What Is Phishing-Resistant MFA?

The unpleasant genius of phishing attacks is that almost anything can be phished. Most phishing attacks are an attempt to steal a user’s credentials – a username and password – which, as everyone in cybersecurity knows, is relatively easy to do.

For years now, we’ve known that the only protection against this is to combine passwords (the first factor of authentication) with an extra layer of verification (a second factor), also known as two-factor authentication (2FA) or multi-factor authentication (MFA). In theory, all MFA is phishing-resistant MFA and should stop phishing attacks.

Unfortunately, the adage that anything can be phished also applies to some types of MFA, which leaves defenders with an obvious question: Is there a phishing-resistant MFA or does MFA work well enough to be a viable defense against phishing attacks?

The short answer is yes. Even an imperfect MFA is better than no MFA and will stop most attacks. Using MFA always raises the security bar.

However, as this article lays out, MFA comes in many forms, and some of these are more susceptible to MFA bypass attacks than others. The job of defenders, then, is to understand which types of MFA count as phishing-resistant MFA and to apply those methods to prevent unauthorized access.

Why phishing is so successful

Attackers can find their way into an organization in several ways, but none is as simple and cheap as sending a phishing email. Phishing is a numbers game. According to the 2022 Verizon Data Breach Investigations Report (DBIR), the share of employees clicking on phishing emails has remained static at around 2.9% over the last decade.

This sounds like a small number. But even if only a fraction of those clicks end in a credential compromise (not all phishing attacks are about stealing credentials, after all), a tiny number of successes is enough to give attackers what they seek.

The success of this tactic is all around us. The DBIR reports that a whopping 63% of breaches involved phishing attacks. As an example, this is equivalent to hundreds of annual breaches in a single company’s analysis, many rated severe.

But why are so many organizations still vulnerable to phishing years after the problem was identified as a weakness? Very simply, because passwords (the first factor) were never designed to be used securely on the scale they are today. And when passwords are stolen, detecting the theft is incredibly difficult, even with expensive layers of security in place. Sophisticated attackers can also employ many different tactics to bypass some MFA methods.

What makes phishing-resistant MFA?

As we mentioned above, passwords (and PINs) count as the first factor of authentication: something the user knows. To this, MFA adds a second factor: something the user has, generates, or is sent. One could keep adding factors to tighten security even more, of course, but the extra challenges would increase user frustration in return for a negligible security benefit.

Not all MFA methods are created equal

How much extra security comes from adding a second factor? The answer depends on which factor is being used. Over time, the number of MFA technologies has increased, which has led to some confusion about their comparative merits.

The main examples are:

  • A unique SMS code is sent to a mobile device.
  • A unique code is generated via a mobile app.
  • A push notification is sent to a mobile device.
  • A physical token in the user’s possession.

Recently, “passwordless” authentication has also been gaining in popularity. This authentication method does away with passwords as the first factor completely and relies instead on a combination of factors such as a user-generated code, a digital credential securely embedded in a smartphone, or biometric (for example fingerprint) verification. Strictly speaking, what exactly counts as passwordless is debatable. What’s more, these methods still require stored information that can represent a liability.

Some MFA methods aren’t phishing-resistant at all

Most importantly, some of the above MFA methods can be vulnerable to a determined attacker, who can:

  • Intercept SMS codes, or hijack mobile accounts themselves via SIM swapping attacks.
  • Steal app codes using man-in-the-middle attacks.
  • Steal or find a physical token or smartphone.

It’s important to note here that the level of vulnerability is not the same. MFA methods that rely on SMS are notoriously vulnerable to even the most novice threat actors, while stealing app codes is much more of a challenge. And getting hold of the physical token or smartphone, of course, requires sheer luck or extremely targeted coordination.

Phishing-resistant MFA methods

Clearly, some of these compromises are easier than others. For instance, stealing a token would be impossible for a remote attacker. But the vulnerabilities we outline above have given rise to the notion of phishing-resistant MFA, which particularly interests organizations looking to build security around zero trust.

A key weakness of most MFA technologies is the user’s involvement in the authentication process. Users often receive a code that they then type in to complete authentication. Attackers can then either intercept this code or trick the user into revealing it through social engineering.

While educating your users about recognizing and avoiding phishing attacks can only help, it’s not enough. Here are two ways to ensure that you have phishing-resistant MFA:

1. Opt for hardware keys

Hardware keys prove themselves to be particularly resistant to phishing attacks. FIDO keys offer important advantages against phishing, since an attacker would essentially have to steal or stumble upon the physical key to bypass MFA. Based on the open FIDO industry standard, these phishing-resistant keys support a range of authentication protocols including OATH-HOTP, FIDO U2F, and FIDO2 passwordless WebAuthn/passkeys; of these, the FIDO protocols are the ones that bind each login to the site’s origin, which is where the phishing resistance comes from.

The user simply presents the key, such as a YubiKey or Token2, via USB or Bluetooth and is asked to tap it to confirm authentication. Let’s take YubiKey’s phishing-resistant keys, for example: behind the scenes, the authentication system confirms that the unique private key embedded in the YubiKey is the one whose public key it registered during enrollment. No other key can be used for that login, which proves the user has the correct key in their possession. Because the key’s signature also covers the domain and origin the browser is actually talking to, a login relayed through a lookalike site fails verification even though the genuine key signed it, and there is no code for the user to type into the wrong page.

2. Reduce MFA fatigue with risk-based contextual controls

Of course, sometimes hardware keys aren’t the best fit for an organization or user group. Other MFA methods, like authentication apps or MFA push apps, may be a better option for several reasons.

But MFA methods based on receiving notifications can interrupt users as much as several times each day. As user frustration rises, this creates an opening for an MFA fatigue attack. This type of attack happens when an attacker has already obtained a user’s valid credentials (through phishing or otherwise). The attacker then gets the legitimate user to accept an MFA request, even though that user is not trying to log in. The risk of this attack is highest when users get so many MFA requests throughout the day that they accidentally or absent-mindedly accept them, even when they aren’t trying to log in.

Although these approaches are less inherently resistant to phishing than hardware keys, combining these MFA methods with risk-based contextual controls minimizes the risk of compromise. A good example of this is the ability to limit push notifications used in MFA fatigue attacks to certain times of the day or geolocations. This granularity around how and when to prompt for MFA limits the opportunity for an MFA fatigue attack to target an unwary user.
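To show what the contextual controls described above look like in practice, here is an added example in Go (not UserLock’s code or configuration): a gate that sends a push prompt only from approved countries and during approved hours, and suspends push for a user who has already received a burst of prompts within a short window, which is the MFA fatigue pattern. The policy values, country codes and user names are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// PushPolicy is the contextual configuration an administrator sets for push MFA.
type PushPolicy struct {
	AllowedCountries   map[string]bool // country codes from which a push prompt may be sent
	WorkStart, WorkEnd int             // prompts allowed only within [WorkStart, WorkEnd) local hours
	MaxPrompts         int             // prompts per user within Window before push is suspended
	Window             time.Duration
}
// LoginContext is what the service knows once the password (first factor) has checked out.
type LoginContext struct {
	User, Country string
	At            time.Time
}
// PushGate decides whether a prompt is sent and remembers recent prompts per user, so a
// burst of requests (the MFA fatigue pattern) suspends push instead of nagging the user.
type PushGate struct {
	Policy  PushPolicy
	history map[string][]time.Time
}
func NewPushGate(p PushPolicy) *PushGate {
	return &PushGate{Policy: p, history: map[string][]time.Time{}}
}
// Evaluate reports whether a push may be sent and, if not, why. Every denial is worth
// logging: a correct password from the wrong place or time, or in a burst, suggests theft.
func (g *PushGate) Evaluate(c LoginContext) (bool, string) {
	if !g.Policy.AllowedCountries[c.Country] {
		return false, fmt.Sprintf("push suppressed: %s is outside the geolocation policy", c.Country)
	}
	if h := c.At.Hour(); h < g.Policy.WorkStart || h >= g.Policy.WorkEnd {
		return false, fmt.Sprintf("push suppressed: %02d:00 is outside allowed hours", h)
	}
	recent := g.history[c.User][:0] // keep only prompts still inside the window
	for _, t := range g.history[c.User] {
		if c.At.Sub(t) < g.Policy.Window {
			recent = append(recent, t)
		}
	}
	g.history[c.User] = recent
	if len(recent) >= g.Policy.MaxPrompts {
		return false, fmt.Sprintf("push suspended for %s: %d prompts in %s, possible MFA fatigue attempt", c.User, len(recent), g.Policy.Window)
	}
	g.history[c.User] = append(recent, c.At)
	return true, ""
}
```

A suspended user can still be offered a different factor, and the denial reasons are the lines a SOC would want forwarded to its SIEM.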

Sign up for a free demo today to learn more about how UserLock’s phishing-resistant MFA can help prevent unauthorized access to your Active Directory user accounts.