
Is your organization ready for phishing-resistant MFA?

By Mike Harris, ELATEC Inc.

  • Many popular MFA methods, such as one-time codes and push notifications, do not meet emerging cybersecurity standards and industry best practices
  • RFID and NFC credentials can be more phishing-resistant alternatives for combating cybercrime

A growing number of organizations are adopting multi-factor authentication (MFA) to log in to computers, networks, and applications.

This is a smart business practice, but many popular forms of multi-factor authentication, such as one-time codes and push notifications, do not meet emerging cybersecurity standards and industry best practices.

For maximum security, IT departments must help their organizations migrate to more secure and phishing-resistant forms of multi-factor authentication.

The problem with phone-based multi-factor authentication

Currently, the most common forms of multi-factor authentication used by businesses are one-time codes (which can be sent via email or SMS or generated by an authenticator app) and push notifications. Both methods rely on the user having access to a trusted device (usually a smartphone) to receive the code or notification.

Combined with a username and password, these methods provide an extra layer of security, confirming that the person logging in is who they say they are.

These methods are far from foolproof, however, or more accurately, far from phishing-proof. Cyberattacks have become increasingly sophisticated in recent years, and many forms of phishing, social engineering, and data interception have been explicitly designed to defeat these common forms of multi-factor authentication.

“Push” problems

Push notifications require the user to tap Accept on a notification sent to their smartphone. While easy to use for end users, push notifications are vulnerable to both social engineering and push bombing.

In a push bombing attack, the user repeatedly receives push notifications, often rendering their smartphone largely unusable until they finally accept (accidentally or out of frustration).

Social engineering can be used to trick users into accepting the push notification, for example in the form of a phone call from someone pretending to be an IT person or other trusted authority.
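As an added example (not from the article or from ELATEC), the following script flags the push-bombing pattern described above in constructed MFA push log lines: a burst of denied or unanswered prompts for one user ending in an approval. The log format, the five-minute window and the threshold of three unanswered prompts are assumptions for illustration.

```python
# Added example (not from the article): flag push-bombing patterns in MFA
# push logs. Log format and threshold values are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <user> <push_result>"
SAMPLE_LOG = """\
2024-03-01T02:10:05 alice denied
2024-03-01T02:10:21 alice timeout
2024-03-01T02:10:40 alice denied
2024-03-01T02:11:02 alice timeout
2024-03-01T02:11:30 alice approved
2024-03-01T09:15:00 bob approved
2024-03-01T09:40:12 bob denied
2024-03-01T09:41:00 bob approved
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events

def detect_push_bombing(events, window=timedelta(minutes=5), min_unanswered=3):
    """Return {user: count} for users whose approval was preceded, within the
    window, by at least min_unanswered denied/timeout pushes. A spike of
    unanswered prompts that ends in an approval is the signature of the
    push-bombing pattern (the user gives in after repeated prompts)."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = {}
    for user, evs in by_user.items():
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            recent = [r for t, r in evs[:i]
                      if ts - t <= window and r in ("denied", "timeout")]
            if len(recent) >= min_unanswered:
                alerts[user] = max(alerts.get(user, 0), len(recent))
    return alerts

if __name__ == "__main__":
    print(detect_push_bombing(parse_log(SAMPLE_LOG)))  # {'alice': 4}
```

Alice's approval at 02:11:30 follows four unanswered prompts in under two minutes and is flagged; Bob's single denial before an approval stays below the threshold.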

Problems with single-use codes

One-time codes are also problematic. First, they are very cumbersome for users, leading to more failed logins and wasted time. Users may be forced to wait for a code to arrive via SMS or email, and then enter it with their login credentials.

They can also use an app like Google Authenticator, which generates new one-time codes for registered apps every 30 to 60 seconds.

  • Users can be tricked into revealing their one-time codes or entering them into a fraudulent login screen via sophisticated phishing or social engineering attacks. While one-time codes expire, it only takes a few moments for cybercriminals to take control of an account.
  • The codes sent via SMS are vulnerable to a form of attack called SIM swapping, in which attackers trick mobile operators into transferring the target’s phone number to a SIM card they control.
  • One-time codes may also be vulnerable to other forms of data interception, such as keyloggers or the exploitation of vulnerabilities in the mobile signalling network (known as SS7 protocol vulnerabilities).

What is Phishing-Resistant Multi-Factor Authentication?

Phishing-resistant multi-factor authentication (MFA) refers to authentication methods designed to mitigate the risks posed by phishing attacks and, secondarily, other forms of data interception. They typically do this by eliminating the need for users to manually create, remember, and enter their login credentials.

Many IT professionals are familiar with hardware tokens such as FIDO2 keys. Employees’ existing physical access credentials (e.g. RFID proximity cards, smart cards, or NFC mobile credentials) can also serve as phishing-resistant passwordless MFA solutions.

Innovative solutions allow a user to log in to a computer or other office device (such as a networked multifunction printer) by simply tapping their card, token or smartphone on a reader that is built into or connected to the device. The second form of authentication can be a simple user PIN or a biometric factor.

Benefits of RFID/NFC solutions

These multi-factor authentication methods offer significant advantages in terms of both ease of use and security.

  • Card-based solutions leverage an asset that employees already have on them, such as an ID badge or smartphone, simplifying deployment and user acceptance. Card-based solutions make it easier for employees to use their personal devices.
  • They eliminate user-managed passwords and provide true multi-factor authentication, which significantly improves security and complies with emerging cyber insurance, HIPAA, financial industry, defense contractor and other industry MFA requirements.
  • Users do not know their login credentials and therefore cannot be tricked into revealing them through phishing or social engineering. The user’s PIN is useless without the physical card or phone.
  • True MFA is now faster than single-factor login with a typed password and significantly faster than phone-based MFA using one-time codes or push notifications (which still require passwords). This improves user productivity and reduces IT workload related to password resets and login assistance, more than offsetting the cost of the MFA service.
  • There are a variety of low-cost, highly flexible solutions available, in both on-premises and Software-as-a-Service (SaaS) models, that are easy to configure and administer to meet almost any imaginable requirement.
  • No infrastructure investment or server modifications are required, unlike public key infrastructure (PKI) solutions.

Meeting modern cybersecurity standards

Due to the increase in cybersecurity threats, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and other security experts now recommend phishing-resistant MFA. Phishing-resistant forms of MFA include FIDO2 and RFID/NFC+PIN security hardware tokens.

Implementing modern, phishing-resistant MFA will help organizations maintain compliance with information security regulatory requirements, such as ISO/IEC 27001, the Federal Information Security Management Act (FISMA) for government agencies, HIPAA for healthcare providers, the Family Educational Rights and Privacy Act (FERPA) for educational institutions, and American Bar Association (ABA) Model Rule 1.6(c) for attorneys.

Companies offering cyber insurance are also increasingly encouraging organizations to implement phishing-resistant MFA to reduce the risks associated with phishing, ransomware attacks, and compromised passwords.

Moving away from phone-based MFA

IT professionals can help businesses stay ahead of new requirements and significantly reduce the risk of cyberattacks by adopting phishing-resistant MFA now. RFID/NFC+PIN is a simple, CISA-compliant solution that can be implemented using a corporate ID card or smartphone that employees already carry for physical access control.

Employees simply use their existing ID card or a mobile ID on their phone to unlock computers, printers, and other office equipment. RFID/NFC+PIN technology can also be combined with single sign-on (SSO) software to access corporate networks, files, and applications whether employees are in the office or remote. It’s the easiest way to implement phishing-resistant MFA and ensure continued compliance with industry cybersecurity standards.


About the Author: Mike Harris is the Senior Director of Business Development for ELATEC Inc. in Palm City, Florida. Mike is responsible for connecting ELATEC’s market needs with its internal teams including product development, engineering and sales. He holds a Master’s degree in Physics from Southern Methodist University and held global product management positions at Elo Touch Solutions and Ocular LCD Inc. prior to joining ELATEC.