Implementing multi-factor authentication (MFA) is an excellent strategy to strengthen the security of your online accounts, but sophisticated phishing attacks can bypass MFA. So consider adopting a strong phishing-resistant MFA method to fight modern phishing campaigns.

How is traditional MFA susceptible to phishing attacks? What is a phishing-resistant MFA solution, and how can it prevent phishing attacks?

What Is Multi-Factor Authentication?

As the term suggests, multi-factor authentication requires you to present two or more verification factors to access your accounts.

A factor in an authentication process is a means of verifying your identity when you are trying to log in.

The most common factors are:

  • Something you know: a password or a PIN you remember
  • Something you have: a secure USB key or a smartphone you have
  • Something you are: your facial recognition or fingerprint

Multi-factor authentication adds extra layers of security to your accounts. It's like adding a second or third lock to your locker.

In a typical multi-factor authentication process, you will enter your password or PIN first. Then, you may receive the second factor on your smartphone. This second factor can be an SMS or a notification in an authenticator app. Depending on your MFA settings, you may also be required to verify your identity through biometrics.

There are many reasons to use multi-factor authentication, but can it resist phishing completely?

Unfortunately, the answer is "no."

Cyber Threats to Multi-Factor Authentication


Though MFA methods are safer than single-factor authentication methods, threat actors can exploit them using various techniques.

Here are some ways hackers can bypass MFA.

Brute-Force Attacks

If hackers have your login credentials and you have set a 4-digit PIN as the second factor, they can carry out brute-force attacks to guess the PIN and bypass multi-factor authentication.

SIM Hacking

These days, threat actors use techniques like SIM swapping, SIM cloning, and SIM jacking to hack your SIM card. Once they have control over your SIM, they can easily intercept an SMS-based second factor, compromising your MFA mechanism.

MFA Fatigue Attacks

In an MFA fatigue attack, a hacker bombards you with a barrage of push notifications until you give in. Once you approve the sign-in request, the hacker can access your account.

Adversary in the Middle Attacks

Hackers can use AiTM frameworks like Evilginx to intercept both login credentials and the second factor token. Then they can log in to your account and do any nasty thing that takes their fancy.

Once you complete the multi-factor authentication process, a browser cookie is created and kept for your session. Hackers can extract this cookie and use it to start a session in another browser on a different system.

Phishing

Phishing, one of the most common social engineering tactics, is often employed to access the second factor when the threat actor already has your username and password.

For example, you use a software-as-a-service (SaaS) vendor, and your login credentials are compromised. A hacker will call (or email) you posing as your SaaS vendor to request the second factor for verification. Once you share the verification code, the hacker can access your account. And they can steal or encrypt data affecting you and your vendor.

These days, hackers employ advanced phishing techniques. So watch out for phishing attacks.

What Is Phishing-Resistant MFA?

Phishing-resistant MFA is not susceptible to all kinds of social engineering, including phishing attacks, credential stuffing attacks, Man-in-the-Middle attacks, and more.

As humans are at the center of social engineering attacks, phishing-resistant MFA removes the human element from the authentication process.

To be considered a phishing-resistant MFA mechanism, the authenticator should be cryptographically bound to the domain. And it should recognize a fake domain created by a hacker.

The following is how the phishing-resistant MFA technology works.

Create Strong Binding

In addition to registering your authenticator, you will complete a cryptographic registration, including identity proofing, to create a strong binding between your authenticator and identity provider (IDP). This will enable your authenticator to identify fake websites.

Make Use of Asymmetric Cryptography

A solid binding of two parties based on asymmetric cryptography (public-key cryptography) eliminates the need for shared secrets like passwords.

To start a session, both keys (the public key and the private key) are required. Hackers cannot authenticate as the private key is stored safely in a hardware security key and never leaves it.

Respond to Only Valid Authentication Requests

Phishing-resistant MFA responds to only valid requests. All attempts impersonating legitimate requests will be thwarted.

Verify Intent

Phishing-resistant MFA must validate user intent by prompting the user to take an action that shows they are actively authenticating this particular sign-in request.

Why You Should Implement Phishing-Resistant MFA

Adopting phishing-resistant MFA offers multiple benefits. It eliminates the human element from the equation. As the system can automatically spot a fake website or an unauthorized authentication request, it can prevent all types of phishing attacks aimed at tricking users into giving away login credentials. Consequently, phishing-resistant MFA can prevent data breaches in your company.

What's more, a good phishing-resistant MFA, like the latest FIDO2 authentication method, improves user experience. This is because you can use biometrics or easy-to-implement security keys to access your accounts.

Last but not least, phishing-resistant MFA boosts the security of your accounts and devices, thereby improving the cybersecurity posture of your company.

The US Office of Management and Budget (OMB) issued the Federal Zero Trust Strategy document, which requires federal agencies to use only phishing-resistant MFA by the end of 2024.

So you can understand that phishing-resistant MFA is critical for cybersecurity.

How to Implement Phishing-Resistant MFA


According to the State of Secure Identity Report prepared by Okta's Auth0 team, MFA bypass attacks are on the rise.

As phishing is the leading attack vector in identity-based attacks, implementing phishing-resistant multi-factor authentication can help you secure your accounts.

FIDO2/WebAuthn Authentication is a widely used phishing-resistant authentication method. It allows you to use common devices to authenticate in mobile and desktop environments.

FIDO2 authentication offers strong security through cryptographic login credentials unique to each website. And login credentials never leave your device.

What's more, you can use built-in features of your device, such as a fingerprint reader, to unlock the cryptographic login credentials.

You can check FIDO2 products to select the right product to implement phishing-resistant MFA.

Another way to implement phishing-resistant MFA is to use public key infrastructure (PKI) based solutions. PIV smart cards, credit cards, and e-Passports use this PKI-based technology.

Phishing-Resistant MFA Is the Future

Phishing attacks are increasing, and implementing only traditional multi-factor authentication methods doesn't offer protection from sophisticated phishing campaigns. So implement phishing-resistant MFA to prevent hackers from taking over your accounts.