Multifactor authentication (MFA) has formally been around for more than two decades, gaining the most traction in the mid-2000s. At the most basic level, MFA is “something you know (a password),” “something you are (a unique biometric or behavioral characteristic),” and “something you have” (a token or security key) to verify an identity. There are many forms of MFA available today, including SMS, email, and mobile one-time passwords; mobile app push notifications with or without number matching; mobile app with FIDO2; and mobile app with certificate-based authentication (CBA).

Another common form of authentication that has also been around for a long time – 25 years, in fact – is two-factor authentication (2FA), which requires just two authentication types. However, in more recent years, and with the substantial rise in cybercriminal activity such as phishing attacks that are now able to bypass these identity security technologies, traditional 2FA along with MFA just aren’t cutting it anymore.

In this post, we’ll review the history of authentication methods, the current challenges with MFA, and why organizations should implement phishing-resistant MFA to minimize their risk.

The History of MFA

The earliest origin of using a single-factor authentication, such as a password (something you have), dates back to 1961 and a man named Fernando Corbato, an MIT researcher who implemented a simple password program for storing research findings on computers. Then, in 1967, ATM machines required a check plus a four-digit PIN number to verify account ownership, and this combination of something you have and something you know, or two-factor authentication (2FA), is still used in modern ATM cards today.

Fast forward to 1995, and the process became formalized when AT&T filed for a patent for 2FA that was issued in 1998. In 1996, the company developed 2FA over SMS, which authorized transactions by exchanging codes over two-way pagers.

It wasn’t until the mid-2000s that MFA became popular. There are a couple reasons for this: smartphone usage skyrocketed and the rise in ecommerce and internet use led to increased credit card and identity fraud, which, in turn, made organizations more aware of the need for better security practices.

Why Traditional MFA is Broken and Recent Guidance

So, what’s wrong with most traditional MFA methods? Even though MFA requires those three authentication methods, it has become ineffective against stopping cybercrimes because of the various ways threat actors can sidestep it, including phishing attacks, credential stuffing, social engineering attacks, man-in-the middle attacks, push bombing, and more. And the rise of threat actors selling self-service kits, such as phishing kits, makes it even easier for non-technical criminals to execute such attacks. We’ve seen many attacks recently where MFA services have been broken into or where it just wasn’t enforced or required to begin with, including Cisco Duo and Snowflake, resulting in massive breaches.

To combat this evolution in cybercriminal tactics, many federal and national agencies such as the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and The White House have recommended that organizations move to phishing-resistant MFA. Specifically, the U.S. Executive Office of the President memorandum 22-09 titled “Moving­ the U.S. Government Toward Zero Trust Cybersecurity Principles” states that strong MFA will be required for implementing a zero-trust architecture, and phishing-resistant MFA will be key in stopping sophisticated attacks. It also says that agencies must stop using forms of MFA that are not phishing resistant.

In addition, the FBI Criminal Justice Information Services (CJIS) Security Policy mandates that agencies, including state and local governments, implement Authenticator Assurance Level 2 (AAL2)-compliant MFA, which includes the use of biometrics, by October 1, 2024. This is yet another indicator of the importance of implementing phishing-resistant MFA, that we believe will ultimately trickle down to all organizations.

How to Tell if Your MFA is Broken

Not all authentications are created equal, so just because you have MFA doesn’t necessarily mean you’re protected from phishing attacks – hence all the recent guidance. To get to the root of whether your MFA is broken, organizations must ask themselves: “Do we have phishing-resistant MFA?” If you are using public key infrastructure (PKI) and/or FIDO, then the answer is yes. If you’re using any other forms of MFA, the answer is no.

PKI uses digital certificates to protect sensitive data. These certificates provide a unique digital identity for users, devices, applications, and secure communications from end to end. Today, PKI-based authentication typically accounts for 40% of use cases and can be leveraged for non-browser uses, including workstations (Win, MacOS, Linux), mobile (iOS, Android), Microsoft AD, and server authentication such as remote desktop protocol (RDP), virtual desktop infrastructure (VDI), Citrix, and Secure/Multi-purpose Internet Mail Extensions (S/MIME).

On the other hand, FIDO-based authentication uses a set of open authentication standards leveraging public key cryptography to replace passwords with more secure forms of logins, like biometrics, for example. FIDO accounts for approximately 60% of use cases, covering browser-based authentication use cases such as single-sign on (SSO) applications and Windows workstations. And, in the future, Apple will likely support FIDO passkeys for MacOS.

Since each of these technologies handles different types of use cases and FIDO is still evolving, the combination of these two technologies is what companies need to maximize their cybersecurity posture. However, PKI-based authentication and FIDO can be perceived as too complicated or specialized and organizations may not have staff that is trained or well-versed in these technologies. But that shouldn’t stop organizations from pursuing these authentication methods. Due to recent advancements, particularly in the way PKI can be delivered and managed, it’s becoming easier for organizations to adopt the technology.

How to Implement Phishing-Resistant MFA

Unlike even five years ago, PKI can now be delivered in a way that makes it easy for organizations to implement alongside FIDO. That’s where Axiad comes in. Axiad Cloud delivers in three key areas:

1. Credential Management – Which amplifies the rollout of passwordless and MFA methods across an organizations’ environment by providing a single pane of glass for both end-users and IT to issue and manage those credentials.
2. Cloud-based Enterprise PKI – A full-featured PKI entirely customized to your specifications provides digital identities for anyone and anything in your organization. Axiad maintains and manages all servers, certificate authorities, and HSMs for a simplified PKI experience.
3. Web Authentication Service – Adds support for validation of a range of authentication methods such as OTP (OATH) or FIDO, as well as integration with your ecosystem through protocols such as SAML and Oauth for SSO and Federation, SCIM for provisioning, or RADIUS for authentication.

Axiad Cloud also has an extensive plug and play ecosystem with many other partners, including authentication hardware companies such as Yubico, IDEMIA, Thales, Feitian, and others. For more information, read our Hardware-based Authentication at Enterprise Scale brochure.

Don’t wait another day to secure your organization with phishing-resistant MFA. Contact us!