Phishing attacks are growing, both in numbers and the damage they do.
These campaigns cost targeted organizations $4.76 million on average, according to the 2023 "IBM Cost of a Data Breach Report." Cybersecurity services company AAG IT Services reported as many as 3.4 billion phishing emails are sent each day by cybercriminals trying to trick end users into revealing sensitive data and personal information they can later exploit.
The end user is a clear point of vulnerability. In response, enterprises have added more and better cybersecurity awareness training programs to their rosters to help educate end users about insidious threats, including extensive information on how to prevent phishing attacks. These efforts are showing strong results. According to security vendor Proofpoint's "State of the Phish Report," 44% of employees surveyed said they were familiar with phishing schemes, a 9% jump from 2019. But the survey also revealed the same number -- 44% -- don't realize that just because an email appears to be from a reputable brand doesn't mean it isn't a phishing scam.
Employee training can only go so far, however. Technology such as multifactor authentication (MFA) is key to preventing phishing attacks. Yet traditional MFA has proven weak. Now, phishing-resistant MFA is entering the picture.
MFA isn't strong enough
MFA has played an important part in the fight against phishing by making it more difficult for malicious hackers to employ end users' login credentials for their gain. But the technique, in which users are required to provide two or more factors to prove they have access rights to a resource, is not a magic bullet.
In fact, some MFA implementations are simply ineffective. For example, some are susceptible to cyberthreats such as push bombing, in which attackers flood end users with a high volume of authentication notifications requesting that they enter their credentials. Threat actors then use these legitimate credentials to gain initial access to victims' networks and have the second factor sent to their own smartphone or other device to gain complete access.
SIM swap attacks are another phishing technique that outsmarts some MFA systems. Also referred to as simjacking, SIM swaps exploit mobile operators' number porting functions to take over accounts when the second factor -- a call or text message to the user's mobile device -- is sent.
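Push bombing, as described above, leaves a recognizable trace in authentication logs: a burst of push challenges for one account in a short window, often followed by an approval. The following is an added detection example written for this article, not code from any vendor or from the author; the log format, field names and thresholds (five pushes within five minutes) are assumptions, and the log lines are constructed for the demo.

```javascript
// Added example: flag push-bombing patterns in MFA authentication logs.
// The line format ("<ISO timestamp> user=<name> event=<type>") and the
// event names push_sent / push_denied / push_approved are assumptions.
const SAMPLE_LOG = [                                     // constructed sample
  '2024-05-01T09:00:01Z user=alice event=push_sent',
  '2024-05-01T09:00:40Z user=alice event=push_denied',
  '2024-05-01T09:01:02Z user=alice event=push_sent',
  '2024-05-01T09:01:30Z user=alice event=push_sent',
  '2024-05-01T09:02:05Z user=alice event=push_sent',
  '2024-05-01T09:02:44Z user=alice event=push_sent',
  '2024-05-01T09:03:10Z user=alice event=push_approved', // fatigue approval
  '2024-05-01T09:10:00Z user=bob event=push_sent',
  '2024-05-01T09:10:20Z user=bob event=push_approved',   // normal login
  'garbage line that does not parse',
];

// Parse one log line into { ts (ms since epoch), user, event }, or null.
function parseLine(line) {
  const m = line.match(/^(\S+)\s+user=(\S+)\s+event=(\S+)$/);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  return Number.isNaN(ts) ? null : { ts, user: m[2], event: m[3] };
}

// Sliding-window rule: minPushes or more push_sent events for the same user
// within windowMs is a burst; an approval within windowMs after the burst
// is the case a defender most wants to see (likely MFA fatigue).
function detectPushBombing(lines, { windowMs = 5 * 60 * 1000, minPushes = 5 } = {}) {
  const byUser = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;                       // skip unparseable lines
    if (!byUser.has(rec.user)) byUser.set(rec.user, []);
    byUser.get(rec.user).push(rec);
  }

  const findings = [];
  for (const [user, events] of byUser) {
    events.sort((a, b) => a.ts - b.ts);
    const sends = events.filter((e) => e.event === 'push_sent');
    let lo = 0;
    for (let hi = 0; hi < sends.length; hi++) {
      while (sends[hi].ts - sends[lo].ts > windowMs) lo++;   // shrink window
      const count = hi - lo + 1;
      if (count < minPushes) continue;
      const burstEnd = sends[hi].ts;
      const approvedAfterBurst = events.some((e) =>
        e.event === 'push_approved' && e.ts >= burstEnd && e.ts - burstEnd <= windowMs);
      findings.push({
        user,
        pushes: count,
        windowStart: new Date(sends[lo].ts).toISOString(),
        approvedAfterBurst,
      });
      break;                                   // one finding per user is enough here
    }
  }
  return findings;
}

console.log(detectPushBombing(SAMPLE_LOG));
```

Run with `node` and the output names alice as the only flagged account, with `approvedAfterBurst: true`; bob's single push and approval is a normal login and is not reported. Raising `minPushes` or shortening `windowMs` tunes the rule to an environment's normal push volume.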
Enter phishing-resistant MFA
Phishing-resistant MFA is exactly what it sounds like: using authentication methods that resist MFA bypass attacks, such as push bombing and SIM swapping.
CISA, which calls phishing-resistant MFA the "gold standard" of phishing protection, issued guidelines urging enterprise IT security staff to implement phishing-resistant MFA to better protect against these campaigns. The agency cited two MFA techniques in particular:
- WebAuthn uses the Fast IDentity Online (FIDO) 2 antiphishing authenticator and is deployed as a discrete physical token that connects to a device through USB or near-field communication, or is built into a device as a platform authenticator. FIDO authentication can also use factors beyond the "something you have" device, such as PIN codes and biometrics.
- Public key infrastructure-based MFA, which works with an enterprise's PKI system, comes in several different form factors, including smart cards. While systems that apply PKI can deliver solid protection against phishing and other threats, they also demand sophisticated identity management practices. Moreover, the approach might not support some widely used services and infrastructure.
Phishing-resistant MFA is an important step toward implementing an effective zero-trust architecture. Yet, despite its benefits, phishing-resistant MFA poses the following deployment challenges:
- Legacy systems might not work with phishing-resistant MFA systems.
- End users require additional training, which might not scale well in some organizations.
- End users might not welcome being asked to submit new factors to access resources, or might worry that phishing-resistant MFA causes bad UX.
That said, enterprises need to seriously consider phishing-resistant MFA to stave off what are increasingly harmful -- and expensive -- phishing campaigns. Making this effort should be a priority for all organizations.
Amy Larsen DeCarlo has covered the IT industry for more than 30 years, as a journalist, editor and analyst. As principal analyst at GlobalData, she covers managed security and cloud services.