How to Implement Phishing-Resistant MFA

{authorName}

Zac AmosFeatures Editor at ReHack

31 March 2023

While the technology behind phishing-resistant MFA is developing, it’s quickly becoming the new gold standard in security. Investing in this authentication will go a long way toward ensuring your organization's security.

Article 4 Minutes
How to Implement Phishing-Resistant MFA

Phishing attacks are some of the most prolific forms of cybercrime. Reports state there was a 61% increase in phishing attacks in 2022, which is predicted to increase in 2023. Not only that, but these attacks have also become more sophisticated. Many now target mobile devices, where it takes more work to distinguish whether or not a text or message is trustworthy.

It's now more important than ever to safeguard your business from phishing attacks. A data breach can be costly and not just on the financial side — your company's reputation can also take a huge hit.

The different types of phishing attacks

First, a brief overview of the different types of phishing attacks is crucial.

Email phishing

Phishers will register a fake domain that looks similar to an actual organization, like a bank or an online retailer. They'll send out thousands of generic requests calling the receivers to action.

The attackers will often try to get their fake email address as close to the real one as possible — for instance, you might see "[email protected]" or "[email protected]." At first glance, these may look legitimate and users might open them, unwittingly allowing malware to invade the computer system.

Spear phishing

Spear phishing is a more sophisticated type of email phishing. Unlike regular email phishing that only uses generic verbiage, spear phishing emails will often address you by name and try their best to sound familiar to you. This is because phishers have more than likely already acquired your or a colleague's personal information through another data leak. That makes these emails highly personalized and hard to spot as disingenuous at first glance.

Learn more: How to Use Spear Phishing to Teach Your Employees a Lesson

Smishing and vishing

Smishing and vishing are phishing attacks that target phones. When smishing, the phisher will send a text message posing as a business representative or trusted organization, asking you to click a link in the message. Like in the email example, phishers will try to closely imitate the organization's website address to trick you into thinking it's legitimate.

Vishing is when a phisher calls you directly, posing as a representative of an organization. They'll try to be anyone from insurance salespeople to bank representatives to IRS agents trying to persuade you into giving up your personal information.

Crucially, all of these types of phishing attacks involve human error, whether it’s clicking on a malicious link or accidentally giving away passwords over the phone. That’s where phishing-resistant MFA comes in.

What is phishing-resistant MFA?

Phishers are trying to obtain your credentials to access your computer systems and unfortunately, it works. Rotating passwords and implementing two-factor authentication can help, but these methods are no longer the strongest for preventing attacks because human carelessness can still compromise them.

Phishing-resistant MFA is the system quickly replacing passwords and 2FA as the standard in authentication. What makes phishing-resistant MFA different is the process of verifying your identity. Instead of using passcodes, users will obtain external authenticators such as a program on their phones or a security key. While human error is often the reason for successful phishing attacks, phishing-resistant MFA seeks to remove human error as an option.

Doing away with passcodes eliminates the goal of phishing attacks. In addition, it's far more convenient for users. Instead of remembering many different passwords to log into each system, they can use an authentication key on their person to log into everything.

Of course, it’s important to note that “phishing-resistant” MFA only helps to secure organizations against phishing attempts dealing with passwords and account access. Merely implementing phishing-resistant MFA doesn’t mean your organization will be immune to every phishing attempt, such as clicking on infected links or accidentally giving away non-password information.

Implementing hishing-resistant MFA

Phishing-resistant MFA is so effective that the Cybersecurity and Infrastructure Security Agency strongly urges all organizations in the U.S. to implement it in some form. The question is, how would you implement it in your organization?

FIDO/WebAuthn authentication

FIDO/WebAuthn is currently the only widely available service for phishing-resistant MFA. Organizations can implement this program in two ways. The first method has information stored in physical tokens called roaming authenticators. These connect to your organization's computers or other devices using a USB or NFC device.

The second way is embedding a program into a computer or mobile device to serve as "platform" authenticators. FIDO can also use biometrics such as fingerprints or facial recognition as an added layer of security.

PKI-based MFA

The second method is less available because it ties to an organization's public key infrastructure. This method can come in various forms, with one of the most well-known being smart cards that can authenticate users within the organization. However, this type of MFA requires powerful identity management practices — something not feasible for most non-governmental organizations.

Solution Categories

Identity Management Software

Identity Management Software

Identity management software refers to a computer program or application that facilitates the manage...

Authentication Software

Authentication Software

Authentication software refers to computer programs and systems that verify the identity of users or...

Password Management Software

Password Management Software

Password management software refers to a tool or application designed to securely store and manage p...

Privileged Access Management Software

Privileged Access Management Software

Privileged Access Management (PAM) Software refers to a specialized solution that helps organization...

Multi-Factor Authentication (MFA) Software

Multi-Factor Authentication (MFA) Software

Multi-Factor Authentication (MFA) Software refers to a security solution that adds an additional lay...

Zac Amos

As the Features Editor at ReHack, Zac Amos writes about cybersecurity and the tech industry.

Comments

Join the conversation...