So, You’ve got MFA…But Is It Phishing-Resistant?

The Problem with One-Time Codes and Push Notifications 

MFA methods like one-time codes and push notifications were put in place to reduce risks related to compromised or hacked passwords. MFA adds a second layer of security in the form of an additional authentication factor that must be entered along with the username and password. The most common forms of MFA are time-limited one-time codes (which may be sent via email or SMS text or generated by an authentication app at the time of login) and push notifications sent to a trusted device (such as a smartphone). These phone-based methods of MFA are meant to confirm the identity of the person entering the login credentials; the user must have access to a trusted smartphone/device to complete the login.

In theory, this prevents unauthorized logins by people who have acquired user credentials through a data breach or brute force hacking. If they don’t have the user’s phone, they can’t get the one-time code or push notification to complete the login attempt. However, cybercriminals have moved to highly sophisticated forms of phishing and other attacks specifically targeting these forms of MFA. For example: 

  • An employee receives a push notification on her smartphone asking her to authorize a login. At the same time, she receives a phone call from someone claiming to be from her IT department, letting her know that they have noticed unusual activity on her user profile and are resetting her account. They seem to know a lot about her and her company, so when they tell her to hit accept on the notification, she does. With the login attempt now confirmed on the trusted device, the cybercriminals can now take over her account, change the security settings and lock her out. 
  • An employee receives an email that appears to be from his IT department, telling him he needs to update his password for the company network. The link in the email takes him to a page that looks just like his regular login page, and when he enters his credentials, he is also asked to enter the one-time code generated by his authentication app, like always. The code is only good for a minute…but that’s long enough for hackers to enter it into the real website. 
  • A hacker calls the cell service provider for a target and, using stolen account information, convinces them to transfer service to a new SIM card on a phone he controls. Now, all one-time codes sent via SMS text are intercepted by the hacker—allowing him to gain access to multiple applications. 

These are just a few of the methods hackers use to defeat or bypass traditional MFA methods. In addition to phishing and social engineering, push notifications and one-time codes sent to or generated on a cell phone are vulnerable to SIM swapping, keyboard logging and other forms of interception that exploit vulnerabilities in cellphone communication architecture. One-time codes are also highly cumbersome for users, resulting in more failed login attempts and more time wasted, which can reduce compliance with MFA requirements. 

What Is Phishing-Resistant MFA? 

That’s why organizations such as the U.S. Cybersecurity & Infrastructure Security Agency (CISA) recommend that organizations implement phishing-resistant MFA. These are forms of MFA that eliminate the most vulnerable part of the process: the username and password. Instead, users log in via a user credential stored on a physical object (such as a hardware security key or ID card) or a smartphone. The second form of authentication can be a simple user PIN. 

Currently available authentication methods that meet the standard for phishing resistance include FIDO2 hardware security keys, radio-frequency identification (RFID) cards, or mobile credentials on the smartphone using near-field communication (NFC) combined with a PIN or biometrics as the second factor. Here’s what makes these methods phishing-resistant:

  • Users don’t know their credentials, so they can’t reveal them in a phishing or social engineering attack. 
  • Authentication happens locally between the physical card, fob or phone possessed by the user and a reader embedded in or attached to the device, so user credentials can’t be intercepted or used remotely. 
  • The secondary form of authentication, the user PIN, can only be used by someone who also has the card or smartphone in hand—so even if it is revealed, it is useless to a hacker.
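
The contrast between a one-time code and a phishing-resistant credential can be seen from the verifying server's side. The following is an added example, not code from this article or from ELATEC: it implements RFC 6238 TOTP and, going beyond the article's text, a simplified model of the origin binding FIDO2 uses, with an HMAC standing in for the authenticator's public-key signature. All keys, challenges and origins are constructed.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on secret and clock."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """Accept the current or previous time step, a common clock-drift allowance."""
    return any(hmac.compare_digest(code, totp(secret, now - d * step, step))
               for d in (0, 1))

def sign_assertion(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Model of an origin-bound response: the MAC covers the server's challenge
    and the origin the browser is actually on (HMAC stands in for a signature)."""
    return hmac.new(device_key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

def server_accepts_assertion(device_key: bytes, challenge: bytes,
                             own_origin: str, assertion: bytes) -> bool:
    """The server recomputes the response for its own origin only."""
    return hmac.compare_digest(sign_assertion(device_key, challenge, own_origin), assertion)

def demo() -> dict:
    secret = b"12345678901234567890"            # constructed (RFC 6238 test key)
    device_key = b"constructed-device-key"      # constructed
    challenge = b"constructed-nonce-0001"       # constructed
    real = "https://login.example.com"          # hypothetical real site
    lookalike = "https://login.example.net"     # hypothetical look-alike page
    typed_at = 1_700_000_000
    code = totp(secret, typed_at)               # what the user reads off the app
    return {
        # The same digits verify wherever they were typed, until the window closes.
        "otp_entered_elsewhere_20s_later": server_accepts_totp(secret, code, typed_at + 20),
        "otp_after_window": server_accepts_totp(secret, code, typed_at + 120),
        # A response produced on the look-alike origin does not verify at the real one.
        "assertion_from_lookalike": server_accepts_assertion(
            device_key, challenge, real, sign_assertion(device_key, challenge, lookalike)),
        "assertion_from_real_site": server_accepts_assertion(
            device_key, challenge, real, sign_assertion(device_key, challenge, real)),
    }

if __name__ == "__main__":
    print(demo())
```

The TOTP check has no input describing where the code was typed, which is why shortening the validity window narrows the exposure but does not remove it.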

RFID/NFC+PIN as a Phishing-Resistant MFA Solution

RFID/NFC+PIN is the simplest way to implement phishing-resistant MFA. In most organizations, employees already carry an RFID employee badge that they use for building entry. That same card can be leveraged for secure user login to company devices, networks and applications. Alternatively, employees can use a mobile credential stored on the smartphone for authentication. When combined with a user PIN or biometric authentication on the smartphone, this creates a highly secure form of MFA. 

RFID/NFC+PIN offers several benefits for employees and organizations. 

  • Easy to use: Logging in with an ID card or smartphone and a PIN is faster than entering a username and password and eliminates the hassle of one-time codes. 
  • Secure: RFID/NFC+PIN is more secure than a password with a push notification or one-time code. 
  • Easy to implement: Since it leverages the card or phone employees already carry, implementation is easy. 
  • Cost-effective: Eliminating passwords also cuts down on IT support time and costs. 
  • Flexible: RFID/NFC+PIN can be used for login to devices such as computers and printers and combined with single sign-on (SSO) software for secure login to business networks and applications.
  • Compliant: As one of the only MFA methods fully compliant with emerging cybersecurity recommendations, it can help companies meet new cyber insurance requirements and industry standards/regulations governing data protection and cybersecurity, such as NIS2.
