The role of MFA in the fight against phishing
James Thorpe
Share this content
As the digital world has evolved and innovated, so too have the techniques used by bad actors, writes Fredrik Martinsson, Senior Director of Business Development, Fingerprint Cards.
Phishing attacks are on the rise, with a 47.2% increase in 2022 compared to 2021. This makes phishing the most common form of cyber-crime, with 3.4 billion malicious emails sent every day.
Today’s phishing attempts are significantly more complex for several reasons.
Firstly, there are several new communication channels for hackers to exploit. Previously limited to email as the only possible communication channel for phishing attempts, hackers can now also phish through phones and other personal communication channels.
Secondly, with company and personal data freely available online, phishing emails can be highly tailored and personalised.
Unlike the original phishers, phishers today can litter emails with facts, such as your boss’ name or your company’s address/phone number, to make the email more credible. Recently, hackers have been leveraging AI content generation tools to make phishing more scalable, efficient and credible.
A hacker can provide all the required prompts, taken from publicly available information, for a tool like ChatGPT to create a highly convincing email from, for example, an organisation’s Finance Director or CEO.
This template can then be adapted for each employee within that organisation and instantly shared using a mass email sending program. Email phishing attacks have increased by 1,265% since ChatGPT launched.
But don’t worry. Despite the rising threat, many organisations are fighting back and looking to evolve traditional security measures and fortify against the digital threats of today.
Article Chapters
ToggleHow do we fight phishing?
In recent years, a number of new solutions have been introduced to combat phishing attacks. Most include some form of multi-factor authentication (MFA), to add layers of authentication on top of (or to replace) legacy security measures, such as passwords/PINs.
The best authentication solutions seek to minimise or remove user interaction altogether, reducing the risk of human error, that causes 95% of data breach incidents (according to IBM).
Two of the most popular anti-phishing solutions on the market today are as follows:
Number Matching
This is the default authentication method for all Microsoft Authenticator users worldwide. Users are required to input a one-time security code sent to their personal device when logging into the authenticator app.
This enhances security by adding a layer of authentication to the log-in process. However, it creates unwanted manual processes and friction for the user.
On top of this, phishers have found ways to get around one-time passwords/security codes, as witnessed in the Coinbase phishing attack.
Passkey technology
Based on FIDO Alliance and W3C standards, passkeys replace passwords with cryptographic key pairs.
This requires the user to further authenticate themselves off-site using either soft or hardware-bound solutions.
After the user has input their username and password, the site will send a notification to the device that the user used when they registered their account asking for further verification.
This further verification can leverage either soft or hardware-bound solutions.
Software-bound passkey – these solutions allow for support of passkey using your smartphone through authenticator applications or clickable authentication links. Microsoft, Google and Apple have all adopted passkey technology for authentication. Though, depending on the security features incorporated by a user’s personal smart device, they have the potential to add additional manual steps to the log-in process, again creating unwanted friction.
Hardware-bound passkey – hardware-bound solutions are typically considered more secure than software-bound solutions. This is because they are purpose-built and offline, meaning the attack surface for attackers is smaller. They allow for support of passkey using a separate, physical authentication device, such as a FIDO2 token or an access key card. These solutions enhance convenience through leveraging ‘something you are/have’, as opposed to ‘something you know’.
When assessing the current anti-phishing solutions market, passkey technology is the closest thing we have to phishing resistance.
Yet, the level of security depends on the solution supporting it. If passkey is supported by a solution that relies on ‘something you know’, like with PINs and passwords, then a lack of security and convenience persists.
However, if passkey is supported by ‘something you are/have’, such as a biometrics-enabled smartphone or hardware token, phishing risks are not only reduced, but convenience is enhanced – you’d be more secure than ever and would never have to remember a PIN or password again.
Are you the key to phishing resistance?
The smartphone, PC, access control and payments industries are already familiar with the value offered by using each person’s uniqueness to strengthen authentication.
Through years of familiarisation, via our phones, PCs and laptops, consumers have come to trust and value biometric authentication – 52% of those who use biometrics prefer it over any other authentication method.
By incorporating biometric technology into the authentication process, you become the key to offering more robust security. PINs and passwords are easy to implement, but they are also easily compromised through phishing, data breaches and other social engineering techniques.
With biometrics, it becomes impossible to share your log-in credentials externally. This drastically limits the potential for human error being the cause of a data breach.
In addition, no biometric information is stored in a database. Instead, the information is stored on the device itself as a template in binary code. Storing the template as a mathematical representation rather than an image makes hacking considerably more challenging.
Additionally, as the number of connected systems in our lives grows, it is becoming almost impossible to create, remember and manage a growing list of passwords and PINs. 60% of consumers feel that they have too many passwords to remember, with some consumers having in excess of 85 for all their professional and personal accounts.
The authentication process with biometrics is simple, safe and secure; you never have to remember another password again.
Today, it is estimated that 81% of smartphones globally incorporate some form of biometrics – the familiarity and scalability of biometrics also cannot be understated.
As the market moves towards passkey technology for authentication, most of us will already/will be able to leverage biometrics to support passkey technology.Â
While innovation is offering more opportunity for organisations to work smarter, it’s also opening the door to sophisticated crime and a continued rise in phishing.
While we can (unfortunately) admit that it won’t be eradicated anytime soon, the industry is fighting back with innovative solutions.
PINs and passwords are no longer sufficient to keep phishers at bay so MFA processes should be considered the bare minimum.
As a guide for best-practice, we should look to incorporate some form of passkey into authentication processes. For those looking to achieve total authentication and further fortify against phishers, a passkey process that is supported by biometrics will ensure robust security and a seamless user experience.