Once upon a time, a token with a six-digit code that would change every 30 seconds was the ultimate in multifactor authentication (MFA) technology. As smart phones emerged, security vendors looked to leverage the device as a token – either through texting one-time password (OTP) codes over SMS or through mobile apps that could generate a code or receive a push notification for access.

While these technologies are better than no MFA – and certainly better than using a password alone – they are no longer good enough for many transactions. Attackers have devised ways to compromise legacy MFA solutions at scale; both OTP and push-based MFA are no longer sufficient. To defend against modern attacks, public and private sector organizations must start looking at phishing-resistant MFA to secure their systems.

This past year was full of incidents where attackers circumvented legacy MFA. The recent hack of the U.S. Security and Exchange Commission’s (SEC) X (née Twitter) account was done via a SIM Swap attack. The attacker obtained the phone number associated with the X account and did a password reset – and then used the hijacked account to send out tweets that inflated the cryptocurrency market. X reported that the SEC had disabled MFA on their account.

Sens. Ron Wyden (D-Wash.) and Cynthia Lummis (R-Okla.) sent a letter to the SEC’s Inspector General asking the office to investigate the attack, noting: “The SEC’s social media accounts should have been secured using industry best practices. Not only should the agency have enabled MFA, but it should have secured its accounts with phishing-resistant hardware tokens, commonly known as security keys, which are the gold standard for account cybersecurity. X has allowed users to restrict access to their accounts exclusively using security keys and to remove phone numbers, which can be easily hijacked by fraudsters, since 2021.”

Then there’s the U.S. Department of Commerce Inspector General’s audit that showed that the agency has not fully deployed strong MFA. The White House Office of Management and Budget has required agencies – as part of the Federal government’s Zero Trust Strategy (M-22-09) to deploy strong MFA, which it defines as MFA that is phishing-resistant, enforced at the application level, and does not force individuals to follow burdensome password requirements.

The audit looked at how four bureaus within the Commerce Department -- Bureau of Economic Analysis (BEA), the U.S. Census Bureau (Census), NIST, and the National Telecommunications and Information Administration (NTIA) -- have implemented strong MFA for access to five high-value assets. Phishing-resistant MFA had not been implemented for access to three out of the five high-value assets.

But agency employees are still using MFA so what’s the big deal? The OIG conducted phishing exercises in conjunction with the audit and found that NTIA employees clicked through phishing emails at 39.7% -- 12% higher than the average for any other agency -- and entered their credentials.

It’s not just SMS OTP and other code-based authentication factor that are susceptible. LAPSUS$ -- a cybercrime ring that breached many large companies – used MFA fatigue attacks. These attacks would repeatedly send a push notification to an employee’s phone in the middle of the night to get them to hit the “Yes, it’s me” button.

Billions of phishing emails are sent each day and with the rise of generative artificial intelligence those emails are going to be more convincing than before. Criminals are using these systems to create credible messages quickly and then automating to scale the attacks.

Social engineering is also on the rise and using smishing, MFA fatigue and SIM swaps to get around legacy MFA. But phishing-resistant technologies can protect companies and agencies. Cloudflare has documented how its use of  FIDO security keys enabled them to block a phishing attack in 2022 that impacted other companies. What was notable was the company’s admission that some of its employees fell for the phishing attack, but it was irrelevant because they had phishing-resistant authentication in place.

The ability of FIDO authentication to stand up to these attacks was a big reason that the government’s Cyber Safety Review Board (CSRB) called for a national effort to accelerate the use of stronger MFA, noting:  

“Organizations (to) urgently implement improved access controls and authentication methods and transition away from voice and SMS-based MFA; those methods are particularly vulnerable. Instead, organizations should adopt easy-to-use, secure-by-default, passwordless solutions such as Fast Identity Online (FIDO)2-compliant, phishing-resistant MFA methods.”

Unfortunately, the authentication threat landscape is only going to get worse, and as it does, the use of phishing resistant MFA will move from an “advanced” practice to table stakes for any organization that intends to block phishing attacks. Organizations and enterprises need to look at how they can help consumers and employees adopt phishing resistant technologies like FIDO’s passkeys, which replace passwords with cryptographic key pairs to deliver both phishing-resistant authentication and a better user experience. The private keys are housed in an individual’s devices -- computers, phones, or security keys -- and can be “discovered” by browsers so that consumer doesn’t have to think about what passkey to use. 

There are two types of passkeys: synced and device bound. Synced passkeys are managed by a mobile device, or computer operating systems, and are synced between the devices via the cloud. The cloud service also stores an encrypted copy of the FIDO credential. Device bound passkeys like security keys are only available on a single device and cannot be copied or exported.

The technology is available now and being rapidly adopted, with FIDO Alliance predicting 20 billion enabled accounts by the end of 2024.

Organizations must start looking at these modern technologies to secure systems. The pace of attacks is increasing quickly – particularly as the emergence of generative AI is enabling adversaries to craft more “picture perfect” phishing attacks to steal credentials – and the efforts to mitigate these attacks needs to be on par. At the very least organizations need to look at implementing phishing resistant MFA for access to high-value assets or suffer the inevitable breach. 

Jeremy Grant & Zack Martin

Read Next

Event Recap: 2024 Identity, Authentication, and the Road Ahead Policy Forum

A recap of the "Identity, Authentication, and the Road Ahead” Policy Forum hosted by the Better Identity Coalition, FIDO Alliance, and the Identity Theft Resource Center.

Better Identity at Five Years: An Updated Policy Blueprint and Report Card

The last five years has seen America make mixed progress on digital identity – in some cases embracing recommendations and moving forward – and in others stalled and rudderless in efforts to counter criminals and hostile nation states.

Cybersecurity Predictions for 2024

The Center for Cybersecurity Policy & Law staff offer their predictions on what's to come in 2024 and the season finale of the Distilling Cyber Policy podcast offers some additional commentary on what's ahead.