Phishing Resistant MFA is Key to Peace of Mind


By Bob Lord, Senior Technical Advisor, Cybersecurity and Infrastructure Security Agency

CEOs and IT executives, stop me if you’ve heard this before…

One of the employees at your company gets a call from someone who says they are from the company's outsourced IT support desk, calling to diagnose a problem they are seeing on the backend, something that if not corrected will lock the employee out.

To help solve this login issue, the alleged IT support specialist directs the staffer to update their password so that it works with the "new" identity and access manager. They send the staffer a link to a password change site and ask them to change the password there. The site asks for the current password, the employee then gets an authentication code on their phone, they type that in too, and bam! Problem solved. Disaster averted.

Or maybe not. Maybe we now have a whole new and much larger problem that could affect the whole company. Maybe you just gave a hacker access to your company's internal systems, and maybe they are now able to reach the admin tools as well.

While one can hope that most employees would be better at avoiding phishing scams, it happens all too often, and even a well-informed and trained employee, like our very smart and highly knowledgeable staffer in the example above, can make a mistake as hackers become more sophisticated and gain access to better tools. Maybe your company deployed traditional multifactor authentication, or MFA, for all staff to thwart some of these attacks. And indeed, MFA defeats some common attack vectors, like password guessing and the reuse of passwords stolen elsewhere. But it doesn't solve all forms of credential theft, as the scenario above illustrates. In that scenario, the attacker asked for, and received, the employee's username, password, and 6-digit MFA code, and relayed all three to the real login page within the short window in which the code is valid. Nothing in a one-time code ties it to the site the user typed it into, so the real site cannot tell the difference. These "MFA bypass" attacks are not theoretical risks; they are happening in the wild, even against well-funded companies with excellent security staff.

Luckily, there is a technology that thwarts these MFA bypass attacks, and we call it (unsurprisingly) "phishing-resistant" MFA. Unlike regular MFA, phishing-resistant MFA is designed so that the scenario above fails: the authentication response is cryptographically bound to the legitimate site's identity, so nothing a user can type or approve on a lookalike page gives the attacker anything the real site will accept. Phishing-resistant MFA comes in a few forms, such as smartcards or FIDO security keys.

So what's a security key anyway? If you haven't yet heard of them, or perhaps haven't had time to investigate this technology, security keys are small external devices that connect to your computer or phone over USB or NFC, or pair over Bluetooth, to enable secure login to websites and applications; many also require a touch or a fingerprint to confirm a person is present. The key holds a separate credential for each site, registered to that site's domain, and when a site asks it to sign a login challenge, the browser reports which site is actually asking. A lookalike domain therefore gets no usable response: the key has no credential for it, and a response produced there would be rejected by the real site anyway. So phishing pages can't harvest anything replayable, and because the private key never leaves the device, even a weak or stolen password has an extra layer of protection.
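The difference between the relayed 6-digit code in the scenario above and a security key login, as an added example that is not part of the original post: a small Python model (not code from CISA or the FIDO Alliance) of the check the real site performs in each case. The TOTP part follows RFC 6238 using only the standard library; the WebAuthn part is deliberately simplified, with an HMAC over a per-credential secret standing in for the authenticator's asymmetric signature and only the fields that matter for origin binding (origin, challenge, rpIdHash) kept. The origins, password and RP names are constructed for the example.

```python
# Added example (not from the CISA post): toy model of why a one-time code can be relayed
# by a phishing page while a FIDO/WebAuthn assertion cannot. TOTP is RFC 6238 (stdlib only);
# on the WebAuthn side an HMAC over a per-credential secret stands in for the real signature.
import hashlib
import hmac
import json
import os
import struct
from typing import Optional

REAL_ORIGIN = "https://login.example.com"  # constructed: the legitimate service
EVIL_ORIGIN = "https://login-example.com"  # constructed: the attacker's lookalike
USER_PASSWORD = "hunter2"                  # constructed
TOTP_SECRET = b"12345678901234567890"      # RFC 6238 test-vector seed

def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, dynamically truncated."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_site_login(password: str, code: str, now: float) -> bool:
    """The real site's check. Nothing here says where the user typed the code."""
    return password == USER_PASSWORD and hmac.compare_digest(code, totp(TOTP_SECRET, now))

def phish_totp(now: float) -> bool:
    """Fake page collects the password and the code shown on the victim's phone, then replays them."""
    typed_code = totp(TOTP_SECRET, now)  # the victim typed this into EVIL_ORIGIN
    return totp_site_login(USER_PASSWORD, typed_code, now + 5)  # relayed 5 s later, same window

def rp_id_of(origin: str) -> str:
    """RP ID = host part of the origin (no scheme, port or path)."""
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]

class SecurityKey:
    """Authenticator: each credential is scoped to one RP ID and is never used for another."""
    def __init__(self):
        self.credentials = {}  # rp_id -> secret (stands in for the private key)

    def register(self, rp_id: str) -> bytes:
        self.credentials[rp_id] = os.urandom(32)
        return self.credentials[rp_id]  # toy: the RP stores this in place of a public key

    def get_assertion(self, browser_origin: str, challenge: bytes) -> Optional[dict]:
        rp_id = rp_id_of(browser_origin)  # the browser, not the web page, supplies the origin
        secret = self.credentials.get(rp_id)
        if secret is None:
            return None  # no credential for this domain: nothing is signed, nothing to steal
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": browser_origin}).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        sig = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

class WebAuthnService:
    """Relying party: verifies origin, challenge freshness, rpIdHash and signature."""
    def __init__(self, origin: str, credential_pub: bytes):
        self.origin, self.rp_id, self.pub = origin, rp_id_of(origin), credential_pub
        self.pending = set()

    def challenge(self) -> bytes:
        c = os.urandom(32)
        self.pending.add(c)
        return c

    def login(self, assertion: Optional[dict]) -> bool:
        if assertion is None:
            return False
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False  # signed on some other site
        challenge = bytes.fromhex(cd.get("challenge", ""))
        if challenge not in self.pending:
            return False  # replayed or never issued
        self.pending.discard(challenge)
        if assertion["auth_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False  # credential belongs to a different RP ID
        to_verify = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.pub, to_verify, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["sig"])

def run_scenarios(now: float = 1_700_000_000) -> dict:
    """Legitimate and phished logins with each factor; True means the real site accepted the login."""
    out = {"totp_legit": totp_site_login(USER_PASSWORD, totp(TOTP_SECRET, now), now),
           "totp_phished": phish_totp(now)}
    key = SecurityKey()
    rp = WebAuthnService(REAL_ORIGIN, key.register(rp_id_of(REAL_ORIGIN)))
    out["fido_legit"] = rp.login(key.get_assertion(REAL_ORIGIN, rp.challenge()))
    # Attacker fetches a real challenge and relays it to the victim's browser on the lookalike site.
    out["fido_phished"] = rp.login(key.get_assertion(EVIL_ORIGIN, rp.challenge()))
    # Even if the victim had earlier registered the same key at the lookalike site, the RP
    # rejects the assertion: clientData carries the wrong origin and rpIdHash does not match.
    key.register(rp_id_of(EVIL_ORIGIN))
    out["fido_phished_with_evil_credential"] = rp.login(key.get_assertion(EVIL_ORIGIN, rp.challenge()))
    return out
```

Calling run_scenarios() returns a dictionary of which logins the real site accepted. Both TOTP logins succeed, because the code is valid anywhere for its 30-second window and the relying party has no way to tell where it was typed. The relayed FIDO challenge fails because the authenticator holds no credential for login-example.com, and even a key that did answer on the lookalike domain produces an assertion whose clientData origin and rpIdHash the real site rejects.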

I can't say it enough: Give every employee a set of security keys and mandate that they use them for access to all internal services. After suffering an MFA bypass attack, what do victim companies do? Many report that they deploy security keys so the same attacks won't work again. Why learn the hard way?

Here's a special note for Software as a Service (SaaS) providers: Many of your customers were convinced to move their data to the cloud in part because they thought it would be more secure. Accordingly, they now expect you to take all the necessary precautions to keep their data safe. In other words, their security has now become your business, and your reputation. Cloud providers should go beyond making security keys available to staff and make them a company-wide policy mandate. Those little keys could be the difference between a failed attack and one that exposes your customers' data. (Hint to SaaS customers: ask your providers whether their staff can access your data without using security keys!)

Many leaders are tempted to double down on employee education rather than mandate security keys. But when your staff are up against hard-working, dedicated adversaries, training alone just won't work. And people who think they are too smart to fall for a con are perfect marks! The benefit of security keys is that when your staff fall for the con, and trust me, they will, the attackers will still fail to compromise their accounts.

And while it's true that any form of MFA is better than no MFA, we need to be clear that the time has come for all enterprises to roll out security keys to their staff, especially system administrators.

I've heard from many people about roadblocks they believe prevent them from fully deploying security keys and eliminating one of the top attack vectors facing organizations of all sizes. But they end up so focused on what they cannot do, rather than on what they can do, that they do nothing. We have some recommendations on how to start in this phishing-resistant implementation guide.

Remember, from the hacker's point of view, it's their job to trick your staff into doing something that gives them the advantage. They might even have a sense of professional pride at stake, along with other motivations such as money or even loyalty to an adversarial nation with lots of resources on tap. Your people are up against some highly resourced and determined adversaries, so give them the help they need. Security keys take the guesswork out of everyday human flaws and errors and offer critical peace of mind for busy company leadership. (I'm looking at you, CEOs and senior executives!)

There is a lot of good information and research out there by organizations like the FIDO Alliance, which I encourage everyone to explore and use.

And for more tips and information from CISA, visit More than a Password | CISA and check out CISA Director Jen Easterly’s blog from last fall, Next Level MFA: FIDO Authentication | CISA.