diverse authentication factors, organizations can significantly improve the security of their systems and protect user accounts from unauthorized access. If you're looking to learn about the best MFA for your business, reach out to us to learn more about our Cybersecurity and vCIO Services.