What is Phishing-Resistant Multi-Factor Authentication?
Vincent
Created: April 13, 2024
Updated: August 27, 2024
What is Phishing-Resistant MFA?#
Phishing-resistant multi-factor authentication (MFA) is an advanced authentication strategy designed to protect against phishing attacks, making it impossible for attackers to compromise or deceive users into revealing sensitive access information. This form of MFA stands out by requiring that participants not only prove their identity through multiple factors but also that these factors cannot be used for phishing attacks.
Unlike conventional MFA methods, which may include passwords, SMS, or OTPs, phishing-resistant MFA utilizes mechanisms like FIDO authenticators that are immune to phishing, spear phishing, man-in-the-middle, and various other cyber threats. Often phishing-resistant MFA is based on asymmetric cryptography as used in public-key infrastructure ( PKI) and credentials are scoped to website or app they were created for, so that they cannot be used on decoy websites or apps.
With around 80% of data breaches involving compromised credentials, phishing-resistant MFA is increasingly recognized as essential for improving cybersecurity defenses.
- Phishing-resistant MFA prevents phishing by requiring authentication factors that cannot technically be phished.
- Techniques like FIDO authenticators offer robust protection against a range of phishing and cyber attacks, as they bind credentials to a relying party ID.
- It’s essential for securing access to sensitive data and critical systems, significantly reducing the risk of data breaches.
Detailed Overview of Phishing-Resistant MFA: How It Works#
Phishing-resistant MFA represents an advancement in authentication technology. By leveraging public-key cryptography, binding credentials to a scope and eliminating shared secrets, this approach offers a significantly more secure method of authenticating users.
Characteristics of Phishing-Resistant MFA are:
- Strong Authenticator and User Identity Binding: This ensures a secure and cryptographically proven relationship between the user and the authenticator. An authenticator can be a hardware security key (e.g. YubiKey) or another personal device like smartphone or computer that has a hardware security module (e.g. TPM or Secure Enclave).
- No Shared Secrets: In phishing-resistnat MFA, no shared secrets are used. Instead, unique public and private key pairs for authentication (based on asymmetric cryptography) are used which prevent replay and man-in-the-middle attacks.
- Trusted Parties Only: Non-phishable MFA only responds to authentication requests from verified and trusted sources, protecting against impersonation, as credentials are bound to known parties (e.g. the relying party ID in WebAuthn / passkey authentication.).
- User Intent: In phishing resistant MFA, the active user participation is requried in the authentication process. This requirement ensures that users are aware of and consent to the login attempt.
Importance of Phishing-Resistant MFA#
Since data breaches and cyber-attacks have become increasingly common, the important of secure MFA that has no phishable authentication factors has also increased. Here, not only the user's identity is verified but it's also ensured that an authentication request is legitimate and initiated by the rightful user.
How is MFA targeted?#
Since the introduction of (traditional) MFA, cyber criminals have employed methods to circumvent MFA. The following methods have been used by cyber threat actors to gain access to MFA credentials:
| Name | Explanation |
|---|---|
| Phishing | Phishing is a social engineering tactic where cybercriminals use deceptive emails or malicious websites to trick individuals into disclosing sensitive information, such as passwords or OTPs. For instance, a common phishing approach involves sending an email that directs the victim to a fraudulent website designed to mimic a legitimate login portal, where they unknowingly enter their username, password, and OTP. |
| Push bombing (also known as push fatigue) | Push bombing involves overwhelming a user with repeated push notifications until they mistakenly accept one, inadvertently giving the attacker access to the system or network. |
| Exploitation of SS7 protocol vulnerabilities | Attackers take advantage of vulnerabilities in the SS7 protocol, which is part of the global communications infrastructure, to intercept MFA SMS OTPs or voice calls to a user’s phone. |
| SIM Swap | SIM Swap is a social engineering method where attackers deceive mobile carriers into transferring control of a target's phone number to a SIM card controlled by the attacker, allowing them to hijack the victim's phone communications. |
Phishing is Cyber Security Industry's Biggest Problem#
The following stats demonstrate how big of an issue phishing is for any digital service:
- Phishing attacks surged by 58.2% in 2023, compared to 2022, reflecting the growing sophistication and persistence of threat actors.
- Vishing (voice phishing) and deepfake phishing attacks are on the rise as attackers leverage generative AI to amplify social engineering tactics.
- The US, UK, India, Canada, and Germany were the top five countries targeted by phishing attacks.
- The finance and insurance industry faced 27.8% of overall phishing attacks, the highest concentration among industries and a staggering 393% year-over-year increase. Manufacturing followed closely behind at 21%.
Typical phishing email from PayPal, taken from https://www.phishing.org/phishing-examples
Typical Phishing Scenario#
Imagine this scenario to understand how a typical phishing attack is conducted.
An employee at your company receives a call from someone claiming to be an off-site IT support specialist, alerting them to a detected IT issue. The caller warns that if the problem isn't resolved, the employee might be locked out of their account.
