
Four practical applications of phishing-resistant authentication

Phishing-resistant authentication

Phishing has long been a chief attack vector for bad actors to gain access to networks and applications. And despite widespread publicity around the “evils of phishing,” it remains a problem that keeps CISOs and their security teams up at night.

So how do organizations make it harder, or impossible, for bad actors to phish passwords and other authentication secrets? They need to adopt what is known as “phishing-resistant authentication”: methods in which nothing a user can be tricked into typing, approving or handing over is enough for an attacker to sign in. It is a strategy that reduces identity theft as well as unauthorized access to networks and applications.

Traditional authentication methods, such as passwords or SMS-based two-factor authentication (2FA), often fall short against phishing attacks. Here are some of the barriers that organizations can put between themselves and the phishers to greatly enhance security:

  • Multi-Factor Authentication (MFA) with hardware security keys: These physical devices authenticate users with protocols such as FIDO2 and WebAuthn, in which the key signs a server-issued challenge with a private key that never leaves the device, so no reusable password or one-time code is ever typed or transmitted. The credential is also bound to the website’s origin: the browser only lets a key sign for the domain that registered it, so a look-alike phishing site cannot obtain a usable signature even if it relays the real challenge in real time. The key must also be physically present with the user, and it produces no code that a user could be talked into reading out over the phone. The U.S. National Institute of Standards and Technology (NIST) guidelines (SP 800-63B) call this property verifier impersonation resistance and advocate for phishing-resistant authentication mechanisms.

  • Biometric Authentication: Uses unique biological characteristics, such as fingerprints and facial recognition. Biometrics are phishing-resistant when they are used locally to unlock a device-bound private key, as with passkeys and platform authenticators: the fingerprint or face never leaves the device, and there is no biometric “secret” a user could hand to a phishing site. A biometric sent to a server as a password substitute does not have this property and can be captured and replayed like any other credential. The European Union's General Data Protection Regulation (GDPR) considers the privacy implications of biometric data, requiring stringent security measures for its processing, thereby indirectly promoting the use of secure biometric authentication technologies.
  • Public Key Cryptography: Uses a pair of keys, public and private, for authentication. The private key, kept secret by the user, signs a digital challenge or transaction; the public key, known to the server, verifies the signature. Because the private key never leaves the user's device (ideally a hardware-protected store from which it cannot be exported) and the user never types it, there is nothing for a phisher to capture. One caveat: a bare signed challenge can still be relayed by a real-time proxy between the victim and the real site, so the signed data must also be bound to the server's identity or origin, as FIDO2 does, for the scheme to be phishing-resistant rather than merely password-less. Financial institutions and government entities often use public key infrastructure (PKI) for secure communications, digital signatures and authentication.
  • Certificate-Based Authentication: Uses digital certificates to authenticate users, for example X.509 client certificates on smart cards (such as U.S. government PIV and CAC cards) presented during a mutually authenticated TLS handshake. The certificate, issued by a trusted Certificate Authority, binds the user's public key to an identity; the user proves possession of the matching private key during the handshake, and that proof is tied to the server the client actually connected to, so it is resistant to phishing. The more familiar HTTPS server certificate is the other half of the same PKI: it authenticates the server to the browser and encrypts data in transit, and industry bodies and governments mandate HTTPS for all web traffic, but a server certificate on its own does not authenticate the user.
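To make the origin binding concrete, here is a simplified model of a WebAuthn-style assertion, written as an added example for this article (it is not the author's or Axiad's code, and the names example.com, example-login.com and the function names are illustrative). It plays four login attempts against a relying party: a genuine login, a replay of that same assertion, an adversary-in-the-middle proxy on a look-alike domain that relays the real challenge, and a tampered client that signs with the right key from the wrong origin. Real WebAuthn uses CBOR authenticator data, COSE keys and further checks; only the challenge, origin and rpIdHash binding that makes the scheme phishing-resistant is modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed example: hypothetical relying party and phishing domain.
const (
	rpID     = "example.com"         // relying party ID the credential is scoped to
	rpOrigin = "https://example.com" // origin the server expects in clientData
)

// clientData is built by the browser, not by page script or the user, so
// Origin is the true origin of the page that requested the assertion.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url of the server's challenge
	Origin    string `json:"origin"`
}

type assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // SHA-256(rpID) || flags
	Signature      []byte // ECDSA over AuthData || SHA-256(ClientDataJSON)
}

// authenticator models a security key holding one key pair per rpID.
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func (a *authenticator) register(id string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[id] = k
	return &k.PublicKey
}

// sign produces the assertion; the private key never leaves the authenticator.
func (a *authenticator) sign(id, origin string, challenge []byte) (*assertion, error) {
	key, ok := a.keys[id]
	if !ok {
		return nil, errors.New("authenticator: no credential for rpID " + id)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	h := sha256.Sum256([]byte(id))
	authData := append(h[:], 0x05) // flags: user present + user verified
	cdHash := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, key, append(append([]byte{}, authData...), cdHash[:]...))
	if err != nil {
		return nil, err
	}
	return &assertion{cd, authData, sig}, nil
}

// browserGetAssertion is the browser's part of the ceremony: it refuses an
// rpID that does not match the page's origin (WebAuthn allows a registrable
// domain suffix; exact host match is used here for brevity) and it, not the
// page, fills in the origin. A look-alike site cannot ask for example.com's key.
func browserGetAssertion(a *authenticator, pageOrigin, id string, challenge []byte) (*assertion, error) {
	if strings.TrimPrefix(pageOrigin, "https://") != id {
		return nil, fmt.Errorf("browser: rpID %q is not valid for origin %q", id, pageOrigin)
	}
	return a.sign(id, pageOrigin, challenge)
}

// relyingParty is the server: it issues single-use challenges and checks
// challenge, origin, rpIdHash and signature before accepting a login.
type relyingParty struct {
	pub        *ecdsa.PublicKey
	challenges map[string]bool
}

func (rp *relyingParty) newChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[base64.RawURLEncoding.EncodeToString(c)] = true
	return c
}

func (rp *relyingParty) verify(as *assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || !rp.challenges[cd.Challenge] {
		return errors.New("unknown or already used challenge")
	}
	delete(rp.challenges, cd.Challenge) // single use: blocks replay
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin mismatch: assertion was made on %s", cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 33 || string(as.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	if !ecdsa.VerifyASN1(rp.pub, append(append([]byte{}, as.AuthData...), cdHash[:]...), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func outcome(err error) string {
	if err == nil {
		return "accepted"
	}
	return err.Error()
}

// runScenarios plays four login attempts and returns the server's verdict on each.
func runScenarios() map[string]string {
	auth := &authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &relyingParty{pub: auth.register(rpID), challenges: map[string]bool{}}
	res := map[string]string{}

	c := rp.newChallenge() // 1. genuine login from the real origin
	good, _ := browserGetAssertion(auth, rpOrigin, rpID, c)
	res["genuine"] = outcome(rp.verify(good))

	res["replay"] = outcome(rp.verify(good)) // 2. replay: challenge already consumed

	c = rp.newChallenge() // 3. proxy on example-login.com relays the real challenge
	_, err := browserGetAssertion(auth, "https://example-login.com", rpID, c)
	res["proxy_browser"] = outcome(err)

	// 4. even a tampered client that signs with the right key is caught server-side,
	//    because the origin in clientData names the phishing site
	forged, _ := auth.sign(rpID, "https://example-login.com", c)
	res["proxy_server"] = outcome(rp.verify(forged))
	return res
}

func main() {
	for k, v := range runScenarios() {
		fmt.Printf("%-14s %s\n", k, v)
	}
}
```

Two layers reject the relayed login: a conforming browser will not let a page on example-login.com use a credential scoped to example.com at all, and if that check were bypassed the server still sees the real origin in clientData, which it signed over. Contrast this with a TOTP or SMS code, which the same proxy could relay unchanged.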

Because stolen information alone, a password or an SMS code, is never enough to reach a protected resource, each of these approaches makes it much harder for phishers to succeed.

Why phishing resistance has become critical

Phishing-resistant authentication methods have become critical because of the sophistication of cyber threats and because of evolving industry and government mandates, designed to protect sensitive information and critical infrastructure from phishing attacks. Integrating phishing-resistant authentication helps teams comply with these regulations.

The adoption of these phishing-resistant authentication methods has been further propelled by specific mandates, such as the U.S. Cybersecurity Executive Order (Executive Order 14028, May 2021), which directs federal agencies to adopt secure authentication methods including MFA and encryption, and the follow-on OMB memorandum M-22-09 (January 2022), which requires agencies to use phishing-resistant MFA specifically.

Complying with these mandates helps to mitigate phishing and other cybersecurity risks, and also ensures that organizations can avoid potential legal and financial repercussions associated with data breaches and non-compliance.

Practical applications of phishing-resistant authentication

Companies have begun to embrace phishing-resistant authentication. For example, Google requires its employees to use physical security keys for access to its corporate resources, and has reported that it saw no successful phishing of employee accounts after the rollout. Banks worldwide have integrated biometric authentication methods, including fingerprint and facial recognition, into their mobile banking apps. This improves user convenience compared to remembering and changing a password, and also aligns with regulatory requirements to secure customer transactions; the phishing resistance comes from the device-bound key the biometric unlocks, so the app must use it that way rather than as a shortcut to a stored password.

In other adoption moves, email encryption services such as ProtonMail use public key cryptography (OpenPGP) to secure email communications, ensuring that only the sender and intended recipient can read the contents; this is the same cryptography applied to confidentiality rather than to login. And TLS certificates (still widely called SSL certificates) are used across the internet to secure website communications. For instance, financial institutions use certificates to ensure secure connections for online banking services, protecting customer data during transmission. One caveat: a valid certificate only proves the browser reached the domain shown in the address bar, and phishing sites routinely obtain valid certificates for look-alike names, so the padlock alone does not stop phishing; origin-bound credentials do.

By adopting such measures, organizations can enhance their security against phishing attacks and ensure compliance with relevant industry and government mandates, a move that represents just the starting point for phishing-resistant authentication. We must now foster a secure and trustworthy digital ecosystem capable of withstanding evolving cyber threats.

Bassam Al-Khalidi, chief innovation officer, Axiad
