Not All Multi-Factor Authentication Is Created Equal

Multi-factor authentication (MFA) continues to be a vital component of any identity security initiative, but a rapidly changing threat landscape is progressing past the capabilities of many legacy solutions. The resources to get past traditional MFA solutions are now available to even the most rudimentary hackers, and many MFA platforms simply aren’t designed to keep up – with either hackers or evolving guidelines. As such, MFA is swiftly shifting from organizations’ greatest defense against data breaches to one of their most glaring weaknesses.

Federal guidelines are calling for a new era of MFA

On the heels of catastrophic breach incidents such as SolarWinds, Microsoft Exchange, and Colonial Pipeline, the US federal government took action. In May 2021, President Biden signed an Executive Order to modernize cybersecurity, giving federal agencies and third-party contractors 180 days to implement cloud services security, zero trust architecture, and MFA.

This was a groundbreaking initiative, and just seven months later the US federal government upped the ante. In January 2022, the Office of Management and Budget (OMB) released a memo with a roadmap for transitioning government agencies to zero trust architecture by 2024. This same memo explicitly instructed agencies to adopt phishing-resistant, passwordless MFA.

These executive communications should be considered a stake in the ground. They are confirmation of what many security leaders have already suspected – MFA is undoubtedly a cybersecurity best practice, but most MFA solutions are ill equipped to navigate today’s increasingly active threat landscape.

MFA must be phishing resistant to be effective

The use of an emerging phrase like “phishing resistant” in a federal memo is significant, but it raises the question – what does phishing resistance mean in today’s modern workplace?

Many legacy MFA platforms rely on easily phishable factors like passwords, push notifications, one-time codes, or magic links delivered via email or SMS. In addition to the complicated and often frustrating user experience they create, phishable factors such as these open organizations up to cyber threats. Through social engineering attacks, employees can be easily manipulated into providing these authentication factors to a cyber criminal. And by relying on these factors, the burden to protect digital identities lies squarely on the end user, meaning organizations’ cybersecurity strategies can hinge entirely on a moment of human error. Beyond social engineering, man-in-the-middle attacks and readily available toolkits make bypassing existing MFA a trivial exercise. Where there is a password or another weak, phishable factor, there is an attack vector for hackers, leaving organizations to suffer the consequences of account takeovers, ransomware attacks, data leakage, and more.

A phishing-resistant MFA solution removes these factors entirely, so there is nothing for an end user to be tricked into handing over, even by accident, and nothing for automated phishing tooling to collect. Instead, this next generation of MFA platforms uses phishing-resistant factors, including:

  • Local biometrics, like facial or fingerprint recognition, which are unique to each user and are stored securely in specialized hardware (TPM/Secure Enclave), not in easily breached databases.
  • Cryptographic passkeys that are securely stored on the endpoint in a TPM/Secure Enclave. The corresponding public key is stored in the cloud. This method cryptographically ties each user to their device and ensures nothing phishable transits the network. This provides trust in the user identity and that users are logging in from an authorized device.
  • Hardware security keys, which remove the need for push notifications and require that the physical device be present in order to access sensitive information.
  • Device-level security posture checks that are performed continuously to ensure each device meets security policies both before access to apps is granted and afterward.

Anytime organizations introduce a human to the authentication process, they increase friction, risk, and introduce the potential for social engineering. By doing away with phishable employee-controlled factors like passwords, one-time codes, or security questions in favor of cryptographic signatures, organizations can establish a much higher level of trust in the identity and also deliver a streamlined user experience.

Hackers are evolving, but only some MFA is keeping pace

To remain compliant with changing regulations and stay one step ahead of cyber criminals, organizations are widely adopting MFA platforms. But the type of MFA matters. Phishing-resistant MFA removes the vulnerabilities that hackers have come to easily exploit while top-tier solutions also provide a frictionless authentication process to ensure that it can be easily adopted by organizations. It eliminates the potential for human error, taking ownership of cybersecurity away from the employee and into the hands of new, much more secure methods.

Not all MFA is created equal, as the vast majority of the MFA in use today is easily phishable. But phishing-resistant MFA can modernize authentication and bolster cybersecurity architectures to provide a fortified first line of defense against ransomware, data breaches, and account takeover attacks.