To address this supposed login issue, the caller instructs the employee to update their password to be compatible with the software again. They direct the employee to a password change website and request that the password should be updated there. The employee follows these instructions, enters a new password, and receives an OTP on their phone. They enter the OTP, and just like that, the issue seems resolved for the employee. Meanwhile, the attacker got access to the real software and can breach the account or download data.
Even though your company may have implemented traditional MFA for all employees to guard against certain attacks, like password guessing, the account is breached. While MFA can mitigate some common threats, it doesn't fully protect against all forms of credential theft, as demonstrated in this scenario. Here, the attacker successfully obtained the employee’s username, password, and an SMS OTP. These so-called "MFA bypass" attacks are not just theoretical; they are actively being used against even well-resourced companies with strong security teams.
Who's is Most often Target of Phishing?#
The following table gives an overview of the brands who were most often targets of phishing attacks in Q1 2024. Microsoft remained the most targeted brand, while Google moved up to the second spot.
| Rank | Brand | Frequency |
|---|---|---|
| 1 | Microsoft | 38% |
| 2 | 11% | |
| 3 | 11% | |
| 4 | Apple | 5% |
| 5 | DHL | 5% |
| 6 | Amazon | 3% |
| 7 | 2% | |
| 8 | Roblox | 2% |
| 9 | Wells Fargo | 2% |
| 10 | Airbnb | 1% |
Comparison of Phishing-Resistancy of Traditional Authentication Methods.#
In the following table, you find different authentication methods that are common in the digital world and see if they are phishing-resistant or not (and a short explanation).
| Authentication method | Phishing-Resistant | Explanation |
|---|---|---|
| Password | ❌ | Passwords can be easily phished through fake websites and social engineering. |
| SMS OTP | ❌ | SMS OTPs can be intercepted or phished through fake websites and SIM swapping. |
| Email OTP | ❌ | Email OTPs can be phished by tricking users into entering codes on malicious sites. |
| Email magic link | ❌ | Email magic links can be phished by intercepting the link through email compromise. |
| Social logins (e.g. Google, Facebook) | ❌ | Social logins can be phished by tricking users to log in via fake OAuth prompts. |
| SSO | ✅/❌ | SSO can be phishing-resistant if implemented with strong authentication methods like FIDO2 or smart cards. |
| TOTP (e.g. Google Authenticator) | ❌ | TOTPs can be phished if the attacker tricks the user into providing the code. |
| Push Notification (e.g. Authy, Duo) | ❌ | Push notifications can be phished through fake prompts or social engineering. |
| Passkey | ✅ | Passkeys use public-key cryptography and are bound to the origin, preventing phishing. |
| FIDO2 Security Key | ✅ | FIDO2 security keys use origin-bound keys and challenge-response, making them phishing-resistant. |
| Smart Card | ✅ | Smart cards use secure elements and are resistant to phishing. |
Use Cases and Industry Applications of Phishing-Resistant MFA#
Phishing attacks grow in sophistication and frequency. Therfore, phishing-resistant MFA is becoming important across various industries. Organizations in sectors such as healthcare, finance, and remote work environments are increasingly adopting phishing-resistant MFA to protect sensitive data and systems.
Healthcare: Protect Patient Data#
In healthcare, where patient data confidentiality is the highest good, phishing-resistant MFA helps protect electronic health records (EHRs) from unauthorized access. Given the industry's regulatory requirements, such as HIPAA in the United States, implementing robust security measures is essential. Phishing-resistant MFA ensures that even if credentials are compromised, unauthorized parties cannot access patient information.
Finance: Protect Bank Accounts and Payments#
The financial sector is another critical area where phishing-resistant MFA is essential. Financial institutions are prime targets for phishing attacks due to the direct monetary implications. By adopting MFA solutions like FIDO2 or PKI-based systems, these institutions can significantly reduce the risk of account takeovers and fraudulent transactions.
Remote Work: Protect Professional Data#
With the rise of remote work, ensuring secure access to corporate resources has become more challenging. Phishing-resistant MFA plays an important role in securing remote access. This is especially important as employees access company networks from various locations and devices, increasing the attack surface for cybercriminals.
Government and Critical Infrastructure: Protect Citizen Data#
Phishing-resistant MFA is crucial in government and critical infrastructure sectors because these entities handle sensitive citizen data and national security information. Unauthorized access to such systems could lead to severe consequences, including data breaches, disruption of essential services, and even threats to national security. Implementing phishing-resistant MFA helps ensure that only authorized personnel can access critical systems, thereby protecting citizen data and maintaining the integrity of essential public services.
Implementing Phishing-Resistant MFA#
For organizations looking to improve their cybersecurity posture, the implementation of phishing-resistant MFA is a very intelligent move.
Passkeys / FIDO2 as Latest Phishing-Resistant MFA#
FIDO2, developed by the FIDO Alliance, represents the gold standard in phishing-resistant MFA, enabling passwordless authentication with high security. This is how the Cybersecurity and Infrastructure Security Agency (CISA) refers to passkeys. CISA has issued guidelines urging enterprises, especially those managing critical infrastructure, to implement phishing-resistant MFA.
