The rise of remote work and digital transformation has increased the share of attacks that begin at the login page. Multi-factor authentication (MFA) is the usual defence against unauthorized access, but not every MFA method holds up against a determined attacker: one-time codes and push approvals can be phished or relayed just as passwords can. For zero-trust access, these phishable factors are being replaced by phishing-resistant authentication methods; MFA itself is not going away, only its weaker forms. To appreciate what makes a method phishing-resistant, it helps to know the vocabulary. Account takeover is when an attacker gains control of a victim's account, usually with the intent of committing fraud. Phishing attacks use social engineering (spoofed messages, lookalike login pages) to trick a user into handing over credentials or other personal data. Man-in-the-Middle (MitM) attacks intercept and/or alter data travelling between two parties; in the login case, a reverse proxy sitting between the user and the real site can relay a password and a one-time code to the real site in real time. Authentication is the process that establishes that a user requesting access to a digital service is in control of valid authenticators.
2FA, or two-factor authentication, requires two different types of factors (something you know, something you have, something you are) to access protected resources; MFA generalizes this to two or more. MFA is considerably stronger than a password alone, but it is not automatically the most secure option for protecting data and applications: a factor the user can be tricked into typing or approving can still be phished. Biometrics are physical or behavioral human characteristics used as an authentication factor. Phishing-resistant MFA is MFA in which the authentication process itself cannot be compromised by phishing. To qualify, a method needs several elements: the authenticator must not rely on a secret the user could be tricked into revealing; the response must be cryptographically bound to the genuine site's origin, so anything captured on a lookalike site is useless to the real one; and each use must require explicit user intent. SMS OTP and push notification OTP are both common second factors, and push is generally considered the more secure of the two because it does not depend on the SMS channel, which is exposed to SIM swapping and carrier-network interception. Neither is phishing-resistant, however: a relayed OTP is accepted as readily as a genuine one, and push approvals can be worn down by repeated prompts (MFA fatigue).
The Fast Identity Online (FIDO) Alliance was created to offer a secure way for consumers to authenticate to online services. FIDO2 is a global authentication standard based on public key cryptography: at registration the authenticator generates a key pair unique to the service, keeps the private key, and gives the service only the public key. Passkeys (FIDO credentials, which may be synced across a user's devices) are more secure than passwords and SMS OTPs, simpler for consumers to use, and easier for service providers to deploy and manage. The FIDO protocol requires a "user gesture" (a touch, PIN, or biometric) before the private key can be used to sign a response to an authentication challenge, and the signed response covers the origin of the site the browser is actually talking to, which is what makes it phishing-resistant. PKI is the collection of policies, processes, and technologies that allow you to issue certificates and to sign and encrypt data; it underpins trustworthy online communication. PIV (Personal Identity Verification) is a physical smart card that holds identity credentials, private keys and certificates; using it combines two factors, possession of the card and knowledge of its PIN, and the card can also carry a biometric. CBA (certificate-based authentication) allows users to authenticate with a client certificate, typically held on a PIV card or in a hardware-protected key store, instead of a password.
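To make the contrast in the two paragraphs above concrete, here is a small Go program, added here and not part of the original article or of any FIDO Alliance code, that puts the same reverse-proxy phishing site in front of an OTP code and in front of a FIDO-style assertion. The OTP verifier accepts the relayed code because it only checks the digits; the FIDO-style verifier rejects the relayed assertion because the browser signed the phishing page's origin rather than the relying party's, and it refuses to sign at all without a user gesture. The function names (hotp, login, clientData), the origins bank.example and bank-login.example, and the shared secret are constructed for the example; the signed structure is a simplification of WebAuthn's clientDataJSON, not the exact wire format.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// hotp is an RFC 4226 code (HMAC-SHA1, dynamic truncation, six digits); SMS and app OTPs build on it.
func hotp(secret []byte, counter uint64) string {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(ctr[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// otpVerify is the service side: it sees only the digits, never where the user typed them.
func otpVerify(secret []byte, counter uint64, code string) bool {
	return hmac.Equal([]byte(hotp(secret, counter)), []byte(code))
}

// clientData is a simplified stand-in for WebAuthn clientDataJSON: challenge plus the browser's real origin.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticator holds the per-service private key, which never leaves the device.
type authenticator struct{ key *ecdsa.PrivateKey }

// assert signs challenge and origin only after a user gesture. The browser, not the page,
// supplies the origin, so a phishing page cannot obtain a signature over the genuine origin.
func (a *authenticator) assert(challenge []byte, browserOrigin string, userPresent bool) (cd, sig []byte, err error) {
	if !userPresent {
		return nil, nil, errors.New("user gesture required before the private key may sign")
	}
	if cd, err = json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin}); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, a.key, digest[:])
	return cd, sig, err
}

// fidoVerify is the relying party: its own challenge, its own origin, and a valid signature under the registered key.
func fidoVerify(pub *ecdsa.PublicKey, issued []byte, rpOrigin string, cd, sig []byte) bool {
	var parsed clientData
	if err := json.Unmarshal(cd, &parsed); err != nil {
		return false
	}
	if !bytes.Equal(parsed.Challenge, issued) || parsed.Origin != rpOrigin {
		return false
	}
	digest := sha256.Sum256(cd)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// relayOTP models a reverse-proxy phishing site: the victim types the code into the lookalike page, the proxy forwards it unchanged.
func relayOTP(secret []byte, counter uint64) bool {
	typedIntoPhishingPage := hotp(secret, counter)
	return otpVerify(secret, counter, typedIntoPhishingPage)
}

// login runs the FIDO-style ceremony. With a proxy in the path the relying party's origin and the
// browser's origin differ: the proxy can forward the challenge but cannot change what the browser signs.
func login(a *authenticator, rpOrigin, browserOrigin string) (bool, error) {
	challenge := make([]byte, 32)
	rand.Read(challenge) // crypto/rand; a failure here means a broken platform, so the error is ignored in this demo
	cd, sig, err := a.assert(challenge, browserOrigin, true)
	if err != nil {
		return false, err
	}
	return fidoVerify(&a.key.PublicKey, challenge, rpOrigin, cd, sig), nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a := &authenticator{key: key}
	fmt.Println("relayed OTP accepted:", relayOTP([]byte("constructed-demo-secret"), 42)) // constructed secret
	relayed, _ := login(a, "https://bank.example", "https://bank-login.example")
	genuine, _ := login(a, "https://bank.example", "https://bank.example")
	fmt.Println("relayed FIDO assertion accepted:", relayed, "- genuine accepted:", genuine)
}
```

Running it prints that the relayed OTP is accepted while the relayed FIDO assertion is rejected and the genuine one accepted. The design point is in fidoVerify: the relying party compares the origin inside the signed payload with its own, so a proxy that can relay every byte still cannot produce an assertion that names the right site, and the private key never leaves the authenticator to be relayed in the first place.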
In May 2021, US Executive Order 14028, "Improving the Nation's Cybersecurity", was issued to help protect against cyber threats to the nation's critical infrastructure; among other measures it directed federal agencies to adopt MFA and encryption for data at rest and in transit. As remote work and digital transformation continue to grow, it is crucial to understand and implement phishing-resistant MFA to ensure secure access to data and applications.