Identity is the Key to SaaS Security, and You Need a Better Lock

SaaS Security

Breaches at Uber, American Airlines and Rockstar Games (makers of Grand Theft Auto) have been attributed to well-known attack vectors that exploit known weaknesses in multi-factor authentication (MFA), among them MFA fatigue, phishing and social engineering; Axiad looked at how these techniques were used in a previous blog focused on the Cisco data breach. Repeated breaches traced back to the same attack vectors, exploited over and over again, illustrate the need for better keys and locks for identity. In this blog, we’ll look at how identity provides the key and which locks are available for moving towards better methods of MFA.

Identity – User’s Key

Gone are the days when a network perimeter and physical security could serve as the first line of defense. Users log into their work applications, such as email, ERP systems and Office, from a variety of devices and systems, so the MFA an organization implements has to meet users where they are, on every application and device, to be effective. Identity is the key to security for cloud-based systems: an application needs to identify a user through an authentication exchange before it unlocks access, and implementing MFA lets organizations put better, stronger locks on that exchange. However, not all MFA locks are created equal.

Mobile Push – Easy to Install MFA Lock

Providing a consistent MFA lock that works across every scenario is difficult, and that difficulty is what made the mobile push app the “lock” of choice for many organizations. Mobile push apps are easy to deploy: the user has a phone, they download an app from the MFA provider, and they are prompted to approve an authentication event on that phone. Easy. However, that convenience and ubiquity come with a tradeoff. Push apps, while better than nothing, introduce some important security weaknesses, which makes push-based MFA a lock that is easy to install but also easy to bypass.

Push apps are hosted on a user’s phone. Users are people, after all, and they want to be able to use their phones when they need to. When the phone is inundated with unexpected push requests triggered by an attacker who already holds the user’s password, it is only a matter of time before the user just wants the notifications to stop. Even savvy users who ignore the unwanted requests might fall victim to a social engineering scheme in which the attacker poses as IT or help desk personnel and asks the user to approve the push request to “fix an issue” and stop the notifications. At this point, psychology kicks in: the user wants their phone back, and the attacker’s request may seem like a reasonable way of achieving that. Security awareness training alone is unlikely to counteract this scenario, and controls such as number matching and capping the number of pushes per login reduce the exposure without removing it. The better fix is a stronger lock, and one is available.
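The pattern just described, a burst of unanswered or denied pushes followed by a single approval, is also something a security operations team can hunt for in MFA provider logs. The following is an added example, not code from the original post or from Axiad: a small push-bombing detector run over constructed JSON-lines push events. The log format, field names (`ts`, `user`, `result`, `ip`), the ten-minute window and the threshold of five are assumptions to adapt to your provider’s export.

```javascript
// Added example (not from the original post or Axiad): a push-bombing detector run
// over constructed MFA push logs. The JSON-lines format, field names and thresholds
// are assumptions; adapt them to your provider's export.
const SAMPLE_PUSH_LOG = [
  // alice: six unanswered/denied pushes in under eight minutes, then an approval
  '{"ts":"2022-09-15T02:11:04Z","user":"alice","result":"timeout","ip":"203.0.113.7"}',
  '{"ts":"2022-09-15T02:12:30Z","user":"alice","result":"timeout","ip":"203.0.113.7"}',
  '{"ts":"2022-09-15T02:13:55Z","user":"alice","result":"denied","ip":"203.0.113.7"}',
  '{"ts":"2022-09-15T02:15:10Z","user":"alice","result":"timeout","ip":"203.0.113.7"}',
  '{"ts":"2022-09-15T02:16:42Z","user":"alice","result":"timeout","ip":"203.0.113.7"}',
  '{"ts":"2022-09-15T02:18:20Z","user":"alice","result":"timeout","ip":"203.0.113.7"}',
  '{"ts":"2022-09-15T02:19:30Z","user":"alice","result":"approved","ip":"203.0.113.7"}',
  // bob: a normal day with one mis-tapped denial
  '{"ts":"2022-09-15T10:00:00Z","user":"bob","result":"approved","ip":"198.51.100.20"}',
  '{"ts":"2022-09-15T10:00:45Z","user":"bob","result":"denied","ip":"198.51.100.20"}',
  '{"ts":"2022-09-15T15:30:00Z","user":"bob","result":"approved","ip":"198.51.100.20"}',
].join('\n');

// One JSON object per line; adds a numeric timestamp `t` for window arithmetic.
function parsePushLog(text) {
  return text.split('\n').filter((l) => l.trim()).map((line) => {
    const e = JSON.parse(line);
    return { ...e, t: Date.parse(e.ts) };
  });
}

// Flags any user with at least `threshold` pushes that were not approved inside a
// sliding window of `windowMs`, and records whether an approval followed within
// the same window (the "user gave in" signal that turns a nuisance into a compromise).
function detectPushBombing(events, { windowMs = 10 * 60 * 1000, threshold = 5 } = {}) {
  const byUser = new Map();
  for (const e of events) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e);
  }
  const alerts = [];
  for (const [user, list] of byUser) {
    list.sort((a, b) => a.t - b.t);
    const unapproved = list.filter((e) => e.result !== 'approved');
    let start = 0;
    let best = null;
    for (let end = 0; end < unapproved.length; end++) {
      while (unapproved[end].t - unapproved[start].t > windowMs) start++; // slide the window forward
      const count = end - start + 1;
      if (count >= threshold && (!best || count > best.count)) best = { start, end, count };
    }
    if (!best) continue;
    const last = unapproved[best.end];
    const approvedAfter = list.some((e) => e.result === 'approved' && e.t > last.t && e.t - last.t <= windowMs);
    const sourceIps = [...new Set(unapproved.slice(best.start, best.end + 1).map((e) => e.ip))];
    alerts.push({ user, count: best.count, firstTs: unapproved[best.start].ts, lastTs: last.ts, approvedAfter, sourceIps });
  }
  return alerts;
}

console.log(detectPushBombing(parsePushLog(SAMPLE_PUSH_LOG)));
```

An alert with `approvedAfter: true` is the one to treat as a probable account takeover rather than a nuisance. The `sourceIps` field is worth comparing against the user’s usual locations, since the pushes are triggered by the attacker’s own password logins, not by the victim.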

Phishing-resistant MFA – The Top-secret Lock

We’ve all seen the movies where the hero is confronted by a seemingly impossible-to-crack door and must get to the other side. The locks may involve a PIN, a biometric sensor or a keycard, and they are always tricky for the hero to navigate. It’s the movies, so the hero always finds a way in. Outside the movies, these locks are difficult or impossible to breach, and in our MFA scenario we’re focused on keeping the attackers out.

Phishing-resistant MFA is this complicated lock, and it is backed by asymmetric cryptography. The authenticator (a security key, or a platform authenticator backed by a TPM or secure enclave) generates a private key that never leaves the device, and only the matching public key is registered with the service. At login the service sends a fresh challenge, the authenticator signs it together with the origin of the site the browser is actually talking to, and the service checks that signature with the public key. The math keeps lock and key in sync without the end user having to do anything, and it leaves the attacker little to work with: there is no push prompt to bombard, because the exchange is initiated by the user, and there is nothing reusable to steal, because a signed response is bound to one challenge and one origin and is useless to a look-alike site. This provides a simple, secure experience and a more advanced lock.

Moving Towards a Better Lock

Axiad Conductor provides the tools organizations need to upgrade their locks to a secure, phishing-resistant experience. Unlike approaches that are carried out in silos across multiple authentication methods, identity types, use cases and existing IAM systems, Axiad allows customers to enhance their authentication practices without the friction and risk of fragmented solutions. By delivering a complete and holistic solution, Axiad helps organizations systematically authenticate all people, devices and operating systems, regardless of underlying IT complexity. This integrated approach helps organizations become more phishing resistant, helps prevent ransomware attacks and account takeovers, and is a critical step towards implementing a Zero Trust architecture.

Original content from September 2022, updated in August 2025:
Identity threats haven’t slowed down—and neither have we. Since publishing this post, Axiad has expanded our platform to cover the full identity lifecycle with Axiad Confirm for continuous identity proofing, Axiad Conductor for automated credential lifecycle management, and Axiad Mesh for real-time identity risk intelligence. We also achieved FedRAMP® Authority to Operate (ATO) at the Moderate Impact Level, enabling federal agencies and contractors to deploy phishing-resistant MFA with speed and confidence.

For the latest insights and resources, visit our Axiad Resource Center.

FAQs

  1. What is FedRAMP®? The Federal Risk and Authorization Management Program (FedRAMP) is a governmentwide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
  2. What multi-factor authentication (MFA) is phishing resistant? According to CISA, FIDO/WebAuthn authentication and public key infrastructure (PKI)-based authentication are the only widely available phishing-resistant MFA methods today.
  3. What is identity proofing? Identity proofing is the process of validating and verifying a person's identity. Typically a government-issued document, such as a driver's license or passport, is used in the process.
  4. What is MFA fatigue? Multi-factor authentication (MFA) fatigue is the wearing-down of users by repeated authentication prompts, such as push notifications or one-time password (OTP) entry. Attackers exploit it by flooding a victim whose password they already hold with push requests until the victim approves one just to make the prompts stop.