With sensitive data and applications dispersed across fragmented computing environments, multi-factor authentication (MFA) has emerged as the primary way to authenticate and protect digital identities within a zero-trust security framework. However, MFA is not bulletproof, and not all authentication methods are equally safe.
The mandate for phishing-resistant authentication
In a February 2022 paper, NIST noted that certain MFA implementations, including SMS-based OTPs and push notifications through authenticator apps, are unsafe. “All MFA processes using shared secrets are vulnerable to phishing attacks,” notes the NIST paper. Attacks against companies like Cisco, Uber, and, most recently, Reddit have highlighted the limitations of MFA and shown that social engineering techniques such as MFA fatigue can bypass the protections it offers.
In response to these developments and to protect sensitive data from rising cyber threats, government cybersecurity agencies worldwide have increased their requirements and recommended leveraging phishing-resistant authentication methods. For example, in the US, presidential Executive Order 14028 and the Office of Management and Budget (OMB) memo mandate that “Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.”
In the European Union, ENISA issued guidelines asking organizations to avoid using SMS and voice calls as authentication methods. Instead, they should consider “deploying phishing resistant tokens such as smart cards and FIDO2 security keys.” In addition, CISA, the US Cybersecurity and Infrastructure Security Agency, recommends in two recent security advisories that organizations implement phishing-resistant MFA.
Government agencies and security organizations highlight FIDO authentication as the go-to solution for implementing phishing-resistant MFA and PKI as an alternative when FIDO is not supported.
Follow a hybrid approach to deploying phishing-resistant authentication
Although FIDO2 is future-proof, it is essential to highlight that this authentication protocol is not a panacea for many organizations: FIDO cannot support all legacy IT resources because it is designed only for modern applications compatible with the WebAuthn standard.
For example, many organizations, especially in the critical infrastructure, healthcare, public administration, and finance sectors, run legacy IT infrastructure that cannot support FIDO; they can rely only on PKI authentication to protect against increasing phishing and other cyber-attacks. In addition, FIDO cannot support specific operations, such as digital signing and file encryption, that PKI covers. Finally, there are use cases where businesses are transitioning gradually from PKI to FIDO as they modernize their IT systems and applications.
CISOs and other security executives face the challenge of meeting compliance mandates without disrupting their IT infrastructure and operations. The only way to support all these use cases is a hybrid approach to phishing-resistant authentication. Allan Ant of Gartner, in his March 2023 Gartner IAM Summit presentation “Go Passwordless Whenever You Can, Wherever You Can,” noted, “FIDO2 promises a universal, standardized approach to passwordless authentication, but at least in the near term, alternative and hybrid approaches will be needed.”
Phishing-resistant tokens
One answer to these concerns is to invest in fusion security tokens that offer the best of both worlds, PKI and FIDO. There are five reasons why businesses should consider investing in these security keys:
- They help organizations adopt FIDO while maintaining traditional PKI use cases such as certificate-based authentication (CBA), digital signing, and file encryption.
- They can be used on a large variety of devices, improving security for enterprise resources accessed from multiple endpoints via USB-A and USB-C interfaces.
- They help organizations meet the requirements of their market by complying with standards such as Common Criteria, eIDAS, and ANSSI.
- They make life easier for IT and users: FIDO2 is a passwordless open standard compatible with many identity providers, and one security key supports multiple use cases.
- They combine FIDO2 with PKI certificate-based authentication (CBA) in a single authenticator, which means they are designed to protect end users against account compromise through phishing and man-in-the-middle attacks.
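The NIST observation quoted earlier, that any MFA process built on a shared secret is phishable, and the claim in the last bullet that FIDO2 resists phishing and man-in-the-middle attacks both come down to one property: whether the second factor is bound to the site the user is actually on. The simulation below, an added illustration that is not part of the original article or of any vendor's product code, contrasts a standard TOTP code (RFC 6238) with a simplified WebAuthn-style assertion. The origins, the TOTP seed, and the use of an HMAC key in place of the authenticator's asymmetric key pair are all constructed for the example; the relying-party checks (origin match, fresh challenge, valid signature) follow the shape of WebAuthn verification.

```python
"""Why a shared-secret OTP can be relayed through a phishing page while a
WebAuthn-style assertion bound to the relying-party origin cannot.
Illustrative simulation; origins, secrets and the HMAC stand-in for the
authenticator's signature are all constructed."""
import hashlib
import hmac
import os
import secrets
import struct

LEGIT_ORIGIN = "https://login.example.com"    # constructed relying party
PHISH_ORIGIN = "https://login.examp1e.com"    # constructed look-alike site


# ---- Shared-secret factor: TOTP (RFC 6238, HMAC-SHA1, 30 s time step) ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_relay_succeeds(secret: bytes, unix_time: int) -> bool:
    """The user types the current code into a phishing page and the proxy
    forwards it to the real server within the same time step. Nothing ties
    the code to where it was entered, so the real server accepts it."""
    code_typed_on_phishing_page = totp(secret, unix_time)
    expected_by_real_server = totp(secret, unix_time)
    return hmac.compare_digest(code_typed_on_phishing_page, expected_by_real_server)


# ---- Origin-bound factor: simplified WebAuthn assertion ----
class Authenticator:
    """The browser, not the user or the web page, supplies the origin that
    gets signed. A per-credential HMAC key stands in for the private key."""
    def __init__(self) -> None:
        self.cred_key = os.urandom(32)

    def get_assertion(self, challenge: bytes, browser_origin: str) -> dict:
        client_data = f"{browser_origin}|{challenge.hex()}".encode()
        sig = hmac.new(self.cred_key, client_data, hashlib.sha256).digest()
        return {"client_data": client_data, "sig": sig}


class RelyingParty:
    def __init__(self, origin: str, registered: Authenticator) -> None:
        self.origin = origin
        self.cred_key = registered.cred_key   # stands in for the stored public key
        self.pending = set()                  # challenges issued but not yet used

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, assertion: dict) -> bool:
        origin, challenge_hex = assertion["client_data"].decode().split("|", 1)
        challenge = bytes.fromhex(challenge_hex)
        if origin != self.origin or challenge not in self.pending:
            return False          # signed for another site, or replayed
        self.pending.discard(challenge)
        expected = hmac.new(self.cred_key, assertion["client_data"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["sig"])


def webauthn_login(user_is_on: str) -> bool:
    """A proxy can fetch a genuine challenge and hand it to the user's browser,
    but the browser signs the origin it is really on (`user_is_on`), so the
    real site rejects the assertion unless the user was genuinely on it."""
    key = Authenticator()
    rp = RelyingParty(LEGIT_ORIGIN, key)
    challenge = rp.new_challenge()
    assertion = key.get_assertion(challenge, browser_origin=user_is_on)
    return rp.verify(assertion)


if __name__ == "__main__":
    seed = b"constructed-totp-seed"
    print("OTP relayed via phishing page accepted:", otp_relay_succeeds(seed, 1_700_000_000))
    print("WebAuthn from legitimate origin accepted:", webauthn_login(LEGIT_ORIGIN))
    print("WebAuthn from phishing origin accepted:", webauthn_login(PHISH_ORIGIN))
```

The OTP path returns True because the server has no way to tell a code typed on the real site from one relayed by a proxy; the WebAuthn path returns False for the look-alike origin because the origin is part of what the authenticator signs and the relying party compares it to its own. This is the same reason smart-card and PKI-based CBA over a properly validated TLS session resists relay: the proof of possession is bound to the session, not to a value the user can be talked into retyping elsewhere.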