What is a Phishing-Resistant MFA?


Phishing is a type of cyber attack in which users are tricked into revealing sensitive information such as passwords, usernames and credit card numbers. According to the Comcast Business Cybersecurity Threat Report, 80-95% of security breaches happen due to phishing attacks.

While a strong password helps prevent basic security threats, it is also easy to bypass. A traditional Multi-Factor Authentication (MFA) system helps, but it can still be bypassed by phishing if the attacker obtains the user's credentials or personal information.

Phishing-resistant MFA adds an extra layer of protection by implementing components like passwordless authentication, context-based authentication and more to protect against phishing attacks. 

What is a Phishing-Resistant MFA?

Phishing-resistant multi-factor authentication is an authentication method that does not use shared passwords or any other authentication method that hackers can intercept or phish. This removes the opportunity for a hacker to capture user credentials at any point in the login process.

Most phishing-resistant MFA systems today use passwordless authentication based on FIDO standards or require the use of passkeys. These MFA methods create a cryptographic relationship between the user’s device and the resource they are accessing, making this phishing-resistant MFA more secure than traditional MFA. 

How Does it Differ from Traditional MFA?

Traditional MFA uses three factors to verify a user's identity: the knowledge factor, such as a password or PIN (something you know); the possession factor, such as a one-time password (something you have); and the inherence factor, such as a fingerprint (something you are). However, this approach can still be vulnerable, as hackers might trick users into giving up their passwords.

Phishing-resistant MFA uses components such as strong possession and inherence factors to mitigate such attempts and provide better security. For example, it includes authentication methods like private cryptographic keys embedded in devices and touch or facial recognition.

Why is it Important for Businesses to Have Phishing-Resistant MFA?

Human Error in Breaches 

Per the recent 2024 Data Breach Investigations Report by Verizon Business, 68% of breaches involved a component of human error. Some of these breaches were due to phishing attacks or accidental errors, where data was sent to the wrong recipient.

Rapid Increase in Phishing Attacks 

Since the launch of ChatGPT in November 2022, phishing attacks have increased by 4,151%, according to the SlashNext report.

Key Components of Phishing-Resistant MFA

Advanced Authentication Factors

Phishing-resistant MFA uses hardware tokens (physical devices that generate and hold cryptographic keys), along with biometric authentication and certificate-based authentication, to make it harder for hackers to steal or replicate login credentials.

Risk-Based Factors

Context-based authentication considers multiple contexts related to login parameters, such as the frequency and timing of attempts, device posture, user location, device type and more, to detect risk signals for better security. 

Phishing-resistant MFA leverages context-based authentication to detect unusual patterns, such as multiple failed login attempts from an unfamiliar region or unexpected device changes.
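As an added illustration (not code from the article or from InstaSafe), the following Go program scores a login attempt against a user's history using the signals listed above: an unfamiliar region, an unexpected device and a burst of recent failed attempts. The weights, the 10-minute window, the step-up threshold and the log records are constructed for the example.

```go
package main

import ("fmt"; "time")

// AuthEvent is one constructed authentication log record (not a real product's format).
type AuthEvent struct {
	User, Country, Device string // Device: stable identifier reported by the client
	Time                  time.Time
	Success               bool
}
// Weights, window and threshold are assumptions chosen for this example.
const stepUpThreshold, failWindow = 50, 10 * time.Minute

// AssessRisk scores an attempt against the user's history using the signals the article
// lists: unfamiliar region, unexpected device change and a burst of failed attempts.
func AssessRisk(history []AuthEvent, attempt AuthEvent) (score int, reasons []string) {
	knownCountry, knownDevice, failures := map[string]bool{}, map[string]bool{}, 0
	for _, e := range history {
		if e.User != attempt.User { continue }
		if e.Success { // only successful logins establish the baseline
			knownCountry[e.Country], knownDevice[e.Device] = true, true
		} else if d := attempt.Time.Sub(e.Time); d >= 0 && d <= failWindow {
			failures++ // failed attempt on this account inside the window
		}
	}
	if len(knownCountry) > 0 && !knownCountry[attempt.Country] {
		score, reasons = score+40, append(reasons, "unfamiliar region "+attempt.Country)
	}
	if len(knownDevice) > 0 && !knownDevice[attempt.Device] {
		score, reasons = score+30, append(reasons, "unexpected device "+attempt.Device)
	}
	if failures >= 3 {
		score, reasons = score+10*failures, append(reasons, fmt.Sprintf("%d failed attempts within %v", failures, failWindow))
	}
	return score, reasons
}

// RequiresStepUp tells the policy engine whether to demand a phishing-resistant factor.
func RequiresStepUp(score int) bool { return score >= stepUpThreshold }

func main() {
	t0 := time.Date(2024, 5, 1, 9, 0, 0, 0, time.UTC) // constructed sample data
	history := []AuthEvent{{"alice", "IN", "laptop-01", t0, true}}
	for i := 1; i <= 3; i++ { // three failures from an unknown device in a new country
		history = append(history, AuthEvent{"alice", "RO", "unknown-7f", t0.Add(time.Duration(i) * time.Minute), false})
	}
	score, reasons := AssessRisk(history, AuthEvent{"alice", "RO", "unknown-7f", t0.Add(4 * time.Minute), false})
	fmt.Println(score, RequiresStepUp(score), reasons) // 100 true [...]
}
```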

User Intent

Phishing-resistant MFA needs the active involvement of the user to ensure that access is not granted unknowingly. This prevents falling prey to phishing attacks.

Elimination of Shared Keys

Phishing-resistant MFA uses unique public/private key pairs for authentication, without relying on shared OTPs or passwords. It rejects requests from fake resources and responds only to authentication requests from the legitimate resource the credential was registered with.

Encryption Methods

Every step of the authentication process is protected with end-to-end encryption and modern protocols, so that attackers cannot make use of data intercepted in transit over the network.

Biometric Authentication

Phishing-resistant MFA also uses biometric authentication, which uses methods such as fingerprints or facial recognition to verify the user’s identity. It is incorporated in devices such as laptops, smartphones, etc., to add an extra layer of protection. 

Benefits of Phishing-Resistant MFA

  • Reduces the risk of phishing-related attacks by eliminating the reliance on OTPs and passwords and strengthens the overall security posture of a company.
  • Considers authentication requests only from legitimate sources, blocking unauthorised access.
  • Uses advanced authentication mechanisms that can prevent credentials from being easily stolen or replicated.
  • Using MFA for phishing attack mitigation improves the overall user experience with simplified and convenient processes.

Best Practices When Implementing Phishing-Resistant MFA

Identify Potential Threats

Identify the resources that you need to protect. This can be sensitive data, resources, and applications. You’ll also need to check your pre-existing MFA and security protocols against current compliance requirements. 

Use Multiple Factors for Authentication

Combine several authentication factors into a multi-layered approach to preventing phishing-related threats. Having users follow strong password policies also falls under this approach.

Use Biometric Authentication

Leverage biometric authentication methods such as facial recognition or fingerprint scanning wherever applicable to cut down on the use of shared credentials like passwords. 

Use Phishing Detection and Protection Solutions

Deploy endpoint protection, email filtering systems and advanced threat detection to block unauthorised access.

Create Awareness

Educate your employees about potential phishing threats through training and awareness programmes. Also provide channels through which users can report phishing attempts and security incidents.

Review and Update Security Protocols

Keep yourself informed on recent security threats and update your security policies to meet the current requirements. This can look like performing regular audits on your security systems and monitoring authentication logs to detect suspicious behaviour. 

Wrapping Up

Phishing-resistant MFA is the gold standard for MFA. It is an authentication approach that provides an additional layer of protection to businesses and is more secure than traditional MFA. With the rapid rise in phishing attacks, phishing-resistant MFA has also become an integral part of establishing a well-rounded Zero Trust security model for organisations.

At InstaSafe, we offer Phishing-Resistant MFA under our Zero Trust Network Access solution. We offer three types of FIDO/WebAuthn authentication: security keys, passkeys and Windows Hello.

The InstaSafe Zero Trust platform is also secured with Cloudflare Turnstile – a discreet verification tool that distinguishes real users from bots, allowing for seamless security and usability because it works in the background and does not require active user intervention through CAPTCHA puzzles.

Frequently Asked Questions (FAQs)

  1. What is phishing?

Phishing is a type of social engineering attack focused on tricking users into revealing their login credentials. Phishing attacks can come in the form of fake websites or fraudulent emails.

  2. Where do phishing attacks come from?

Phishing attacks can come from illegitimate sources, such as malicious links, fraudulent emails and fake web portals. 

  3. Which MFA type is most secure?

FIDO/WebAuthn authentication and hardware-based security keys are considered the most secure MFA methods. For example, FIDO and WebAuthn use cryptographic keys held in hardware devices, unlocked by biometrics, instead of relying on passwords for authentication.

  4. What is the FIDO/WebAuthn Authentication?

FIDO/WebAuthn Authentication is a protocol developed by the Fast Identity Online (FIDO) Alliance. It is a passwordless authentication method used in phishing-resistant MFA to eliminate the reliance on traditional credentials, such as passwords. 

Here, users log in to applications using hardware referred to as the FIDO authenticator. It can be embedded in your device as a platform authenticator, or it can be a physical token connected to the device as a roaming authenticator. Each registered authenticator generates a keypair in its hardware to facilitate authentication, relying on the possession factor (the authenticator itself) and the inherence factor (a biometric) to complete the process.

  5. What do you do if you get hit by a phishing attack?

If you have been hit by a phishing attack, disconnect the device, change any passwords that may have been exposed and immediately report the incident to the responsible contact in your company's IT security team.

  6. How are passkeys phishing resistant?

Passkeys are phishing-resistant as they are tied to a specific origin. They are uniquely created and aligned to a single account. In addition, passkeys are based on public key cryptography, which means a private key is stored on your device and the public key is shared with the server. Furthermore, passkeys cannot be accidentally shared as they are bound to devices.
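To show why origin binding defeats a look-alike site, here is an added Go example (not InstaSafe's code and not a WebAuthn library) of the public-key exchange described in the passkey answer above and in the "Elimination of Shared Keys" section: the authenticator signs the server's challenge together with the origin the browser observed, and the relying party accepts only signatures over its own origin. It is simplified (the authenticatorData that the real protocol also signs is omitted); the origins and the challenge are constructed values.

```go
package main

import ("crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/sha256"; "encoding/json"; "fmt")

// clientData mirrors WebAuthn's clientDataJSON. The browser, not the web page, fills in
// the origin it is actually connected to before the authenticator signs it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Authenticator holds one credential's private key, which never leaves the device.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	return &Authenticator{priv: k}, nil
}
// PublicKey is what the relying party stored at registration; it is not secret.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }
func hash(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// Assert signs the challenge together with the observed origin (simplified WebAuthn
// assertion: the authenticatorData that is also signed in the real protocol is omitted).
func (a *Authenticator) Assert(challenge, origin string) (cd, sig []byte, err error) {
	cd, _ = json.Marshal(clientData{"webauthn.get", challenge, origin})
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, hash(cd))
	return cd, sig, err
}

// Verify is the relying party's check: the challenge must be the one it issued, the
// signed origin must be its own, and the signature must match the registered key.
func Verify(pub *ecdsa.PublicKey, origin, challenge string, cd, sig []byte) bool {
	var got clientData
	if json.Unmarshal(cd, &got) != nil || got.Type != "webauthn.get" ||
		got.Challenge != challenge || got.Origin != origin {
		return false
	}
	return ecdsa.VerifyASN1(pub, hash(cd), sig)
}

func main() {
	auth, _ := NewAuthenticator()
	rp, challenge := "https://login.example.com", "c29tZS1yYW5kb20tY2hhbGxlbmdl" // constructed values
	cd, sig, _ := auth.Assert(challenge, rp)
	fmt.Println("genuine origin:", Verify(auth.PublicKey(), rp, challenge, cd, sig))
	cd, sig, _ = auth.Assert(challenge, "https://login.examp1e.com") // look-alike origin, same challenge
	fmt.Println("look-alike origin:", Verify(auth.PublicKey(), rp, challenge, cd, sig))
}
```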