The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
The spread of the remote workforce and the growth of digital transformation has exponentiated the number of login-based attack vectors. While multi-factor authentication (MFA) generally protects against common methods of gaining unauthorized account access, not all multi-factor authentication methods can defend against sophisticated attacks. To achieve full zero-trust access, MFA is being replaced by phishing-resistant MFA and the standards that define it.
To give you a complete picture, I have identified key terminology and concepts surrounding phishing-resistant authentication and put them together in this handy glossary. To fully appreciate phishing-resistant MFA, it helps to know the vocabulary.
Achieving Account Takeover (ATO) means successfully compromising a target account with the intent of committing fraud. The account is fully compromised when the attacker can successfully operate as the user with all the pursuant permissions and access privileges. ATO is often initiated by credential theft and can be done using social engineering techniques (phishing attacks) or by bombarding login pages with bot-based attempts.
Phishing attacks attempt to steal personal data such as login credentials, credit card information, or even money using social engineering techniques. This type of attack is usually launched through e-mail messages, appearing to be sent from a reputable source, with the intention of persuading the user to open a malicious attachment or follow a fraudulent URL. The most targeted types of services are SaaS and webmail platforms, as well as payment services. Phishing attacks create many cascading effects, impacting businesses and individuals in many ways.
Man-in-the-Middle (MiTM) attacks
NIST defines a Man-in-the-Middle (MiTM) as “an attack in which an attacker is positioned between two communicating parties to intercept and/or alter data traveling between them.” In an authentication context, this would mean “the attacker would be positioned between claimant and verifier, between registrant and Credential Service Provider during enrollment, or between subscriber and Credential Service Provider during authenticator binding.”
NIST defines “digital authentication establishes that a subject attempting to access a digital service is in control of one or more valid authenticators associated with that subject’s digital identity.”
For services in which return visits are applicable, successfully authenticating provides reasonable risk-based assurances that the subject accessing the service today is the same subject that accessed the service previously. Authentication establishes confidence that the claimant has possession of one or more authenticators bound to the credential. It does not determine the claimant’s authorizations or access privileges – for example, what they are allowed to do once they have successfully accessed a digital service.
Two-factor authentication, or 2FA, is an authentication method requiring the combination of two different types of factors to access protected resources. The three types of authentication factors are something you know, something you have, and something you are.
2FA improves the Single-Factor Authentication (SFA) login process. It does this by requiring not only a set of credentials based on what you know, such as a password (which is susceptible to phishing), but a second credential type based on what you possess, like your phone, token, or smart card, or what you are, including biometrics such as a fingerprint.
Multi-factor authentication, or MFA, requires two or more authentication factors before allowing access to gated systems. MFA can be achieved using a combination of the three types of authentication factors (something you know, something you have, and something you are). Because multi-factor authentication security requires multiple means of identification at login, it is widely recognized as the most secure method for authenticating access to data and applications.
Biometrics are physical or behavioral human characteristics used as a factor of authentication (something you are). Usual biometrics are fingerprint, facial recognition, or voice recognition. Using biometrics is another way to unlock the users’ private keys, thereby completing the FIDO2 or PKI authentication process. Safer than a password, the biometry of the user does not leave the device for security purposes and enables secure login without the use of passwords.
Phishing-resistant MFA is multi-factor authentication protected from attempts to compromise the authentication process through phishing attacks. Several elements are required to qualify an authentication method as phishing-resistant, including a strong, trusted relationship through cryptographic registration, eliminating shared secrets, and responding only to valid requests from known and trusted parties. “Phishing-resistant MFA is nothing more than the same authentication process, but people are removed from the equation,” says the SANS Institute.
Phishing-resistant MFA methods include Fast IDentity Online (FIDO), certificate-based authentication (CBA), Personal Identity Verification (PIV), and artifacts governed by Public Key Infrastructure (PKI).
Security experts consider SMS authentication vulnerable to SIM swapping attacks and interception over public networks. When an authentication code is sent via SMS to a mobile device, we must be confident that the message reaches the intended recipient. However, research has demonstrated the increasing success of redirecting or intercepting SMS messages without cost or time.
