
How to Prevent Phishing Attacks with Multi-Factor Authentication



Phishing takes advantage of the weakest link in any organization's security: human behavior. Phishing attacks are most often launched by email, although campaigns increasingly open with a text message (smishing) or a phone call (vishing).

In the most common scenario, an email arrives purporting to be from HR or IT. It looks just like any other company email and advises the recipient to update their personal information or IT profile by clicking a link or opening an attachment. When the person does so, they are asked to enter personally identifiable information such as their date of birth, full name, Social Security number, and passwords.

This lets the attacker take over the account and steal the victim's identity. It can also be the initial stage of a ransomware attack that locks the entire company out of its IT systems.

According to KnowBe4's 2024 Global Phishing By Industry Benchmarking Report, roughly one in three employees (34.3% of an organization's workforce) is likely to interact with a malicious phishing email. After 90 days of anti-phishing training, 18.9% are still expected to fail a simulated phishing test. After a full year of phishing and security training, the figure falls to 4.6%.

In other words, no organization can expect to eliminate phishing-driven intrusions entirely, so some passwords will be stolen. That is why every organization needs multi-factor authentication.

How multi-factor authentication works

One of the best defenses against credential-stealing phishing is MFA. It adds a step the user must complete before access is granted, so even if criminals capture a password, they are still blocked because they lack the additional factor.

MFA requires at least two factors from different categories:

  • Something you know: a password or a PIN.
  • Something you have: a phone running an authenticator app, a phone number or email account that receives a one-time code, or a hardware security key.
  • Something you are: a fingerprint or facial recognition.

By having a secondary code-sharing device or a biometric tool for authentication, MFA makes it harder for credential thieves to get past those security factors.

If someone clicks a malicious link and enters their password, MFA provides a second check the attacker still has to pass, whether by SMS, email verification, or an authenticator app. That second check is only as strong as the factor chosen, however: as the CISA alert below shows, one-time codes can themselves be phished.

For the end user, this means providing a biometric on their device or laptop, or entering a code sent by text or generated by an authenticator app on their phone. This typically takes only a few seconds. The only hassle is the occasional delay in a code's arrival.

Note, however, that threat actors have stepped up their game by finding ways to compromise MFA credentials. According to an alert from the Cybersecurity and Infrastructure Security Agency:

“[I]n a widely used phishing technique, a threat actor sends an email to a target that convinces the user to visit a threat actor-controlled website that mimics a company’s legitimate login portal. The user submits their username, password, and the 6-digit code from their mobile phone’s authenticator app.”

In that scenario the attacker's site simply forwards the username, password, and code to the real portal before the code expires. CISA therefore recommends phishing-resistant MFA, which binds the authentication to the legitimate site, as the way to close this gap in cloud security. There are several ways to accomplish this.

Choosing the best MFA solution for your business

Any type of MFA raises the bar against a phishing attack. Consumer-grade MFA typically relies on a code sent by text. However, threat actors have learned to trick users into sharing those codes, or to relay them in real time from a lookalike site. Users also weaken their own protection by not enrolling MFA on every application and device, or by turning it off entirely.

Therefore, organizations should favor phishing-resistant MFA and require two or more factors to achieve a high level of protection against cyberattacks. Here are some of the features to look for in MFA candidates:

Code sharing

Code sharing sends a one-time code by text message to a mobile phone or generates one in an authenticator app on that device. It is a good start, but it is not phishing-resistant: nothing ties the code to the site the user types it into, so a user can be tricked into entering it on an attacker's page, as in the CISA scenario above.

Fast Identity Online

Fast Identity Online (FIDO) uses public-key cryptography: the authenticator holds a private key, the service stores only the matching public key, and login is a signature over a challenge from the server rather than a shared secret that can be typed into the wrong page. The signed data is bound to the website's identity, so a credential registered with the real site produces nothing a lookalike domain can use. FIDO authenticators come in two forms: separate physical security keys, and platform authenticators built into laptops and mobile devices.

NFC

NFC stands for near-field communication, a short-range wireless technology. It is a transport rather than a factor in its own right: it lets a physical security key, a fob, or a smart card with an embedded security chip authenticate to a phone or laptop with a tap instead of a cable or USB port.


Recommended MFA solutions

There are several enterprise-grade MFA solutions available.

PingOne MFA


Along with standard MFA features such as one-time passwords and biometrics, PingOne MFA offers dynamic policies that IT can use to tune the authentication process and integrate authentication into business applications. As a cloud-based MFA service, PingOne MFA can strengthen authentication by requiring a specific combination of factors, such as a fingerprint scan on the user's enrolled smartphone.

Cisco Duo


Cisco Secure Access by Duo offers many out-of-the-box integrations, a simple enrollment process, and convenient push authentication. It is one of the most widely deployed MFA products and strikes a healthy balance between ease of use and overall security. It works well with popular identity providers such as OneLogin, Okta, Active Directory, and Ping.

IBM Security Verify


IBM's MFA offering integrates with many IBM security tools and products, making it a good choice for businesses already invested in IBM. It is available in cloud and on-prem versions and includes adaptive access and risk-based authentication. IBM Security Verify enables MFA for most, if not all, applications with very little configuration. It currently supports email OTP, SMS OTP, time-based OTP, voice callback OTP, and FIDO authenticators as second factors, among others.
