Stay One Step Ahead: Legacy vs. Phishing Resistant MFA
Protect Against Phishing Attacks: Learn How Phishing Resistant MFA Keeps You Safe
Kelsey Young, Copywriter and Media Specialist
7 Min Read
Despite increased awareness, phishing remains effective because it preys on human behavior. Attackers craft legitimate-looking emails, messages, or websites to deceive victims into revealing personal information, passwords, credit card numbers, and more.
Phishing, a tactic used by attackers to deceive victims into revealing sensitive information, remains one of the most predominant cybersecurity threats. Thankfully, multi-factor authentication (MFA) has risen as a defense mechanism.
However, not all MFA solutions are created equal.
What is Multi-Factor Authentication MFA?
MFA is a security system that requires more than one form of authentication to verify a user’s identity. Traditional MFA solutions might combine something you know, like a password, something you have, like a security token or a phone, and a biometric element such as a fingerprint or facial recognition. Learn more about MFA in GDC’s article Using Multi-Factor Authentication (MFA) to Protect Sensitive Data.
Legacy forms of MFA
Legacy MFA typically refers to the earlier forms of MFA that were adopted widely before newer phishing-resistant technologies were developed.
Types of Legacy MFAs
SMS-Based Tokens
This method sends a one-time passcode (OTP) to the user’s mobile phone via text message, which the user must enter on the authentication screen to gain access to the system or service. This MFA approach relies on the assumption that the user’s phone is in their possession and thus, in theory, only the legitimate user can receive and enter the OTP to verify their identity.
While SMS-based tokens do offer a significant security upgrade over simple username-and-password logins by incorporating something the user has (their phone) with something they know (their password), this method has been scrutinized for its vulnerabilities to interception, SIM swapping fraud, and other social engineering tactics.
Despite these weaknesses, SMS-based tokens have been widely adopted due to their ease of use and the ubiquity of mobile phones, but as cybersecurity threats evolve, they are gradually being supplanted by more robust, phishing-resistant MFA solutions.
Voice-Based Verification
This involves the use of a person’s unique voice patterns as an authentication factor, under the assumption that these vocal characteristics are difficult to replicate. During setup, the user’s voice print is captured and stored, serving as a baseline for future authentication attempts. To authenticate, the user speaks a passphrase, which the system analyzes and compares to the stored voice print.
While voice verification adds a biometric layer of security—“something you are”—it is categorized as a legacy form primarily due to its susceptibility to sophisticated spoofing techniques, background noise interference, and the variability in a person’s voice due to health or environmental factors.
Nevertheless, its convenience and the intuitive nature of using voice commands have kept it in use, particularly in scenarios where hands-free authentication is beneficial. As part of a broader MFA strategy, voice-based verification is facing competition from more advanced biometric solutions like fingerprint and facial recognition, which offer enhanced security and lower risk of duplication.
Email-Based Codes
This involves sending a temporary code or link to the user’s registered email address, which they must enter or follow to complete the authentication process. It builds on the premise that access to the user’s email account constitutes a second factor of authentication, since it is presumed only the user has access to their emails.
This method adds an extra layer of security by ensuring that even if someone has obtained a user’s password, they would still need access to that individual’s email to retrieve the code and gain access to the account.
Email-based MFA is considered less secure than other forms of MFA, such as those using physical tokens or biometric verification, because email accounts can be compromised through phishing attacks, malware, or other security breaches. As such, while still in use, email-based codes are increasingly being replaced by more secure MFA methods.
Knowledge-Based Answers
Often known as “security questions,” a user must provide answers to pre-selected questions that are supposedly known only to them. This form of authentication relies on the concept of “something you know,” serving as an additional layer of security beyond the primary password. Users are typically prompted to set up these questions and answers when creating an account, and they must recall this information when challenged during the login process or while performing certain account actions.
Despite their intent to provide extra security, knowledge-based answers are considered less effective by modern standards because the answers can often be guessed, socially engineered, or mined from publicly available information on social media and other sources.
As a result, these answers can be a weak link in security, and many organizations are moving away from them in favor of more sophisticated and secure forms of MFA.
Phishing-Resistant MFA
Phishing-resistant Multi-Factor Authentication (MFA) incorporates authentication mechanisms designed to withstand attempts at deceiving users into surrendering their credentials.
Unlike legacy MFA methods, phishing-resistant MFA does not rely on shared secrets, like codes or passwords, that could be intercepted or replicated through social engineering tactics. Instead, it uses cryptographic principles and secure communication channels that cannot be easily exploited by attackers.
Techniques such as FIDO2 security keys, which require the user to physically possess and use the hardware token, or biometric verification methods like fingerprint or facial recognition, offer no useful information for an attacker to steal in a phishing attempt.
Moreover, these methods often require user interaction with the device (like pressing a button on a security key or performing a live biometric scan), providing an additional layer of defense.
The inherent design of phishing-resistant MFA methods seeks to minimize the attack surface and significantly reduce the chances of unauthorized account access, even in the face of sophisticated phishing operations.
The Elements of Phishing Resistant MFA
Phishing-resistant MFA incorporates several key elements to ensure that authentication data cannot be easily intercepted, reused, or redirected by phishing attacks:
Cryptographic Security
Utilizes public key cryptography to create a secure challenge-response mechanism that ensures only the holder of the private key (usually in a hardware token or a secure enclave on a device) can authenticate.
User Presence Verification
Requires the user to demonstrate their presence during the authentication process, often through a simple physical action, such as pressing a button on a security key, entering a PIN, or performing a biometric action.
Device Possession Proof
Ensures that the authentication is tied to the original device used for enrollment, such as a smartphone or hardware token, which means that even if a password or code is phished, it can’t be used to log in without the device.
Biometric Data
Employs unique biological characteristics of the user, like fingerprints, facial recognition, or iris scans, which are difficult to replicate or steal, as a form of user verification.
Protocol Standards
Implements secure communication protocols, like FIDO2, which includes the WebAuthn standard for web authentication, ensuring the end-to-end security of the authentication process.
Liveness Detection
To counter spoofing attacks, advanced systems ensure that the presented biometric is from a live person rather than a picture or a recording. This can include sensing pulse, heat, or requiring spontaneous actions or expressions.
No Shared Secrets
Unlike traditional MFA methods that use one-time codes sent over SMS or email, phishing-resistant MFA does not use any shared secret that could be intercepted or reused.
Limited Use Credentials
Any credential or token provided for authentication is limited to a single use or session, making it useless for attackers who might intercept it.
Endpoint Verification
Ensures that the authentication request originates from a trusted device and not a device under the control of an attacker.
By combining these elements, phishing-resistant MFA reduces the risk that an attacker can gain access to secure systems through stolen credentials. These elements together create an authentication environment that is resistant to the most common and effective phishing tactics.
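To make the challenge-response, single-use and origin-binding elements concrete, here is an added example of the checks a relying party (RP) performs on a WebAuthn-style assertion. It is not GDC’s code and not a complete FIDO2/WebAuthn implementation; it is a simplified model, in Go, of the ideas in the “Phishing-Resistant MFA” section and the “Cryptographic Security”, “User Presence Verification”, “No Shared Secrets” and “Limited Use Credentials” elements above. The user name, origins and RP ID are constructed assumptions, and the signature counter, attestation and credential ID handling of real WebAuthn are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// clientData mirrors the WebAuthn clientDataJSON fields used here. The browser,
// not the page, fills in Origin, so a phishing page cannot forge it. (Simplified model.)
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type Assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte // rpIdHash (32 bytes) || flags (1 byte); counter omitted
	Signature         []byte
}
// RelyingParty: expected origin and RP ID, enrolled public keys, outstanding challenges.
type RelyingParty struct {
	Origin, RPID string
	keys         map[string]*ecdsa.PublicKey // user -> credential public key
	challenges   map[string]bool             // challenge -> not yet used
}

func NewRelyingParty(origin, rpID string) *RelyingParty {
	return &RelyingParty{Origin: origin, RPID: rpID, keys: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}

// Enroll stores only the public key; the private key never leaves the authenticator.
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.keys[user] = pub }

// NewChallenge issues a random challenge that Verify accepts exactly once.
func (rp *RelyingParty) NewChallenge() string {
	buf := make([]byte, 32)
	rand.Read(buf)
	c := base64.RawURLEncoding.EncodeToString(buf)
	rp.challenges[c] = true
	return c
}

// Sign models browser plus authenticator: the browser records the current origin in
// clientDataJSON, the authenticator signs rpIdHash || flags || SHA256(clientDataJSON).
func Sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) Assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flags bit 0: user present (button press)
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return Assertion{ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}
}

// Verify applies the RP-side checks: challenge outstanding (then consumed), origin
// matches, rpIdHash matches, user presence flag set, signature valid for the enrolled key.
func (rp *RelyingParty) Verify(user string, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return errors.New("malformed client data")
	}
	if !rp.challenges[cd.Challenge] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.challenges, cd.Challenge) // consume it even if a later check fails
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: " + cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rp.RPID))
	if len(a.AuthenticatorData) != 33 || string(a.AuthenticatorData[:32]) != string(rpHash[:]) ||
		a.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("rpIdHash mismatch or user presence not asserted")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if pub := rp.keys[user]; pub == nil || !ecdsa.VerifyASN1(pub, msg[:], a.Signature) {
		return errors.New("no enrolled credential or bad signature")
	}
	return nil
}

// Demo runs three constructed scenarios and reports which ones the RP accepted.
func Demo() (legit, replay, wrongOrigin bool) {
	rp := NewRelyingParty("https://login.example.com", "example.com")
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rp.Enroll("alice", &priv.PublicKey)
	a := Sign(priv, rp.RPID, rp.Origin, rp.NewChallenge())
	legit = rp.Verify("alice", a) == nil
	replay = rp.Verify("alice", a) == nil // same assertion again: challenge already consumed
	// User signs while on a look-alike origin (constructed name); the browser records that origin.
	b := Sign(priv, rp.RPID, "https://login-example.evil.test", rp.NewChallenge())
	wrongOrigin = rp.Verify("alice", b) == nil
	return legit, replay, wrongOrigin
}
```

Two design points are worth noting. The challenge is deleted before the remaining checks run, so a single assertion can never be retried after a failed check, which is what “limited use credentials” means in practice. And the origin comparison, not the signature alone, is what defeats a look-alike site: the signature in the third scenario is perfectly valid for the enrolled key, but it covers an origin the RP never issued a challenge for, so it is rejected. Nothing the user typed or tapped on the look-alike page gives an attacker a reusable secret, which is the “no shared secrets” property in action.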
Beat Phishing with MFA and GDC
GDC empowers businesses to increase employee productivity, maximize investments, and improve operational efficiencies. Our experienced and certified professionals can discuss your business needs and your goals for growth to help you access the right security threat management tools and resources.
Our advanced technologies continuously monitor and analyze your network activity, looking for new and unknown threats. We keep your corporate data safe by implementing security assessments, penetration testing, and vulnerability analysis to detect suspicious activity. Recognizing security threats and implementing preventive solutions is a key focus of our networking and infrastructure experts.