Is Your Organization Ready for Phishing-Resistant MFA?

Published: July 5, 2024
  • Many popular forms of MFA do not meet emerging cybersecurity standards and industry best practices
  • RFID and NFC products can be a better alternative for combating the dangers your company and employees face

A growing number of organizations are moving to multi-factor authentication (MFA) for logging into computers, networks and applications.

That’s a wise business practice, but many popular forms of MFA, such as one-time codes and push notifications, do not meet emerging cybersecurity standards and industry best practices.

For maximum security, IT departments should help their companies migrate to more secure, phishing-resistant forms of MFA.

The Problem with Phone-Based MFA

Currently, the most common forms of MFA used by corporations are one-time codes (which may be sent via email or SMS text or generated by an authenticator app) and push notifications. Both methods rely on the user having access to a trusted device (usually a smartphone) to receive the code or notification.

When combined with a username and password, these methods provide an additional layer of security, confirming that the person logging in is who they say they are.

However, these methods are far from foolproof—or, to be more precise, far from phishing-proof. Cyberattacks have grown increasingly sophisticated in recent years, and many forms of phishing, social engineering and data interception have explicitly arisen to defeat these common forms of MFA.

“Push” Problems

Push notifications require the user to hit accept on a notification sent to their smartphone. While easy for end users, push notifications are vulnerable to both social engineering and push bombing.

In a push bombing attack, the user is repeatedly sent push notifications, often making their smartphone largely unusable until they finally accept (accidentally or in frustration).

Social engineering may be used to trick users into accepting the push notification—for example, in the form of a phone call from someone pretending to be part of the IT department or another trusted authority.
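Push bombing leaves a recognisable trace in the identity provider's logs: a burst of push prompts to one user, followed by an approval after a run of denials or timeouts. The following detector is an added example (not code from the article or from ELATEC) that runs that check over a few constructed log lines; the log format, the user names, the threshold of five prompts in five minutes and the "three failures before an approval" rule are all assumptions chosen for illustration and should be tuned to a real deployment.

```python
"""Flag MFA push-bombing patterns in authentication logs (added illustration).

Two signals are checked per user:
  1. a burst: more than THRESHOLD push prompts inside a sliding WINDOW;
  2. an approval that follows PRIOR_FAILURES or more consecutive denials/timeouts,
     the shape of a user accepting "accidentally or in frustration".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<timestamp> <user> <push outcome>".
SAMPLE_LOG = """\
2024-07-05T08:00:01Z alice push_sent
2024-07-05T08:00:03Z alice push_approved
2024-07-05T09:15:00Z bob push_sent
2024-07-05T09:15:31Z bob push_timeout
2024-07-05T09:15:40Z bob push_sent
2024-07-05T09:15:45Z bob push_denied
2024-07-05T09:16:02Z bob push_sent
2024-07-05T09:16:10Z bob push_denied
2024-07-05T09:16:30Z bob push_sent
2024-07-05T09:16:50Z bob push_denied
2024-07-05T09:17:05Z bob push_sent
2024-07-05T09:17:20Z bob push_denied
2024-07-05T09:17:40Z bob push_sent
2024-07-05T09:17:55Z bob push_approved
"""

THRESHOLD = 5                  # more prompts than this within WINDOW is a burst (assumed)
WINDOW = timedelta(minutes=5)  # sliding window length (assumed)
PRIOR_FAILURES = 3             # approvals after this many failures are suspicious (assumed)


def parse(line: str):
    """Split one log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def analyze(log_text: str) -> dict:
    """Return {user: [finding, ...]} for users showing a push-bombing pattern."""
    findings = defaultdict(list)
    sent_times = defaultdict(deque)   # sliding window of push_sent timestamps per user
    failures = defaultdict(int)       # consecutive denials/timeouts since last approval
    burst_reported = set()            # report each user's burst once
    for line in log_text.splitlines():
        ts, user, event = parse(line)
        if event == "push_sent":
            q = sent_times[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop prompts older than the window
                q.popleft()
            if len(q) > THRESHOLD and user not in burst_reported:
                findings[user].append(f"push burst: {len(q)} prompts within {WINDOW}")
                burst_reported.add(user)
        elif event in ("push_denied", "push_timeout"):
            failures[user] += 1
        elif event == "push_approved":
            if failures[user] >= PRIOR_FAILURES:
                findings[user].append(
                    f"approval after {failures[user]} consecutive failures")
            failures[user] = 0
    return dict(findings)


if __name__ == "__main__":
    for user, notes in analyze(SAMPLE_LOG).items():
        print(user, notes)
```

In the constructed sample, alice produces no findings, while bob trips both rules: six prompts inside the window and an approval after five straight denials or timeouts. Either finding on its own is a reasonable trigger for a help-desk call-back to the user, and the second one in particular is worth treating as a possible account compromise rather than a user-experience complaint.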

Issues with One-time Codes

One-time codes are also problematic. First, they are highly cumbersome for users, resulting in more failed login attempts and lost time. Users may have to wait for a code to arrive via text or email and then enter it along with their login credentials.

Alternatively, they may use an app such as Google Authenticator, which generates new one-time codes for registered applications every 30-60 seconds.

  • Users may be tricked into revealing their one-time codes or entering them into a fraudulent login screen via sophisticated phishing or social engineering attacks. While one-time codes do expire, cybercriminals only need moments to take control of an account.
  • Codes sent via SMS text are vulnerable to a form of attack called SIM swapping, in which attackers trick cellular carriers into transferring the target’s phone number to a SIM card that they control.
  • One-time codes can also be exposed by other forms of data interception, such as keystroke loggers or the exploitation of weaknesses in the mobile signalling network (known as SS7 protocol vulnerabilities).

What is Phishing-Resistant MFA?

Phishing-resistant MFA refers to authentication methods designed to mitigate the risks posed by phishing attacks—and, not incidentally, other forms of data interception. They typically do this by eliminating the requirement that users create, remember and manually enter login credentials.

Many IT professionals are familiar with hardware tokens such as FIDO2 keys. Employees’ existing physical access credentials (e.g., RFID prox cards, smart cards or NFC mobile credentials) can also serve as phishing-resistant passwordless MFA solutions.

Innovative solutions enable a user to log into a computer or other office device (such as a networked multifunction printer) by simply tapping the card, token or smartphone over a reader embedded in or attached to the device. The second form of authentication can be a simple user PIN or a biometric factor.
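The practical difference between a one-time code and a FIDO2-style credential is that the code is valid no matter which web page the user types it into, whereas the hardware credential signs over the origin the browser is actually on, so a look-alike page that relays the real site's challenge cannot obtain a usable response. The following is an added example, not code from the article or from ELATEC, that makes this concrete: the TOTP side follows RFC 6238 with the standard library; the assertion side is a deliberately simplified model of the WebAuthn flow in which an HMAC with a per-credential key stands in for the authenticator's asymmetric signature, the client data is a plain "challenge|origin" string, and the origins, keys and challenge are constructed values.

```python
"""Added illustration: a one-time code is relayable, an origin-bound assertion is not.

TOTP is RFC 6238. The FIDO2/WebAuthn side is a simplified model: HMAC with a
per-credential key stands in for the authenticator's signature so this runs offline.
"""
import hashlib
import hmac
import struct

# Constructed values (not from any real deployment).
TOTP_SEED = b"constructed-shared-seed-for-demo"
CREDENTIAL_KEY = b"constructed-per-credential-key"
LEGIT_ORIGIN = "https://login.corp.example"
PHISH_ORIGIN = "https://login-corp.example"    # constructed look-alike relay site


def totp(seed: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def rp_verify_totp(seed: bytes, submitted: str, now: int) -> bool:
    """The relying party checks the code against the clock only; nothing in the
    code says which page the user typed it into."""
    return hmac.compare_digest(totp(seed, now), submitted)


def _signed_payload(rp_id: str, client_data: bytes) -> bytes:
    """What the authenticator signs: hash(RP ID) || hash(client data)."""
    return hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()


def browser_get_assertion(cred_key: bytes, browser_origin: str, challenge: bytes):
    """Browser + authenticator side. The browser, not the page script, records the
    origin it is on and derives the RP ID from it; the authenticator signs both."""
    rp_id = browser_origin.split("://", 1)[1]           # host part of the origin
    client_data = f"{challenge.hex()}|{browser_origin}".encode()
    sig = hmac.new(cred_key, _signed_payload(rp_id, client_data), hashlib.sha256).digest()
    return client_data, sig


def rp_verify_assertion(cred_key: bytes, expected_origin: str, challenge: bytes,
                        client_data: bytes, sig: bytes) -> bool:
    """Relying party check: origin in client data is ours, challenge is the one we
    issued, and the signature covers our RP ID plus that exact client data."""
    chal_hex, _, origin = client_data.decode().partition("|")
    if origin != expected_origin or bytes.fromhex(chal_hex) != challenge:
        return False
    rp_id = expected_origin.split("://", 1)[1]
    expected = hmac.new(cred_key, _signed_payload(rp_id, client_data), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def relay_scenario(now: int = 1_720_166_400) -> dict:
    """A look-alike page forwards whatever the user produces to the real site.
    Constructed scenario with a fixed clock so the outcome is deterministic."""
    # 1. One-time code typed on the look-alike page and forwarded within the 30 s step.
    code_typed_on_phish = totp(TOTP_SEED, now)
    totp_relay_accepted = rp_verify_totp(TOTP_SEED, code_typed_on_phish, now + 5)

    # 2. The relay forwards the real challenge, but the user's browser is on the
    #    look-alike origin, so the assertion is bound to that origin.
    challenge = hashlib.sha256(b"constructed-challenge").digest()
    phish_data, phish_sig = browser_get_assertion(CREDENTIAL_KEY, PHISH_ORIGIN, challenge)
    relay_accepted = rp_verify_assertion(CREDENTIAL_KEY, LEGIT_ORIGIN, challenge,
                                         phish_data, phish_sig)

    # 3. If the relay rewrites the origin field, the signature no longer matches.
    tampered = phish_data.replace(PHISH_ORIGIN.encode(), LEGIT_ORIGIN.encode())
    tampered_accepted = rp_verify_assertion(CREDENTIAL_KEY, LEGIT_ORIGIN, challenge,
                                            tampered, phish_sig)

    # 4. The same flow from the genuine origin succeeds.
    good_data, good_sig = browser_get_assertion(CREDENTIAL_KEY, LEGIT_ORIGIN, challenge)
    genuine_accepted = rp_verify_assertion(CREDENTIAL_KEY, LEGIT_ORIGIN, challenge,
                                           good_data, good_sig)

    return {
        "totp_relay_accepted": totp_relay_accepted,
        "assertion_relay_accepted": relay_accepted,
        "assertion_tampered_accepted": tampered_accepted,
        "assertion_genuine_accepted": genuine_accepted,
    }


if __name__ == "__main__":
    for name, outcome in relay_scenario().items():
        print(f"{name}: {outcome}")
```

The two checks the relying party performs in step 2 and step 3 are the whole of the phishing resistance: the origin is supplied by the browser rather than by the page, and the signature covers it, so neither relaying nor rewriting the response helps. A correct TOTP implementation has no equivalent field to check, which is why the article's advice is to move away from codes rather than to harden them.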

Advantages of RFID/NFC Solutions

These methods of MFA provide significant advantages both in terms of user convenience and security.

  • They take advantage of a resource employees already carry, such as an ID badge or smartphone, which simplifies rollout and user acceptance. With card-based solutions, employee pushback on the use of personal devices is wholly eliminated.
  • They eliminate user-managed passwords and provide true multi-factor authentication, which greatly improves security and complies with emerging cyber insurance, HIPAA, financial industry, defense contractor and other industry MFA requirements.
  • Since users do not know their login credentials, they can’t be tricked into revealing them via phishing or social engineering. The user’s PIN is useless without the physical card or phone.
  • True MFA login is now faster than single-factor login with a typed password and much faster than phone-based MFA using one-time codes or push notifications (which still require passwords). This enhances user productivity and reduces the burden on IT related to password resets and login support, which more than pays for the cost of the MFA service.
  • There are a variety of low-cost, highly flexible solutions available, in both on-premise and Software-as-a-Service (SaaS) models, that are a breeze to set up and administer to suit almost any conceivable requirements.
  • No infrastructure investment or server modification is required, unlike public key infrastructure (PKI) solutions.

Meeting Modern Cybersecurity Standards

Due to rising cybersecurity threats, phishing-resistant MFA is now recommended by the U.S. Cybersecurity & Infrastructure Security Agency (CISA) and other security experts. Forms of phishing-resistant MFA include FIDO2 hardware security tokens and RFID/NFC+PIN.

Implementing modern, phishing-resistant MFA will help organizations maintain compliance with regulatory requirements for information security, such as ISO/IEC 27001, the Federal Information Security Management Act (FISMA) for government agencies, HIPAA for healthcare providers, the Family Educational Rights and Privacy Act (FERPA) for educational institutions, and the American Bar Association (ABA) Model Rule 1.6(c) for lawyers.

Companies offering cyber insurance are also increasingly pushing organizations to implement phishing-resistant MFA to reduce risks associated with phishing, ransomware attacks and compromised passwords.

Moving Away from Phone-Based MFA

IT professionals can help organizations stay ahead of emerging requirements and significantly reduce cyber risks by moving to phishing-resistant MFA now. RFID/NFC+PIN is a simple, CISA-compliant solution that can be implemented using a corporate ID card or smartphone that employees already carry for access applications.

Employees simply use their existing ID card or a mobile credential on their phone to unlock computers, printers and other office equipment. RFID/NFC+PIN can also be combined with single sign-on (SSO) software for access to business networks, files and applications, whether workers are in the office or remote. It’s the easiest way to implement phishing-resistant MFA and ensure ongoing compliance with industry cybersecurity standards.


About the Author: Mike Harris serves as the senior manager of business development for ELATEC Inc. in Palm City, Florida. In his position, Mike is responsible for connecting ELATEC market needs and its internal teams, including Product Development, Engineering, and Sales. He has a Master of Science in Physics from Southern Methodist University and held global product management positions at Elo Touch Solutions and Ocular LCD Inc. before joining ELATEC.