Is Your Organization Vulnerable To Phishing?

January 18, 2024

Are You Vulnerable to Phishing?

With all the talk about phishing-resistant multi-factor authentication (MFA), do you know if you are really using phishing-resistant authentication and why it matters?

An NSA report states that “…terms like ‘2-step verification,’ ‘two-factor authentication,’ and ‘multi-factor authentication’ are all widely used to describe similar capabilities.” Reddit chats are full of questions about phishing resistance with a mix of inaccurate and correct information. The confusion is compounded by the fact that vendors are muddying the waters by claiming their products are phishing-resistant when often they are not.

To highlight this problem, we’ll jump to the big conclusion and explain it later: no matter what vendors claim, certificate-based authentication (CBA) backed by PKI and authentication technology complying with the Fast Identity Online (FIDO) standard are the only two truly phishing-resistant forms of MFA. Let’s look deeper at the different types of MFA and the importance of being resistant to phishing.


The Current State of MFA

As noted in the recent Axiad 2023 State of Authentication Survey, phishing remains the cybersecurity threat most feared by IT professionals. In fact, 39% of respondents indicated this, with phishing eclipsing malware, ransomware, and others.

The reason for this is that all bad actors need for phishing to work is one person to “bite” on their email, and then they can compromise the security of a network. This is why many organizations have adopted MFA – to make phishing harder. But, we’ve learned that MFA in itself (what we like to call “basic MFA”), is not enough to stop the phishing scourge. Everyone ranging from the Cybersecurity and Infrastructure Security Agency (CISA) and National Institute of Standards and Technology (NIST) to The White House has recommended that organizations move to phishing-resistant MFA.

To better understand phishing-resistant MFA, it’s first essential to understand what it is not.

Here are the four most common approaches to authentication and why they are not phishing-resistant:

Passwords – The drawbacks of using passwords are well known. They range from end-user problems (using weak passwords, re-using passwords, and stalled productivity when accounts need to be recovered) to IT efforts and costs stemming from password resets, and credentials management. Yet, 93% of organizations continue to use passwords, according to the Axiad survey cited earlier. Further, the FIDO Alliance notes that passwords are the root cause of 80% of data breaches. They can be given away through phishing scams, bought on the black market, and stolen. Ultimately, passwords are highly susceptible to phishing.


SMS and Voice MFA – This is a good first step for implementing MFA, but pushing voice or text-based numbers at people is insecure. According to the CISA report, Implementing Phishing Resistant MFA, these approaches to MFA are easily defeated.  Threat actors utilize SIM swaps, social engineering, or other approaches. Thus, SMS and voice MFA are not phishing resistant.


One-Time Passwords (OTP) or Token-based OTP – OTPs can be authenticator app-based or token-based. Both generate a code to be used by the user in the authentication process. Token-based OTP takes the extra security step ensuring proof of possession. These OTP approaches can seem like a more secure authentication, but they are also vulnerable to phishing. The most-used attack in this category takes place when a victim is referred to a spoofed site. Then, the victim enters their MFA information. Scammers then use this information to access legitimate accounts and networks.


Mobile push with number matching – Number matching on an authenticator app provides better security and spares organizations from push-bombing attacks (where they send so many text messages that the fatigued recipient pushes “accept” on their authenticator app). Yet, this method is still vulnerable to phishing. Like with OTPs, the number matching element can still be phished through attacks such as social engineering.


While each approach to MFA has its plusses and minuses, none of these authentication methods is truly phishing resistant. No matter what MFA method noted above is deployed, cyberattackers can still gain access to places they don’t belong.


MFA Methods That Are Phishing Resistance

According to CISA, only two approaches are resistant to phishing: CBA (PKI-based) and authentication solutions compliant with FIDO. Now, let’s look at how they work to defeat phishing attacks:

Certificate-Based Authentication (CBA) backed by PKI: CBA uses a Public Key Infrastructure (PKI) and incorporates a device such as a smart card or YubiKey to house the certificate. CBA is a well-established method and a highly secure form of MFA. It is used in high-value environments, such as federal government networks and other regulated industries. Because CBA does not use passwords, there is nothing for end-users to give away through phishing attacks or unsafe behavior. This is what makes CBA resistant to phishing.


FIDO Passkeys: FIDO is an alliance of tech companies across diverse industries developing standards for the elimination of passwords. Instead of a password, FIDO Passkeys use methods like biometrics (a finger scan or facial recognition) to create a passkey that verifies that the person doing the authentication is who they claim to be. FIDO passkeys are the most advanced standard for passwordless authentication. They are expected to become the gold standard of authentication technology over time. Like CBA, a FIDO Passkey does not entrust the end user with a password to give away, making it phishing-resistant.


The Path Forward to Phishing-Resistant MFA 

It is important to understand that phishing resistance is not an either/or proposition. Many organizations today are using a dual approach. CBA allows organizations to preserve their investment in identity and access management (IAM) solutions and adopt a phishing-resistant model to support use cases currently not covered by FIDO passkeys. Then, FIDO passkeys can future-proof this phishing-resistant approach and, as the standard gets more widely adopted, enable organizations to remain passwordless over the long term.

Axiad enables a phishing-resistant MFA journey with Axiad Cloud. It’s a comprehensive, secure, and integrated authentication platform that allows organizations to move to true phishing-resistant MFA. Axiad Cloud supports both FIDO and CBA and does not introduce the friction that can arise from authentication point solutions. Using Axiad Cloud, organizations can adopt CBA to meet immediate phishing-resistant MFA needs and migrate to FIDO Passkeys when they are ready.


A Simple Test

Regardless of what vendors or others say, a simple test can be applied to any phishing resistance claims. Is the authentication solution CBA (PKI-based) or FIDO compliant? Those are the two ways to be genuinely phishing-resistant. So, how does one get to a phishing-resistant future? We’ll address that in our next blog.


About the author
Tami Williams
Tami Williams
Axiad Demo

See How Axiad Works

See a comprehensive demo of Axiad and envision how it will revolutionize authentication for you!