How to Adopt Phishing-Resistant MFA

In a recent blog post, we discussed what phishing-resistant multi-factor authentication (MFA) is and why it matters. In this post, we discuss how organizations should go about adopting unphishable authentication.

According to Axiad's 2023 State of Authentication Survey, 49% of respondents said phishing is the most likely attack to happen. In addition, the headlines are full of data breaches based on phishing attacks, so it is easy to see why phishing is such a big problem. This is why organizations like the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the U.S. White House Office of Management and Budget (OMB) have all recommended that organizations try to stamp out phishing by adopting phishing-resistant MFA.

We know that phishing is a major security problem. But why aren't organizations doing something about it? According to the Axiad survey mentioned above, 64% of respondents said "fear of change" is the top reason for holding onto passwords and non-phishing-resistant MFA. Fears of cost and the time of implementation were also named as key factors.

True Phishing-Resistant MFA Technologies

We noted in the previous blog post the different forms of MFA organizations use in an attempt to be unphishable. Ultimately, though, they all require human intervention, which makes them susceptible to phishing. Whenever a human is asked to do something – whether it's remembering a password or entering a number into an authenticator app – it creates a "weak link" that can be exploited by threat actors. That's why true phishing-resistant MFA eliminates humans altogether. Specifically, phishing-resistant MFA uses certificate-based authentication (CBA) backed by public key infrastructure (PKI), or authentication technology complying with the Fast Identity Online (FIDO) standard. These are the two ways organizations can implement true phishing-resistant MFA – any other way is not phishing-resistant.

Certificate-based Authentication

Adopting unphishable MFA can seem like a big task, but it doesn’t have to be. CBA is a mature technology and is in widespread use today in sensitive environments – such as in government, healthcare, etc. CBA might seem like a big deal because it requires a PKI. However, most larger organizations have some sort of PKI in use already, which can be extended to accommodate CBA authentication. Even for those organizations that don’t have PKI, service-based offerings, such as Axiad’s PKI as a service, eliminate the pain of maintaining a PKI by putting all the staffing and technical requirements on the service provider. The client organization can simply focus on what runs on the PKI, such as CBA-based authentication.

FIDO Passkey

While CBA authentication has been around for decades and is mature, the next generation of "passwordless" authentication is the FIDO Passkey. CISA calls FIDO Passkeys the "gold standard of multi-factor authentication." Unlike CBA, which requires a smart card or other USB-attached hardware device such as a YubiKey, FIDO Passkeys can either use a connected hardware device or the biometrics functionality embedded in most modern computing devices to ensure the end-user is who they say they are. This reduces the barrier to entry and makes the adoption of phishing-resistant MFA a "no-brainer" in most cases.

While FIDO passkeys are still relatively new, organizations can adopt phishing-resistant MFA today by deploying CBA now to cover the use cases FIDO passkeys do not yet address. Then, FIDO passkeys can future-proof this phishing-resistant approach as the standard gets more widely adopted. (To learn more about FIDO passkeys, read our most recent blog on the subject here.)
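The reason a FIDO passkey leaves a user with nothing to hand over is that the browser, not the person, records which site asked for the login, and the authenticator signs that record together with a one-time challenge from the server. The following Go program is an added example written for this post, not code from Axiad or from any FIDO library; it models a simplified WebAuthn login on the FIDO side only. The relying party ID `bank.example`, the origin `https://bank.example`, and the look-alike proxy origin `https://bank-example.login-help.test` are constructed assumptions, and `AuthData` is reduced to the `rpIdHash` field so the signed message structure stays visible.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Assumed names: the relying party ID and its real origin, plus a constructed
// look-alike origin standing in for an attacker's proxy page.
const (
	RPID        = "bank.example"
	LegitOrigin = "https://bank.example"
	PhishOrigin = "https://bank-example.login-help.test"
)

// ClientData is the subset of WebAuthn clientDataJSON that matters here.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the authenticator's answer. AuthData is simplified to the
// rpIdHash field; Signature is ECDSA over SHA-256(AuthData || SHA-256(ClientDataJSON)).
type Assertion struct {
	AuthData, ClientDataJSON, Signature []byte
}

// signedDigest reproduces what the authenticator signs and the RP verifies.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign models browser plus authenticator: the browser, not the user, fills in
// the origin of the requesting page, so an assertion made on a proxy page is bound to it.
func Sign(priv *ecdsa.PrivateKey, pageOrigin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return Assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(RPID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpIDHash[:], cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: rpIDHash[:], ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the relying-party side: our challenge, our origin, our rpIdHash,
// and a signature that covers all of them.
func Verify(pub *ecdsa.PublicKey, issuedChallenge string, as Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != issuedChallenge {
		return fmt.Errorf("wrong type or challenge: stale or replayed assertion")
	}
	if cd.Origin != LegitOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, LegitOrigin)
	}
	if rpIDHash := sha256.Sum256([]byte(RPID)); !bytes.Equal(as.AuthData, rpIDHash[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// RunLogin performs one login attempt with the user's browser on pageOrigin:
// registration (key generation), challenge issue, assertion, verification.
func RunLogin(pageOrigin string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	challenge := base64.RawURLEncoding.EncodeToString(raw)
	as, err := Sign(priv, pageOrigin, challenge)
	if err != nil {
		return err
	}
	return Verify(&priv.PublicKey, challenge, as)
}

func main() {
	fmt.Println("legitimate login:", RunLogin(LegitOrigin))
	fmt.Println("relayed via proxy page:", RunLogin(PhishOrigin))
}
```

Run as-is, the first login verifies and the second fails on the origin check: an assertion a user produces on the proxy page carries the proxy's origin under the signature, so relaying it to the real site is useless, and the one-time challenge also stops it being replayed later. Contrast this with a TOTP code or a push approval, where the value the user supplies is identical whichever site collected it. The real WebAuthn `authenticatorData` also carries flags and a signature counter, and production relying parties should use a maintained WebAuthn library rather than this model.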

Moving to True Phishing Resistance

We have already addressed the reasons people cite for not adopting phishing-resistant MFA. Modern phishing-resistant MFA systems can address all these concerns with the following qualities:

  • Phishing-resistant solutions can work with existing identity and access management (IAM) systems rather than replacing them. By overlaying existing solutions and interoperating with them, modern phishing-resistant MFA avoids the “rip and replace” cost and hassle.
  • Phishing-resistant authentication is much less expensive than the costs associated with a typical data breach. In addition to the obvious expenses associated with breach mitigation, there are costs created by employee downtime, lost opportunities, impact to the brand, cyber-insurance, and even sanctions and fines.
  • When adopting unphishable MFA, there’s no need to “drink the ocean” from the start. Successful deployments are the product of careful planning. This includes:
    • Categorizing end-users. Categories typically are broken down by department or function (executives, IT staff, HR, sales, etc.).
    • Mapping authentication levels to each category. Each category in an organization will have different authentication requirements. Authentication privileges should be mapped to them accordingly.
    • Prioritizing the high-risk category. These are the categories of employees that should get phishing-resistant MFA to start. Typically, this includes IT along with people who have access to finances, key intellectual property, and perhaps executive teams.
    • Preparing employees for the new world. Before the technology is deployed, it is advisable to educate employees on why you are moving to phishing resistance and to provide them with day 1 onboarding training before the system goes live.

Unphishable Authentication Summary

Most importantly, moving to phishing-resistant MFA should cause organizations to take a more holistic view toward authentication. In the current world, most larger organizations have multiple IAM systems, not to mention large populations of end users and machines. Moving to phishing-resistant MFA, with an authentication system that works with all these systems, gives organizations an opportunity to rid themselves of this fragmented world and to move to a consolidated authentication strategy. Doing so allows security executives to improve overall security posture, while simultaneously reducing costs by empowering end-users with self-service capabilities and streamlining processes. Finally, there is no reason not to move to phishing-resistant MFA now because CBA is an established standard, and FIDO passkeys can supplant CBA as needed, providing a seamless journey to the gold standard in phishing-resistant MFA.

Phishing remains a security scourge, but by removing the weakest link in the equation – humans – there is literally nothing to phish. This makes the adoption of phishing-resistant MFA a rare opportunity for organizations to dramatically improve their security posture and reduce costs by taking a holistic approach to authentication.

Click here to learn how Axiad's solutions can help to achieve phishing-resistant MFA.