Phishing has become a dominant threat. To put the problem in perspective, it’s estimated that 15 billion spam emails are sent across the internet each day, with 83% of organizations reporting phishing attacks in 2021. Successful phishing campaigns can lead to stolen credentials, account takeovers, and ultimately, ransomware attacks.

The good news is that most organizations understand passwords are not secure, and are adopting multi-factor authentication (MFA) as the first step to passwordless.  The bad news?  Many traditional MFA solutions are easily phished.

Given the frequency at which organizations are under attack, it’s not surprising that the U.S. government is taking action.  Earlier this year, the Office of Management and Budget (OMB) issued its Zero Trust Strategy. One key aspect of the document requires federal agencies, contractors and their partners to use only phishing-resistant MFA by the end of 2024. Here’s what you should know:

Not all MFA is created equal

When MFA is deployed, it strengthens credential security because stealing a password isn’t enough to gain access to a site or resource.  Most MFA today uses a combination of “something you know” (a password) and “something you have.”  This often involves the creation of a One Time Password (OTP) which is sent by SMS to the user’s phone or by email.

Unfortunately, as more businesses deploy MFA, phishers are modernizing their tactics. Two common methods to bypass MFA are SIM swapping attacks, and man-in-the-middle attacks.  SMS text messages can be read via a SIM swapping attack, which allows a remote attacker to get into a victim’s phone communications through social engineering, without requiring physical access to the actual device. The hacker is able to successfully gain access to the verification code as it transmits.  For man-in-the-middle attacks, hackers intercept web traffic and insert themselves in the middle with fraudulent, lookalike login pages that not only accept user credentials but also deploy MFA to capture access.

One of the biggest problems with traditional MFA is that users must still remember passwords. With people having so many online accounts today, this often leads to reusing passwords across multiple accounts, which makes it even easier for attackers.

Phishing-resistant MFA

Phishing-resistant MFA is far more secure because it quite simply cannot be compromised, even by sophisticated phishing attacks. This type of MFA does not involve phone calls, additional security questions, magic links, or one time passwords sent by SMS or email, all of which can easily be intercepted by attackers.  So what exactly is phishing-resistant MFA?

The White House is promoting the use of two phishing-resistant technologies, which include the FIDO2 WebAuthn standard and Personal Identity Verification (PIV) smart cards.

• WebAuthn & FIDO2 allows users to rely on devices, such as cell phones, to authenticate to online services in both mobile and desktop environments.  Users unlock cryptographic login credentials with simple built-in methods such as fingerprint readers or cameras on their devices, or by leveraging easy-to-use FIDO security keys.  Users can select the device that best fits their needs.

• PIV smart cards use cryptography based on Public Key Infrastructure (PKI).  They are used government-wide to control access to Federally Controlled Facilities and information systems at the appropriate security level.

The FIDO (Fast IDentity Online) Alliance, which was formed in July 2012 to address the lack of interoperability among strong authentication technologies, is leading the efforts to remedy the issue with passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

How Axiad can help

The transition to phishing-resistant MFA may seem daunting, but it doesn’t have to be.

We can help you learn more about best practices for implementing PKI or FIDO2, and stay abreast of the government’s current and future security requirements.

As a member of FIDO, Axiad is committed to providing users with a simple way to deploy phishing-resistant MFA across the enterprise.  Axiad Cloud provides a single platform that secures people, machines and digital interactions using the widest range of credentials, including FIDO, PKI, mobile MFA, Windows Hello for Business, Yubikeys, smart cards, TPM and biometrics.

With Axiad Cloud, organizations can adopt passwordless MFA seamlessly across the enterprise, simplify the user experience, reduce IT operational costs, and, most importantly, improve security.

Isn’t it time to move away from passwords?