Push notification OTP
Push notification authentication validates login attempts by sending one-time passcodes to an associated mobile device. Although not phishing-resistant, NIST and other security agencies consider Push Notification OTP to offer higher security than SMS OTP. However, certain weaknesses include being vulnerable to MFA bombing attacks (also called MFA fatigue). The vulnerability can be reduced with number matching. “Number matching is a setting that forces the user to enter numbers from the identity platform into their app to approve the authentication request,” explains CISA (Cybersecurity & Infrastructure Security Agency). The agency recommends using number matching to mitigate MFA fatigue of push notification OTP.
The Fast Identity Online (FIDO) alliance was created to offer a secure way for consumers to authenticate to online services. FIDO Authentication is a global authentication standard based on public key cryptography. With FIDO Authentication, users sign in with phishing-resistant credentials called passkeys. Passkeys can be synced across devices or bound to a platform or security key, enabling password-only logins to be replaced with secure and fast login experiences across websites and apps.
Passkeys are more secure than passwords and SMS OTPs, simpler for consumers to use, and easier for service providers to deploy and manage. The FIDO2 protocol is passwordless and uses standard public key cryptography techniques for stronger authentication.
FIDO security keys or FIDO authenticator
A FIDO security key embeds one or more private keys, each dedicated to one online account. The FIDO protocol requires a “user gesture”: the user needs to unlock the FIDO authenticator using their fingerprint, pressing a button on a second–factor device, entering a PIN or other method - before the private key can be used to sign a response to an authentication challenge.
A FIDO passkey is a digital credential connected to a user account and an application or website. It looks like a digital pop-up on a user’s device and can be immediately accepted by the user. Passkeys can be synced across devices or bound to a platform or FIDO security key and enable password-only logins to be replaced with secure and fast login experiences across websites and apps.
Public Key Infrastructure (PKI) is the umbrella term for all assets that establish and manage public key encryption, or “a foundational infrastructure component used to securely exchange information using digital certificates,” as Gartner states. Put another way, PKI is the collection of policies, processes, and technologies that allow you to sign and encrypt data, and it underpins the basis of all trustworthy online communication.
In layman’s terms, a Personal Identity Verification (PIV) is a physical artifact, e.g., an identity card or smart card containing identity credentials (such as biometrics or cryptographic keys) for a double combination of two secure authentication assets “so that the claimed identity of the cardholder can be verified against the stored credentials by another person (human readable and verifiable) or an automated process (computer-readable and verifiable).”
Certificate-based authentication (CBA) allows users to authenticate with a client certificate instead of passwords. Trust is given by the party issuing the certificate - typically a Certificate Authority (CA) when maximum security is desired. Self-signed certificates are also in use but do not provide the same level of validation as a trusted CA. CBA can be used in concert with other methods to create a form of phishing-resistant MFA.
US Executive Order 14028
In 2021, to help protect the United States from increasing cyber threats, the White House issued an Executive Order (EO 14028) to improve security in the Federal Government. By 2024, Federal agencies must enforce MFA to access federal systems using phishing-resistant authentication methods such as Certificate Based Authentication (CBA), Personal Identity Verification (PIV) cards or derived PIV, and FIDO2 authentication.
ENISA guidelines for strong authentication
ENISA recommends the use of phishing-resistant authentication for its superior security. However, ENISA qualified this recommendation by advising that more secure authentication should be used “where possible.” Today, the most widely available phishing-resistant methods are FIDO2 security keys or physical PKI smart cards. Practical considerations in relation to hardware management and provisioning, as well as operational constraints, may limit organizations’ ability to deploy them for all use cases.
CISA guidance on Phishing –Resistant MFA
CISA, America’s cyber defense agency, has released two fact sheets highlighting threats against accounts and systems using certain forms of multi-factor authentication (MFA). CISA strongly urges all organizations to implement phishing-resistant MFA to protect against phishing and other known cyber threats. CISA recommends that users and organizations see CISA fact sheets Implementing Phishing-Resistant MFA and Implementing Number Matching in MFA Applications.
To learn more about phishing-resistant authentication:
View the webinar “Conquer Phishing Attacks with Certificate-Based and FIDO Authentication” from Thales and Microsoft.