Multifactor authentication can bear weaknesses that render its efficacy moot. A common response and answer to the most problematic forms of MFA, though the details are limited at best, is phishing-resistant MFA.
The qualifier, phishing resistant, is broadly defined as modes of authentication that rely on cryptographic techniques, such as an asymmetric pair of private and public keys, the Web Authentication API (WebAuthn) specification, biometrics or the FIDO2 standard.
In practice, phishing-resistant MFA is about getting away from the use of one-time passcodes that are primarily sent via text message or email.
Threat actors routinely evade these variants of MFA, which cybersecurity professionals describe as broken but still better than single-factor authentication.
“Phishing, by definition, requires user interaction. Therefore, MFA that minimizes or removes user interaction altogether are the most phishing resistant,” Sounil Yu, CISO and head of research at JupiterOne, said via email.
Advanced controls such as a device certificate that validates access on an authorized device, origin binding and hardware security keys can eliminate forms of phishing seen in other types of MFA, Yu said.
Taking people out of the authentication equation
While phishing-resistant MFA aims to avoid identity-based attacks, it’s important to note nothing in cybersecurity is foolproof. As such, organizations shouldn’t conflate resistance with infallibility.
“Users will always be a key staple of an organization’s security, but they aren’t the only tool. Organizations that rely on users to prevent phishing attacks will fail,” Corvus Insurance CISO Jason Rebholz said via email.
Recent phishing attacks against Twilio, Cisco, Uber and others were ultimately successful because a human was involved and got duped by threat actors.
“The latest round of phishing attacks strengthens the business case for biometric safeguards, which are more difficult to bypass or manipulate in relation to email or text MFA steps,” said Ron Westfall, senior analyst and research director at Futurum Research.
The many flavors of phishing-resistant MFA
Phishing-resistant MFA, like many modern cybersecurity practices, falls under the umbrella of zero-trust principles and architecture.
Digital Identity Guidelines from the National Institute of Standards and Technology establishes three authenticator assurance levels. The highest level, AAL3, requires hardware-based keys with cryptographic protocols.
FIDO2 and WebAuthn authentication via hardware-based keys are among the most commonly cited forms of phishing-resistant MFA under level three.
Both standards aim to replace passwords via strong cryptography tied to an external authenticator such as a USB security key, a device in the user’s possession or credential management APIs.
However, those outcomes must be configured and only work when the preferred standard for authentication is universally supported.
These more secure protocols require “tokens based solely on what a user has, instead of something they know,” Daniel Thanos, VP and head of Arctic Wolf Labs, said via email.
Other forms of phishing-resistant MFA include browsers that support biometric tokens or physical security keys, and authentication requests that are cryptographically signed and unique to the originating domain.
While authentication standards could be further refined, the reality is many organizations don’t implement MFA at all and this leaves them wide open to data breaches, Thanos said.
Most organizations are at NIST’s authentication level one (password only), level two (MFA), or a mixture of both, Thanos said.
Every federal agency is required to use phishing-resistant MFA, following guidance from the Cybersecurity and Infrastructure Security Agency and NIST, by fiscal year 2024.
Phishing-resistant MFA doesn’t eliminate phishing, but it significantly increases hurdles for attackers, Rebholz said.
Therein lies the more realistic goal for cybersecurity at large — every layer of protection could be the barrier that defends an organization against attack.
“Defenders cannot assume the identity system works perfectly at all times,” Peter Firstbrook, research VP at Gartner, said via email. “We have to assume failure and prepare for these types of bypasses, rather than keep searching for the perfect authentication method.”