Why Phishing-Resistant MFA is Critical in 2023, And How CBA Can Help

January 4, 2023

Phishing-resistant MFA is critical in today’s world, and the industry knows it: In a recent survey conducted by Censuswide, one out of every two senior security and IT executives said that becoming more phishing resistant was their top cybersecurity priority for 2023.

The reasons for this steadfast focus on preventing phishing-related incidents are numerous.  In IDSA’s 2022 Trends in Securing Digital Identities report, it was reported that:

“An alarming 84% said their organization had experienced an identity-related breach in the past year. When asked what kind of breach, the most common answer was phishing attacks (59%), whether broad-based attacks or spear phishing.”

It’s not just that the number of phishing-related attacks is increasing; the concern also stems from the fact that they can be highly effective.  CISA recently noted that 80% of organizations had at least one individual who fell victim to a phishing attempt by CISA Assessment teams.  That’s why there is a long list of successful breaches reported in 2022, including Twilio, Acorn Financial Services, Mailchimp, and more.

If fear of phishing alone isn’t enough incentive, outside parties are also starting to place pressure on organizations to take steps that will mitigate the risk of phishing attacks.  Probably the best known is the January 2022 memorandum from the U.S. White House Office of Management and Budget (OMB), which addressed the concept of phishing resistance 23 times – in just 29 pages of total text.  Even CISA stated in an October 2022 advisory that it “strongly urges all organizations to implement phishing-resistant MFA to protect against phishing and other known cyber threats.”

Cyber insurance providers are also placing greater emphasis on becoming more phishing aware as we enter 2023, with many reporting that a key to lower insurance rates is taking proactive measures to address the wide range of phishing tools and techniques that are currently in practice.

Add all of this up, and it’s easy to see why 2023 will be the year of phishing-resistant MFA and other initiatives to fight phishing.


Not All Roads Lead to Greater Phishing Resilience

Most security and IT executives are well aware of the risk presented by phishing assaults, but confusion still remains on how to best protect yourself.  Here are two common misconceptions on what might act as a panacea against phishing:

  • Multi-Factor Authentication (MFA): Some believe that MFA alone protects them against such attacks. Unfortunately, not all MFA is phishing resistant.  As more businesses deploy MFA, phishers are modernizing their tactics as well. Two common methods of bypassing MFA are SIM swapping and man-in-the-middle attacks. SMS text messages can be read via a SIM swapping attack, in which a remote attacker takes over a victim’s phone communications through social engineering, without needing physical access to the device; the attacker then receives the verification code as it is sent.  In a man-in-the-middle attack, the attacker intercepts web traffic and inserts fraudulent, lookalike login pages that not only accept the user’s credentials but also relay the MFA step, capturing the resulting access.
  • Identity and Access Management (IAM): Others believe that they will be protected because they have an IAM solution in place that has phishing resistance built in. Unfortunately, that isn’t always the case.  Many of these solutions – particularly legacy solutions – leverage MFA capabilities that can be compromised by the attacks described above. But even if you have phishing resistance built into one of your IAM systems, do you have it built into (and across) all of them?  In a recent survey, it was found that 70% of organizations use 3 or more IAM systems across their organization, and more than half use 4 or more.  Taking a siloed approach to authentication yields gaps and inconsistencies that can lead to unexpected phishing exposure.
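To make the difference concrete, here is an added example in Go (not Axiad’s code, and it goes beyond what the post itself describes) that models why a lookalike login page can relay a one-time code but not a certificate-based signature: the token signs the origin it is actually connected to, the way the client signature in TLS client authentication covers the handshake. The origins login.example.com and login-example.com, the nonce handling, and the hash-based transcript are assumptions of this toy model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// transcript models what a certificate-based client signs: not a bare nonce but
// the identity of the server it is actually connected to plus that server's fresh
// nonce (TLS client authentication signs the handshake). Origins are constructed.
func transcript(origin string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator between origin and nonce
	h.Write(nonce)
	return h.Sum(nil)
}

// ClientSign is the smart card or hardware token signing the transcript of the
// connection the user really has, whatever page they believe they are on.
func ClientSign(priv ed25519.PrivateKey, origin string, nonce []byte) []byte {
	return ed25519.Sign(priv, transcript(origin, nonce))
}

// ServerVerify is the genuine relying party checking against its own origin
// and the nonce it issued.
func ServerVerify(pub ed25519.PublicKey, origin string, nonce, sig []byte) bool {
	return ed25519.Verify(pub, transcript(origin, nonce), sig)
}

// OTPVerify shows the contrast: an SMS or app code is a bearer value, so one
// read from a swapped SIM or typed into a lookalike page verifies anywhere.
func OTPVerify(expected, presented string) bool { return expected == presented }

// LookalikeRelayAccepted models the post's lookalike-page scenario: the user signs
// on the lookalike origin and that signature is presented to the real origin.
func LookalikeRelayAccepted(pub ed25519.PublicKey, priv ed25519.PrivateKey, nonce []byte) bool {
	sig := ClientSign(priv, "login-example.com", nonce) // lookalike origin
	return ServerVerify(pub, "login.example.com", nonce, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	nonce := make([]byte, 32)
	rand.Read(nonce)
	fmt.Println("OTP accepted when relayed:", OTPVerify("482913", "482913"))
	fmt.Println("CBA accepted when relayed:", LookalikeRelayAccepted(pub, priv, nonce))
}
```

The real server rejects the relayed signature because the transcript it reconstructs names its own origin, not the lookalike’s, while the bearer code passes unchanged.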


Join the Resistance with Certificate-Based Authentication (CBA)

If you’ve read this far, then it is likely that you too are looking ahead to 2023 as the year to prioritize phishing resistance.  But beware, if you are relying on antiquated MFA approaches or have multiple IAM systems in place, as mentioned, then you may come up short in your bid to enhance your organization’s cybersecurity posture.

Enter certificate-based authentication.  CBA is a more secure, phishing-resistant form of MFA that is increasingly being deployed in enterprises and the public sector.  It uses a strong token such as a smart card or hardware device for authentication, and it streamlines the process of authenticating users with a variety of tokens while improving overall protection.

Equally important, CBA allows you to extend the capabilities of your existing IAM systems to provide passwordless, phishing-resistant MFA for every user.  And because CBA can overlay multiple IAM systems, use cases, and operating systems – including Microsoft Windows, Apple OS, and Linux – it can help organizations be more consistent and systematic in how they authenticate, which naturally delivers additional protection by eliminating inconsistencies that can be exploited by bad actors.

In addition to bolstering security, certificate-based authentication also delivers operational and end-user benefits that are critical for organizations that need to manage the bottom line and avoid business disruption.  This can include streamlining workflows to roll out and to manage credentials across their lifecycle and enabling end users to provision and reset credentials without IT involvement.

The demand for certificate-based authentication is increasing at such a pace that even Microsoft joined the party in October 2022 by announcing support for Azure AD certificate-based authentication, a part of Microsoft Entra.


About Axiad’s CBA for IAM Offering

Axiad’s CBA for IAM is a turnkey SaaS offering that supports a wide range of smart cards and hardware devices (such as YubiKey) without requiring a Trusted Platform Module (TPM). This combination of packaging and flexibility overcomes the organizational barriers to adoption described above.  It supports Microsoft’s initiative to make it easy for Azure users to implement phishing-resistant MFA and ensures a seamless migration from legacy infrastructure to the cloud.  For more information about Axiad’s Certificate-Based Authentication for IAM offering, visit Axiad’s product page.

About the author
Joe Garber