Phishing-Resistant MFA Overview
There are plenty of blogs describing the “What” of multi-factor authentication, and the Axiad blog “7 Reasons Why Phishing-Resistant MFA Should Be Your Goal” provides a solid rationale for the “Why”. So, onwards to the “When / Why Now” rationale for phishing-resistant MFA.

Its time is now because legacy MFA is increasingly vulnerable to a variety of attacks that are growing in sophistication and frequency; see the blogs “The Growing Problem with MFA Fatigue Attacks (And What You Can Do About It)” and “Microsoft’s Warning About How Hackers Are Bypassing MFA – What You Need to Know”. As a result of the factors described in those sources, the White House OMB “Zero Trust Cybersecurity” memo mandates phishing-resistant MFA for all government entities and, by extension, the consultants and vendors that do business with them.

So, with all this evidence as to why phishing-resistant MFA (also referred to as “passwordless MFA”) is needed, why isn’t it already in place at all organizations (enterprises and government agencies)? The answer is in three parts:
- Developing an in-house approach is prohibitive in terms of initial coding costs, maintenance, and operations.
- A “wait and see” attitude towards ambitious and collaborative approaches such as FIDO that could take years to fully implement.
- Lack of a pragmatic approach that works today and will encompass new and updated approaches such as FIDO as advances are made.
So the purpose of this blog is to lay out a pragmatic approach to phishing-resistant authentication that is justified by benefits today and whose value will increase over time. The approach is laid out in roadmap format for enterprises and government agencies.
Roadmap Assumptions
To apply authentication everywhere in the organization, a cloud model is optimal. To do so cost-effectively, it should be delivered in a SaaS model composed of various products that can be added as needed.

There are many protocol discussions of passwordless authentication in general versus the FIDO and Certificate-Based Authentication (CBA) standards in particular. The pragmatic approach cuts through these discussions by focusing on use cases encountered by most, if not all, large organizations.

A telling use case is Apple macOS and Microsoft Office 365 (O365). Since macOS does not support FIDO for desktop logins at this time, CBA is a strong authentication approach there. However, depending on the environment, logging on to O365 can best be done with FIDO.

So, a pragmatic approach as of this writing is to support both CBA and FIDO (and other passwordless options), since many use cases cannot be fulfilled by either method alone. That leads to another pragmatic recommendation: the SaaS cloud platform for authentication should support CBA, FIDO, and other passwordless options together, for efficiency and to eliminate silos. Not surprisingly, Axiad’s Cloud Platform does meet these criteria.
Pragmatic Roadmap – Step by Step with Axiad
This section outlines a pragmatic roadmap to phishing-resistant authentication with Axiad’s SaaS portfolio of products. It adapts and extends practical advice from the recent CISA “Implementing Phishing-Resistant MFA” memo.
I. Categorize End Users
Not all end users are the same, and applying the highest level of controls across the board may not be prudent. So, end users should be categorized into groups by role, and each group’s optimal authentication security level established. A sample grouping would be:
- Baseline: End users that primarily interact with applications and tools.
- Knowledge: Knowledge workers that interact with sensitive company information and Intellectual Property (IP).
- Compliance: Workers that interact with Government or have special obligations such as Legal or Finance.
- IT and Security: Workers that interact with sensitive company systems.
- Executives: End Users that have access and control over sensitive company systems, IP, and personnel records.
II. Map Authentication Level
Not all end users are the same, and applying the highest level of controls across the board may not be prudent. On the other hand, managing end users individually is too onerous. So, end users should be grouped. Since not every group will require the same level of authentication strength, the authentication level should be mapped to the group. A sample mapping would be:
- Baseline: Passwordless Phishing-Resistant Authentication using CBA certificates stored on the device.
- Knowledge: Passwordless Phishing-Resistant Authentication using CBA certificates stored on a purpose-built device (such as a SmartCard).
- Compliance: Passwordless Phishing-Resistant Authentication using CBA certificates and FIDO credentials stored on a secure purpose-built device (such as a USB Card) that conforms with NIST AAL3 (in some cases may be able to conform to AAL2) authentication.
- IT and Security: Passwordless Phishing-Resistant Authentication using CBA certificates and FIDO credentials stored on a secure purpose-built device (such as a USB Card) that conforms with NIST AAL3 authentication.
- Executives: Passwordless Phishing-Resistant Authentication using CBA certificates and FIDO credentials stored on a secure purpose-built device (such as a USB Key or Smart Card) that conforms to the NIST AAL3 authentication standard.
III. Prioritize High Risk Gaps
Obviously, a finance executive with full access to financial systems is a higher phishing risk than most others. However, at times entire groups – such as the Accounts Receivable team, with access to both internal and partner teams – may cumulatively be at the highest risk. Such gaps should be prioritized for rollout.
IV. Design and Roll Out Authentication
Phishing tactics are ongoing, increasing in frequency, and growing in sophistication. So, an authentication mapping should be based on what’s on the shelf right now rather than waiting. With that, here are some sample steps.
- Start with Certificate-Based Authentication (CBA): CBA is a variant of the PKI-based MFA recommended in the CISA memo. CBA is a proven technology for authenticating people onto machines, into cloud environments (such as Azure), and into applications. It has recently been accelerated by its adoption as Azure AD’s preferred authentication. Axiad’s Certificate-Based Authentication for IAM seamlessly bolts onto one or many Identity and Access Management (IAM) systems and provides phishing-resistant authentication without being in the IAM’s authentication path. Axiad’s Credential Dashboard contains utilities for end users to select their authenticator of choice from the options approved by IT and to enroll it in Axiad. Credentials are then issued and the authenticator is automatically provisioned. Rollout status by groups of end users is tracked automatically as well. So, authentication security is improved without disrupting the current authentication with Azure AD and major IAMs.
- Leverage FIDO for key applications such as O365: FIDO is built into Axiad’s other end user authentication offerings (Multi-Factor Authentication and Phishing-Resistant Authentication). So, for use cases where FIDO provides a better authentication experience to end users, it should be implemented. Note that use cases such as authenticating to macOS and then to O365 can involve both CBA and FIDO.
Certificate-Based Authentication Primer
Certificate-based authentication is a security measure that uses digital certificates to verify the identity of a user or device. A digital certificate is a file that contains information about the holder of the certificate, such as their name, email address, and public key. The certificate is signed by a trusted authority, such as a government agency or a web server, to verify that it is genuine. Certificate-based authentication is a very secure way to verify the identity of users and devices. The digital certificates used in certificate-based authentication are difficult to forge, and the process of verifying the certificate’s validity is automated. Organizations that use certificate-based authentication can be confident that only authorized users and devices will be able to access their resources. For more information, visit our How Does Certificate-Based Authentication Work? blog.
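The exchange the primer describes, as an added example that is neither Axiad’s code nor part of the original post: a self-contained Go program that issues a user certificate (name, email address, public key) from an in-house root, signs a server challenge on the authenticator side, and on the server side checks the chain of trust, the validity period, and the challenge signature before releasing the identity. The root CA, the user names, the nonce and the Ed25519 keys are constructed for the example; smart cards commonly hold RSA or P-256 keys instead, but the flow is the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert makes a fresh key pair and a certificate for cn signed by parentKey; a nil parent means self-signed (the root CA).
func issueCert(cn string, emails []string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		EmailAddresses:        emails, // the holder's identity; nil for the CA
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // login use only
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // cannot fail for this template
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// signChallenge is the authenticator's side (smart card, USB key): sign the server's fresh nonce with the private key.
func signChallenge(key ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(key, challenge) // the key itself never leaves the device
}

// verifyUser is the server's side: chain the certificate to the trusted root, then check the challenge signature.
func verifyUser(cert, root *x509.Certificate, challenge, sig []byte) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err // unknown issuer, outside the validity period, or not a client-auth certificate
	}
	if err := cert.CheckSignature(x509.PureEd25519, challenge, sig); err != nil {
		return "", err // wrong key, or a signature replayed from an earlier challenge
	}
	return cert.Subject.CommonName, nil // the verified identity handed to the IAM
}
```

Because the server issues a new random challenge per login, a captured signature is useless for a later session, which is what makes the scheme phishing-resistant rather than merely "two-factor".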
V. Set a Communication Cadence with Your End Users
Having helped dozens of organizations transform their authentication, Axiad has seen that one non-technical activity is often the key to success: ongoing communications with end users! You should establish a cadence of communication, starting with the overall need to transform authentication, the benefits (more convenient authentication in the long run) to end users, and when they can expect to enjoy these benefits as phishing-resistant authentication is rolled out across the organization.
VI. Establish Ongoing Operations
Monitor the state of authentication across the organization with Axiad’s Unified Portal. Sample tasks using the Credential Dashboard include:
- Assess the rollout progress by group and communicate status to executives.
- Leverage the Credential Dashboard to ensure that credentials that are within a month of expiration are renewed or allowed to expire gracefully.
VII. Define Enhancement Roadmap
As Axiad adds new FIDO, CBA, and other technologies to its cloud portfolio, use Axiad’s automated workflows to roll them out to end user groups in a controlled manner. As new approaches (such as FIDO, Passkeys, etc.) become available, leverage Axiad Cloud’s streamlined workflows to issue the appropriate new credentials and expire the old ones.
Benefits for IT and End Users
Organizations that execute along this roadmap can substantially improve security while seeing operational benefits. Benefits by role are:
- For IT and Security: Streamlined authentication will reduce your workload substantially. Enjoy life (and your weekends) as hackers target other organizations!
- For End Users: Inputting a local PIN is so much more time efficient than waiting for a password to be texted to your mobile device. Find ways to leverage all the time that you save in authentication!
Learn More
For additional information on how we support both FIDO and CBA in a single platform, please view our Cloud Platform page.