How to Prevent Phishing Attacks with Multi-Factor Authentication
Phishing takes advantage of the weakest link in any organization’s cybersecurity system: human behavior. Phishing attacks are generally launched via email, although a growing share of opening salvos now arrive by text message (smishing) or phone call (vishing).
In the most common scenario, an email arrives purporting to be from HR or IT, for example. It looks just like any other company email. It advises the reader to update their personal information or IT profile by clicking on a link or opening an attachment. When the person does so, they are asked to enter personally identifiable information such as their date of birth, full name, Social Security number and password. This lets the attacker take over the account and steal the victim’s identity; it is also frequently the initial-access stage of a ransomware attack that locks the entire company out of its IT systems.
According to the countless simulated phishing tests carried out by security awareness training vendor KnowBe4, a third of any employee base is classified as phish-prone. Once trained on phishing scams, 17.6% still have a tendency to be fooled by the latest tricks of cybercriminals. By continuing with user training on security scams and phishing for one year, that number drops to 5%. In other words, it is unlikely that any organization can completely eliminate intrusions caused by phishing attempts. This makes it abundantly clear why every organization needs to institute multi-factor authentication (MFA).
How multi-factor authentication works
One of the best defenses against credential-stealing phishing attacks is multi-factor authentication. MFA imposes an additional step that individuals must complete before they are granted access. Thus, even if cybercriminals obtain a password, they should be blocked from using it, because they lack the additional factor needed to gain entry.
MFA requires at least two independent factor types during authentication: something you know (a password), something you have (a phone, authenticator app or hardware token that receives or generates a code), and/or something you are (a fingerprint or face scan). By adding a second device or a biometric check, MFA makes it harder for a credential thief to turn a stolen password into a working login.
If someone clicks a malicious link and their password is stolen, MFA offers a second point of verification that a threat actor holding only the password does not control, whether it is an SMS code, an email verification or an authenticator app.
For the end user, this means that they will have to either provide a biometric identifier on their device or laptop, or be sent a code by text or an authenticator app on their phone. This typically only takes a few seconds. The only hassle might be when there is a delay in the code arriving.
Note, however, that threat actors have stepped up their game by finding ways to capture or bypass MFA codes. According to an alert from the Cybersecurity and Infrastructure Security Agency (CISA):
“[I]n a widely used phishing technique, a threat actor sends an email to a target that convinces the user to visit a threat actor-controlled website that mimics a company’s legitimate login portal. The user submits their username, password, as well as the 6-digit code from their mobile phone’s authenticator app.”
CISA recommends using phishing-resistant MFA as a way to improve overall cloud security against phishing attacks. There are several ways that this can be accomplished.
Choosing the best MFA solution for your business
Any type of MFA will help protect data in the cloud from a phishing attack. The most common consumer-grade MFA is a one-time code sent by text message. However, threat actors have figured out ways to trick users into sharing those codes, or to relay them in real time through a proxy site. Further, users may leave themselves vulnerable by not setting up MFA across all of their applications and devices or by turning off MFA completely. Therefore, it is vital that organizations favor phishing-resistant MFA, require at least two distinct factor types, and enforce enrollment everywhere to achieve a high level of protection against cyberattacks. Here are the main authentication methods to look for in MFA candidates:
Code sharing
Code sharing (one-time passcodes) operates by sending a code by SMS to a mobile phone or by generating a time-based code in an authenticator app on that device. Because the user types the code into whatever page is in front of them, a phishing site that proxies the real login can forward it to the legitimate service while it is still valid. Code sharing raises the bar against straightforward password reuse, so it is a good start, but it is not phishing-resistant.
Fast ID Online
Fast ID Online (FIDO) leverages asymmetric cryptography: the authenticator holds a private key that never leaves the device and uses it to sign a challenge from the service, which verifies the signature with the matching public key registered at enrollment. The credential is bound to the legitimate site’s origin, so a look-alike domain cannot obtain a valid signature to relay, which is what makes FIDO phishing-resistant. FIDO authentication works in one of two ways: through separate physical tokens (roaming authenticators such as security keys) or through platform authenticators embedded in laptops or mobile devices.
NFC
NFC stands for near-field communication, a short-range wireless interface that lets a physical security key (a fob, a USB key with an NFC antenna, or a smart card with an embedded security chip) communicate with a phone or laptop when tapped against it. NFC is a transport for a FIDO or smart-card authenticator, not an authentication method in itself; its value is that it lets the same hardware-backed credential be used on mobile devices that lack a USB port.
Recommended MFA solutions
There are several enterprise-grade MFA solutions available.
PingOne MFA
As well as standard MFA features such as one-time passwords and biometrics, PingOne utilizes dynamic policies that IT can use to optimize the authentication process and integrate authentication into business applications.
Cisco Duo
Cisco Secure Access by Duo offers a wide range of out-of-the-box integrations, a simple enrollment process and convenient push authentication features. It is one of the most widely deployed MFA applications.
IBM Security Verify
IBM’s MFA offering integrates with many IBM security tools and IBM products, making it a good choice for businesses favoring IBM tools. It offers both cloud and on-prem versions, as well as adaptive access and risk-based authentication.