kras99 -


Traditional MFA isn't enough, phishing-resistant MFA is key

Not every MFA technique is effective in combating phishing attacks. Enterprises need to consider new approaches to protect end users from fraudulent emails.

Phishing attacks are growing, both in numbers and the damage they do.

These campaigns cost $4.76 million on average for targeted organizations, according to the "IBM Cost of a Data Breach Report 2023." Cybersecurity services company AAG IT Services reported as many as 3.4 billion phishing emails are sent each day by cybercriminals trying to trick end users into revealing sensitive data and personal information they can later exploit. In response, enterprises have added more and better cybersecurity awareness training programs to their rosters to help educate end users about insidious threats.

Between end-user fallibility and attacker ingenuity, however, employee training can only go so far. Technology such as MFA is, therefore, key in preventing phishing attacks. Yet, traditional MFA has been proven weak. Now, phishing-resistant MFA is entering the picture, with authentication techniques, such as Web Authentication (WebAuthn) and public key infrastructure (PKI)-based MFA, that can stop MFA bypass attacks.

MFA isn't strong enough

MFA has played an important part in the fight against phishing by making it more difficult for malicious hackers to employ end users' login credentials for their gain. But the technique, in which users are required to provide two or more factors to prove they have access rights to a resource, is not a magic bullet.

In fact, some MFA implementations are simply ineffective. For example, some are susceptible to cyberthreats, such as push bombing, in which cyberattackers push out a high volume of notifications to end users requesting they enter their credentials. Threat actors then use these legitimate credentials to gain initial access to victims' networks and then send a second factor to their own smartphone or other device to gain complete access.

SIM swap attacks are another phishing concept that outsmarts some MFA systems. Also referred to as simjacking, SIM swap attacks tap the mobile operators' number porting functions to take over accounts when the second control -- a call or text message to the user's mobile device -- is sent.

Enter phishing-resistant MFA

Phishing-resistant MFA is exactly what it sounds like: using authentication methods that are resistant to MFA bypass attacks, such as push bombing and SIM swapping.

CISA, which calls phishing-resistant MFA the "gold standard" of phishing protection, issued guidelines urging enterprise IT security staff to implement phishing-resistant MFA to better protect against these campaigns. The agency cited two MFA techniques in particular:

  1. WebAuthn uses the Fast IDentity Online (FIDO) 2 antiphishing authenticator and is deployed as a discrete physical token that connects to a device through a USB, through near-field communication or by being built into a device as a platform. FIDO authentication also can use other factors beyond the "something you have" device -- for example, PIN codes and biometrics.
  2. PKI-based MFA, which works with an enterprise's PKI system, applies several different form factors, including smart cards. While systems that apply PKI can deliver solid protections against phishing and other threats, they also demand sophisticated identity management practices. Moreover, the approach might not support some widely used services and infrastructure.

Phishing-resistant MFA is an important step toward implementing an effective zero-trust architecture. Yet, despite its benefits, phishing-resistant MFA poses the following deployment challenges:

  • Legacy systems might not work with phishing-resistant MFA systems.
  • End users require additional training, which might not scale well in some organizations.
  • End users might not welcome being asked to submit new factors to access resources or might worry phishing-resistant MFA causes bad UX.

That said, enterprises need to seriously consider phishing-resistant MFA to stave off what are increasingly harmful -- and expensive -- phishing campaigns. Making this effort should be a priority for all organizations.

Amy Larsen DeCarlo has covered the IT industry for more than 30 years, as a journalist, editor and analyst. As principal analyst at GlobalData, she covers managed security and cloud services.

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing