One size doesn't fit all for multi-factor authentication

Today’s relentless online criminals have made it necessary to not only employ multifactor authentication in securing IT networks and apps, but to make sure that such authentication can also be phishing-resistant.

Why is phishing-resistant MFA necessary? In December 2023, StationX neatly summed up phishing attack trends, Top Phishing Statistics for 2024: Latest Figures and Trends. They noted that “phishing is the single most common form of cybercrime. An estimated 3.4 billion emails a day are sent by cyber criminals, designed to look like they come from trusted senders. This is over a trillion phishing emails per year.”

They also noted that 36% of all breaches are due to phishing and that phishing accounts for 45% of all ransomware attacks.

These staggering statistics point towards why agencies need to improve access controls. Let’s consider the underpinnings of the federal zero trust strategy and how that should be combined with various approaches to MFA.

Federal Zero Trust Strategy

Executive Order 14028, issued in May 2021, stressed that the federal government and private companies doing business with the government must move to secure cloud services and a Zero Trust architecture, including multifactor authentication and encryption.

The Zero Trust Strategy places significant emphasis on stronger enterprise identity and access controls, including MFA. It prioritizes defense against sophisticated phishing, directing agencies to consolidate identity systems for better protection and monitoring—“Federal staff have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks.”

Phishing-Resistant MFA Components

Federal agencies require three core Identity and Access Management functionalities to develop a phishing-resistant multifactor authentication system:

Enterprise-wide identity systems. Tightening access controls requires agencies to leverage data from different sources, such as analyzing device and user information. An enterprise identity management system must integrate across agency applications. It should be compatible with common applications, and integrate both among agencies and with externally operated cloud services. Modern open standards can assist with this integration.

Multifactor authentication. While MFA generally protects against common methods of gaining unauthorized account access, not all multi-factor authentication methods can protect against sophisticated phishing attacks. Consequently, phishing-resistant approaches to MFA are essential for agency staff, contractors, and partners. Options include PIV, FIDO2 and Web Authentication-based authenticators, and PKI certificate-based smart cards.

User Authorization. At present, federal systems focus on role-based access control (RBAC). This relies on static pre-defined roles assigned to users; these roles determine users’ permissions within an organization. A zero trust architecture, on the other hand, should incorporate more granularly and dynamically defined permissions, such as attribute-based access control (ABAC).

NIST defines ABAC as access control method “where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.” 

Authorization systems should incorporate at least one device-level signal alongside identity information about the authenticated user when regulating access to enterprise resources.

The Problem with Some Authenticators

In February 2022, NIST provided an MFA update stating, “All MFA processes using shared secrets are vulnerable to phishing attacks.” This includes authentication methods that rely on memorized secrets, look-up secrets, out-of-band authentication (SMS/PSTN) including push notification, and one-time-passwords (OTP).

SMS authentication is considered insecure by NIST. Authentication using Public Switched Telephone Networks is similarly considered insecure because of the possibility of device infection, authentication spamming and other social engineering. And while NIST considers PUSH OTP to be a better MFA method than SMS/PSTN authentication, it is not considered to be phishing-resistant.

Still, phishing resistant MFA methods may not be suitable for all contexts and circumstances. Therefore, NIST recommends that, besides using phishing-resistant MFA when needed, organizations should have at least one other authenticator that is not restricted, appropriate to the necessary level of assurance for the selected app or service.

Even though PUSH OTPs are not phishing-resistant, it could be a secondary approach to MFA some services. That would depend on the user and the sensitivity of the data. Such phone-based authenticator apps can be hardened by combining PUSH OTP with conditional and contextual authentication. Risk monitoring, end-point security and anomaly detection can help ensure the integrity of this approach.

A Combined Approach for Better Security

For even better security, however, IT managers should consider a combination of FIDO2 device-bound passkeys and biometry. This approach would provide phishing-resistant MFA with an enhanced authentication experience.

FIDO2 (or Fast Identity Online) authentication takes advantages of standard certified security keys to authenticate quickly and securely to online services. By replacing passwords with FIDO2 authenticators, apps and users can have a passwordless MFA experience that is resistant to phishing attacks and account takeovers and enables user adoption.

Adding biometric verification to FIDO2 authentication creates a robust security mechanism, that verifies the user's physical traits (biometric data is secured on the authenticator device and is not transmitted). The end-user has a seamless authentication experience, and IT department knows its system is compliant and secure.

All of this goes to show, however, that there may not be a one-size-fits-all approach to MFA compliance, especially when MFA must also be phishing-resistant. Understanding the guidelines for Zero Trust authentication, as well as the range of MFA solutions available, will greatly improve your cybersecurity posture.