To understand in detail why passkeys are the most user-friendly phishing-resistant MFA method, we recommend to take a look at our blog post Passkeys Phishing: Why Passkeys Are Phishing-Resistant.
How to prioritize in Phishing-Resistant MFA Rollouts#
When you want to roll out phishing-resistant MFA, there are 2 core questions you should ask yourself:
- Which resources are critical to protect? Cyber threat actors often target core systems such as email platforms, file servers, and remote access tools to infiltrate an organization’s network. They also seek to compromise identity management systems like Active Directory (e.g. Microsoft Entra), which could enable them to create new accounts or take control of existing user accounts.
- Who are the high-value targets within the organization? While compromising any user account can lead to a significant security breach, certain accounts with elevated access or privileges are particularly attractive to cyber criminals. For instance, if a system administrator's account is compromised, the attacker could potentially gain access to any system and data within the organization. Other high-value targets might include attorneys, who could have e-discovery permissions to access emails, including deleted ones, or HR staff with access to sensitive personnel records.
Issues of Phishing-Resistant MFA Rollouts#
Introducing phishing-resistant MFA often does not come without any issues. The three most common ones are the following:
- Compatibility with Legacy Systems: Some existing systems may not support phishing-resistant MFA, either because they are outdated or because the vendor has not yet implemented the necessary updates. In such cases, organizations should prioritize protecting the most critical systems that do support phishing-resistant MFA, such as hosted email and single sign-on (SSO) systems.
- Gradual Deployment Difficulties: Rolling out phishing-resistant MFA across an entire organization simultaneously can be impractical. Challenges such as training, enrolling, and supporting all users at once can make a phased approach more manageable. Organizations may start by implementing MFA for key groups, like IT administrators and help desk staff, and then expand the rollout gradually, applying lessons learned from earlier phases.
- User Resistance and Adoption Concerns: There may be resistance from users who are concerned about the potential impact on their experience or the additional steps required by phishing-resistant MFA. It’s important for IT security leaders to communicate the risks of not implementing strong MFA and to secure buy-in from senior leadership, who can help manage the cultural and communication aspects of the transition.
Phishing-Resistant MFA FAQs#
How does phishing-resistant MFA differ from traditional MFA?#
Phishing-resistant MFA differs from traditional MFA by using advanced security protocols, like FIDO2 / WebAuthn, which are specifically designed to prevent phishing attacks. These protocols ensure that authentication is bound to the legitimate website and involve hardware-based tokens or cryptographic keys that cannot be easily intercepted or spoofed by attackers.
Why is phishing-resistant MFA considered more secure?#
It is considered more secure because it eliminates the risk of attackers intercepting or deceiving users into revealing authentication information, by using methods that are not susceptible to common phishing tactics.
Can phishing-resistant MFA completely eliminate the risk of phishing attacks?#
While no security measure can provide 100% protection, phishing-resistant MFA significantly reduces the risk of successful phishing attacks by eliminating common vulnerabilities exploited by attackers.
What are some examples of phishing-resistant MFA technologies?#
Examples include FIDO2 / WebAuthn security keys and PIV smart cards, which use public-key cryptography and credential scoping (to a relying party ID) to ensure secure, phishing-resistant authentication.
How does phishing-resistant MFA integrate with existing security systems?#
Phishing-resistant MFA integrates with existing security systems by leveraging protocols like FIDO2/WebAuthn, which can be incorporated into existing identity and access management (IAM) frameworks. It can work alongside traditional security measures, enhancing protection without requiring a complete overhaul of current infrastructure. Many modern systems, such as single sign-on (SSO) platforms and cloud services, already support these protocols, making integration smoother and more seamless.
What do regulators say about phishing-resistant MFA?#
Regulators across the globe are increasingly emphasizing the importance of phishing-resistant MFA to protect against cyber threats. In the United States, the Cybersecurity & Infrastructure Security Agency (CISA) strongly recommends the adoption of phishing-resistant MFA, providing detailed guidance in their fact sheet aimed at IT leaders and network defenders. Additionally, the White House has highlighted the use of phishing-resistant MFA as a key component of its OMB M-22-09 Zero Trust strategy, specifically endorsing FIDO2-based passkeys and PIV smart cards for secure authentication.
In the European Union, the General Data Protection Regulation (GDPR) encourages strong authentication practices, including the use of MFA, to protect personal data. Although GDPR does not specifically mandate phishing-resistant MFA, adopting it aligns with the regulation's emphasis on implementing appropriate technical measures to ensure data security.
Australia’s Essential Eight cybersecurity framework also requires organizations to adopts phishing-resistant MFA, particularly for critical systems and sensitive data, to protect against increasingly sophisticated phishing attacks.
Share this article
Enjoyed this read?
🤝 Join our Passkeys Community
Share passkeys implementation tips and get support to free the world from passwords.
🚀 Subscribe to Substack
Get the latest news, strategies, and insights about passkeys sent straight to your inbox.
We provide UI components, SDKs and guides to help you add passkeys to your app in <1 hour
Start for free
