Try FIDO2 MFA authentication
Password phishing is the most successful attack technique, with insecure password logins being responsible for over 80% of data breaches. Passwords are also a productivity drain: 20-50% of helpdesk calls are password-related. Yet many organizations still rely on passwords and have not fully implemented multifactor authentication (MFA) on all entry points. Implementing MFA is the single most impactful risk mitigation measure an organization can undertake.
Not all MFA is equal, however: traditional mobile-push MFA is now increasingly targeted by attackers. From 2021 into 2022, Microsoft and other vendors observed increasingly sophisticated phishing-as-a-service kits being used against MFA-enabled accounts in SaaS services such as Microsoft 365.
Using techniques such as prompt bombing or attacker-in-the-middle proxying, mobile push and other forms of out-of-band MFA are now routinely bypassed, as witnessed in recent attacks against Mailchimp, Cloudflare, Twilio, Uber and many others. To see what such an attack looks like from the user's perspective, see here.
Organizations are struggling to address these password and MFA weaknesses, leaving them vulnerable to phishing. Historically, reducing reliance on passwords and enforcing MFA on every entry point was complex and difficult: organizations would typically deploy MFA only on VPN access points and rarely progressed to other entry points such as RDP and web applications.
Modern identity federation protocols such as SAML or OAuth2 now allow web apps to delegate authentication to an identity provider, which expands the scope of MFA-protected entry points. Usually this is accomplished by adding a modern identity-as-a-service (IDaaS) solution to the infrastructure, which can connect to and enforce MFA across all organizational applications.
To address the MFA phishing problem described above, a new authentication standard called FIDO2 has emerged and quickly gained support from major platform providers (Microsoft, Android, Apple) and browser makers (Mozilla, Chrome, MS Edge, etc.). FIDO2 makes MFA far easier to deploy and more user-friendly, but crucially it also removes the MFA phishing risk: the browser binds each authentication response to the origin the user is actually visiting, so a response captured on a lookalike or proxy site is rejected by the real service.
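The following added example (not code from the original article or from any FIDO2 vendor) shows, from the relying-party side, why FIDO2/WebAuthn defeats the attacker-in-the-middle and prompt-bombing kits mentioned above. It models the origin, RP ID and challenge checks a server performs on an assertion; the browser-generated `clientDataJSON` and `authenticatorData` structures are constructed inline as stand-ins, and the RP ID `example.com`, origin `https://login.example.com` and the lookalike `https://login.example-com.net` are assumed sample values. Signature verification with the stored public key is assumed to happen separately and is omitted here.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


# WebAuthn encodes binary fields as base64url without padding.
def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- constructed stand-ins for what the browser and authenticator produce ---
def make_client_data_json(challenge: bytes, origin: str) -> bytes:
    """Constructed clientDataJSON. The browser, not the web page, fills in the
    origin it is really talking to, so a phishing page cannot forge it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash (32) || flags (1) || signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


# --- relying-party side checks (the phishing-resistant part) ----------------
def origin_allowed_for_rp(origin: str, rp_id: str) -> bool:
    """Origin must be https and its host must be the RP ID or a subdomain of it."""
    parsed = urlparse(origin)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    host = parsed.hostname.lower()
    return host == rp_id or host.endswith("." + rp_id)


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, expected_origin: str,
                     rp_id: str) -> tuple:
    """Returns (ok, reason). Mirrors the origin/challenge/rpIdHash steps of the
    WebAuthn assertion verification procedure; signature check omitted (assumption)."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    # A fresh per-login challenge prevents replay of an older response.
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay or cross-session response)"
    # Origin binding: a response created on a proxy/lookalike site names that
    # site's origin, which the real service does not accept.
    origin = client_data.get("origin", "")
    if origin != expected_origin or not origin_allowed_for_rp(origin, rp_id):
        return False, "origin mismatch (assertion was created on another site)"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    # The credential is scoped to the RP ID; the hash must match ours.
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch (credential is scoped to a different RP)"
    if not authenticator_data[32] & 0x01:  # UP flag: user presence was tested
        return False, "user presence flag not set"
    return True, "ok"


def demo() -> dict:
    rp_id = "example.com"                      # assumed sample RP ID
    origin = "https://login.example.com"       # assumed legitimate origin
    challenge = secrets.token_bytes(32)
    auth_data = make_authenticator_data(rp_id)

    legit = verify_assertion(make_client_data_json(challenge, origin),
                             auth_data, challenge, origin, rp_id)
    # Attacker-in-the-middle proxy relays the real challenge, but the victim's
    # browser records the proxy's origin; the real service rejects it.
    proxied = verify_assertion(make_client_data_json(challenge, "https://login.example-com.net"),
                               auth_data, challenge, origin, rp_id)
    # A response for a different (stale) challenge cannot be reused.
    replayed = verify_assertion(make_client_data_json(secrets.token_bytes(32), origin),
                                auth_data, challenge, origin, rp_id)
    return {"legitimate": legit, "proxied_phish": proxied, "replayed": replayed}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that in a real deployment the browser already refuses to invoke the authenticator when the page's origin is not within the requested RP ID, so the server-side origin and rpIdHash checks are the backstop, not the only barrier; the push-based MFA the article contrasts with has no equivalent binding, which is why a relayed push prompt succeeds.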
Whether you still depend on passwords or already use push-based MFA, consider adding FIDO2 authenticators paired with a modern identity-as-a-service (IDaaS) solution that can integrate with the existing applications in your organization.