In October 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) published a memo in which they “strongly urged” organisations to implement phishing-resistant MFA as a “high priority effort”.
The memo was published in response to a step-change in the availability of phishing kits that bypass most forms of multifactor authentication that are in use today.
Most of today’s phishing attacks use Adversary in the Middle (AiTM) kits. In these attacks, targeted users are tricked into entering their credentials into an attacker-controlled phishing site.
That phishing site is also acting as a proxy – relaying user credentials to the legitimate web application the user intends to sign into. These kits can relay most MFA challenges back and forth between the targeted user and the legitimate web application.
This can allow attackers to capture both user passwords and intercept the session token returned by the legitimate web application to the user’s browser. That session token can then be used by the attacker to access the legitimate application session for the remainder of its duration.
These kits allow adversaries to bypass MFA flows that rely on passwords or one-time secrets. This includes one-time passcodes generated via authenticator apps, SMS and email.
These real-time AiTM phishing capabilities have been publicly available since as far back as 2017. The game changed in mid-2022 when we observed that these capabilities were now available to a larger number of lesser-skilled actors via services that rent the infrastructure, configuration and phishing templates “as-a-service” at fairly affordable prices. We’ve since seen large-scale campaigns that hit millions of Office 365 users every month.
Phishing-resistant authentication is the primary control that stops these attacks in their tracks.
So, what is phishing resistance, by definition? It isn’t any old MFA. It isn’t “Push with Number Matching”. To be truly phishing resistant, the channel being authenticated must be cryptographically bound to the output of the authenticator. In plain English, this means that the domain (address) of the website you are signing in to is tied to your authenticator, to ensure that your authenticator won’t issue your credentials to a fake phishing web page.
There are only a handful of phishing-resistant authenticators available. In Okta’s Workforce Identity Cloud, we offer three phishing-resistant options. Our passwordless authenticator, FastPass, can deliver phishing resistance on Android, iOS, MacOS and Windows, irrespective of whether the device is managed or unmanaged.
We also support FIDO2 WebAuthn authenticators, whether they are roaming (security keys) or platform-based (a TPM built into your device), and whether they are device-bound or multi-device credentials. We also support the use of PIV Smart Cards.
Admins can not only require users to enrol in phishing-resistant authenticators but also enforce the use of these factors to access sensitive applications and data.
Beyond the security benefits, these passwordless methods of sign-in also deliver a superior user experience. In Okta’s recent Secure Sign-In Trends report, we observed that the median challenge time (the time it takes for Workforce users to log in) using phishing-resistant authenticators is a mere 3-4 seconds, while passwords and OTPs take orders of magnitude longer.
What about PassKeys?
PassKeys, or multi-device WebAuthn credentials, offer an industry-standard approach to reducing reliance on passwords in customer identity flows. They provide every user on the internet an option for phishing-resistant authentication.
Providers of consumer cloud services like Google and Apple offer the ability to transfer these FIDO2 credentials between devices. This makes PassKeys fundamentally more usable for consumer applications, breaking down barriers to passwordless.
Okta’s Customer Identity Cloud (formerly Auth0) offers developers all the tools they need to roll out PassKeys to their web and mobile applications.
PassKeys will be a hit. They are going to change user expectations about “signing in” to anything. Within the next 12 months, your staff will demand a similar experience in the enterprise.
In a corporate environment however, PassKeys do not offer the same assurance as device-bound authenticators, given that a PassKey used to access a corporate application can be synchronized to a personal account/device that isn’t managed or controlled by enterprise security teams.
That’s why in Okta’s Workforce Identity Cloud, administrators can write policies that require an authenticator to be phishing resistant AND device bound, among other properties.
In summary
Organisations that have enforced phishing-resistant sign-in flows with Okta call it the most significant security win they’ve had in years. Phishing-resistant authentication provides a fundamentally better user experience while helping relieve CISO anxiety about one less avenue for compromise.