What Is Phishing-Resistant MFA?
Ryan Rowcliffe, Field CTO, HYPR
5 Min. Read | May 12, 2022
Phishing, despite its somewhat innocuous name, remains one of the foremost security threats facing businesses today. Improved awareness by the public and controls such as multi-factor authentication (MFA) have failed to stem the tide. Sheer numbers of attacks and more sophisticated and effective techniques put phishing and its variants (spear phishing, smishing, vishing) as the top cybercrime for the last three years, according to the FBI Internet Crime Report. The threat from phishing has become so great that federal agencies are required to implement phishing-resistant MFA by 2024.
So, what is phishing-resistant MFA and how does it differ from traditional MFA? In this article, find phishing-resistant definitions and use cases, and learn why it’s the safest option for organizations.
Phishing-Resistant MFA Overview
Phishing-resistant authentication does not use shared secrets at any point in the login process, eliminating the attacker's ability to intercept and replay access credentials and hardening the authentication process so that it cannot be compromised by even the most sophisticated phishing attacks. Passwordless MFA based on FIDO standards is considered the gold standard for phishing-resistant authentication by the OMB and other bodies.
Phishing-resistant MFA is based on public/private key cryptography and follows the guidelines published by the OMB in its M-22-09 Federal Zero Trust Strategy memorandum and the requirements for “verifier impersonation resistance” outlined by the National Institute of Standards and Technology (NIST) in SP 800-63-3.
Phishing-Resistant MFA vs. Traditional MFA
Multi-factor authentication requires at least two independent factors, something you know (e.g., password, PIN, security question) , something you have (e.g., OTP code, device), something you are (e.g., fingerprint or other biometric marker). Phishing-resistant MFA removes the vulnerabilities that undermine traditional MFA, including any use of a “something you know”’ factor as these are the target of the majority of phishing attacks.
Unfortunately, the most common second factor in traditional MFA is “something you have” in the form of an SMS or OTP. These verification methods are also highly vulnerable to phishing, MitM interception and other attacks. In order for MFA to resist phishing, it cannot use SMS, OTPs or identification attempts through voice calls or interceptable push notifications.
Phishing-resistant MFA does not use any of these weaker authentication factors. It uses a strong possession factor in the form of a private cryptographic key (embedded at the hardware level in a user owned device) and strong user inherence factors such as touch or facial recognition. Equally important, the backend authentication process does not require or store a shared secret.
The State of Counter-Phishing Efforts
Phishing plays a role in various types of attacks. Per the Verizon Data Breach Investigation Report, phishing accounted for 36% of data breaches in 2021 — a significant increase from 25% in 2020. It’s also a key initial attack vector in credential stealing, allowing hackers to initiate fraudulent transactions, deliver malware including infostealers and ransomware and gain an authenticated foothold from which they can move laterally within the system.
In total, accounting for costs ranging from ransomware and lost productivity to malware clean-up and lost consumer trust, phishing costs organizations an average of $15 million annually (or $1,500 per employee.) Unfortunately, the go-to mitigation to prevent phishing, namely adding traditional MFA, have proven inadequate. Sometimes they are even used as part of the attack itself.
Most multi-factor authentication solutions feature a password as one of the verification factors. The additional authentication factor generally is a one-time password (OTP) sent by voice, SMS or email, or a push notification via an authenticator app that the user must accept. Today, automated phishing kits that can circumvent these methods are readily available to hackers. Cybersecurity experts claim that over 90% of all multi-factor authentication is phishable. Due to these MFA vulnerabilities and the threat posed by phishing, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Government Office of Management and Budget (OMB), as mentioned above, have specifically called for phishing-resistant MFA.
Why Organizations Need Phishing-Resistant MFA
While the need for phishing-resistant MFA has been apparent for some time, and was a key driver for establishing the FIDO Alliance, the work from home shift during the pandemic has kicked this into overdrive. A study by Barracuda Networks found a 667% increase in phishing attacks during the height of the pandemic. Remote workers operate outside secure enterprise network perimeters, often accessing corporate resources on unsecured devices and using apps and services that lack strong authentication.
As phishing attacks have increased, so has the incidence of account takeover (ATO), leading to a number of potential consequences for targeted organizations, including supply chain fraud, data theft and the installation of ransomware and other malware. Attackers can also use the hijacked account of one user to escalate attacks within the organization by sending malicious emails from a trusted user.
Multi-factor authentication has proven ineffective against modern phishing campaigns, which are able to phish both the initial login credentials and the second factor. For example, a phishing message might direct the victim to a proxy website while the attacker acts as a man-in-the-middle to steal both the password and OTP code. This is only one of many tactics cybercriminals use to compromise multi-factor authentication that uses OTPs or SMS. Others include running legitimate versions of websites on their own servers, using robocalls to convince users to hand over codes and SIM-swapping, so messages are sent to an attacker’s phone.
The skyrocketing number of phishing attacks in general, accompanied by sophisticated tactics that can circumvent common authentication checks, means that phishing-resistant MFA is no longer optional. Instead, it is the only choice to keep employees and organizations safe from the vast majority of phishing threats.
HYPR Phishing-Resistant MFA
It’s clear that phishing-resistant MFA is critical, but what does it look like in practice? HYPR’s True Passwordless™ MFA (PMFA) is based on the FIDO standards and provides phishing-resistant authentication from desktop through to cloud applications, no matter where your workforce is located.
HYPR leverages public key cryptography to allow for secure authentication that fully eliminates the use of shared secrets between parties. Just as importantly, the HYPR platform is easy to deploy and makes logins fast and easy for the user. Complicated sign-in processes are one of the biggest reasons that people take shortcuts or use unsafe practices that criminals exploit.
To learn more about passwordless security and phishing-resistant MFA, read our Passwordless 101 guide.
Field CTO, HYPR
Ryan Rowcliffe is a technologist with over 20 years in the information technology industry. He has spent the last 7 focused on Identity Access Management, Multi-Factor Authentication and Passwordless MFA solutions. Ryan loves solving business problems with modern innovation mixed with known solutions.