Key Take Aways from the NIST Commentary on Phishing Resistance

Last week, the National Institute of Standards and Technology (NIST) issued a blog on the importance of implementing phishing-resistant authenticators. As many know, this follows similar input from the White House OMB and Cybersecurity & Infrastructure Security Agency (CISA) last year. The latter of these two examples stated that it “strongly urges all organizations to implement phishing-resistant MFA to protect against phishing and other known cyber threats.”

Three different authorities on cybersecurity lining up behind a single topic – with strong caution and guidance – is meaningful. It tells you that phishing-based attacks aren’t isolated and/or going away anytime soon. There is certainly market data to support this. More than 8 in 10 organizations experienced an identity-related breach in the last year. And in a recent survey, one out of every two senior security and IT executives said that becoming more phishing resistant was their top cybersecurity priority for 2023.

The overall commentary is excellent. But what should an organization do, and what should they take away from the latest commentary? Here are some of our thoughts:

What the NIST Blog Said

The NIST blog suggests that, due to their effectiveness and simplicity, phishing attacks are rapidly increasing among organizations. It outlines the most common forms of phishing:

Impersonated Websites – The use of authenticators at illegitimate websites
Attacker-in-the Middle – When an attacker captures authentication data from the user and relays it to an illegitimate website
User Entry – When authentication data is manually entered, which can be compromised
Replay – The use of captured authentication data at a later point in time

The commentary outlines some of the most-common forms of phishing-resistant authenticators – Personal Identity Verification (PIV) cards and FIDO authenticators paired with W3C’s Web Authentication API – and explains when they should be used.

It closes by underscoring the importance of being prepared for this new attack vector: “In the end, phishing-resistant authenticators are a critical tool in personal and enterprise security that should be embraced and adopted.”

What it Got Right (A Lot)

There is no question that phishing-related attacks are on the rise. What’s equally troubling is that they remain highly effective. CISA recently noted that 80% of organizations had at least one individual who fell victim to a phishing attempt by CISA Assessment teams. That’s why there was a long list of successful breaches that have been reported in 2022, including Twilio, Acorn Financial Services, Mailchimp, and more.

We also agree that the two types of phishing-resistant authenticators they highlight in their blog (again PIV and FIDO) are relevant and applicable. Both are widely available and provide ample protection against these attacks. Both are available from Axiad today.

It also should be noted that there is a newer, simpler form of PIV that is available and equally as effective: Certificate-Based Authentication (CBA). It uses a strong token such as a YubiKey, a virtual smart card or hardware device for authentication, and it streamlines the process of authenticating users with a variety of tokens while delivering on the promise of phishing resistance. The demand for CBA is increasing at such a pace that Microsoft announced in October 2022 its support for Azure AD certificate-based authentication, a part of Microsoft Entra. In addition, Axiad announced the availability of CBA for IAM and a CBA solution for Microsoft Azure Active Directory late last year, which can be added to your IAM infrastructure to achieve phishing-resistant authentication with relative ease.

Looking ahead, FIDO2 is the future of phishing-resistant protection, and work is currently well underway to make this the gold standard of the future. Axiad feels so strongly about this that we just joined the FIDO Alliance Board to help strengthen FIDO deployments and help shape the future of phishing resistance.

What Are the Next Steps

For many, the question is no longer if, but when, they will address the growing problem about phishing-based attacks. The bigger problem for many is how. Many organizations may require both PIV/CBA and FIDO due to varying use cases, and only a handful of solutions in the market can do both at the same time. Moreover, a majority of organizations (70% according to a fall 2022 survey conducted by Axiad and Censuswide) have three or more Identity and Access Management (IAM) systems in place, which security teams rely on for authentication and do not wish to rip-and-replace.

The good news is that Axiad can help. Our Axiad Cloud helps organizations shift from a fragmented to a holistic to approach to authentication, supporting both PIV and FIDO. We also offer CBA for IAM, as mentioned, which can be integrated with an existing IAM system as an add-on feature – delivering a more secure, phishing-resistant form of multi-factor authentication while supplementing what you already have in place. And because CBA can overlay multiple IAM systems, use cases, and operating systems – including Microsoft Windows, Apple OS, and Linux – it can help organizations be more consistent and systematic in how they authenticate, which naturally delivers additional protection by eliminating inconsistencies that can be exploited by bad actors.

The combination of the above not only bolsters security, but it also delivers operational and end-user benefits that are critical for organizations that need to manage the bottom line and avoid business disruption. This can include streamlining workflows to roll out and to manage credentials across their lifecycle and enabling end users to provision and reset credentials without IT involvement.

Links: