Why multi-factor authentication is key to fight phishing
As the digital world has evolved and innovated, so have the techniques used by bad actors. Phishing is the most common form of cybercrime – and with 3.4 billion malicious emails sent every day, new communication channels for hackers to exploit, and vast amounts of personal data freely available online, today’s phishing attempts are significantly more complex.
This article originally appeared in the March'24 magazine issue of Electronic Specifier Design – see ES's Magazine Archives for more featured publications.
Despite the rising threat, many organisations are fighting back. By evolving traditional security measures, organisations can ensure they are fortified and ready to fight against these new digital threats.
Don’t become phish food!
In recent years, several solutions have been introduced to combat phishing attacks. Most include some form of multi-factor authentication (MFA), which adds additional layers of authentication and/or replaces legacy security measures such as passwords/PINs. Two of the most popular anti-phishing solutions on the market today are number matching and passkey technology.
Number matching requires users to input a one-time security code, sent to their personal device, and strengthens authentication by adding an extra step to the log-in process. However, this also creates unwanted manual processes and friction for the user and, as the Coinbase phishing attack demonstrated, it is not phish-proof.
Passkey technology requires further verification by sending a notification during the log-in process to the device that the user registered with. This can leverage either software-bound or hardware-bound solutions. Software-bound passkeys allow for support of passkeys using your smartphone through authenticator applications or clickable authentication links. Microsoft, Google, and Apple have all recently adopted passkey technology for authentication. However, depending on the security features incorporated by a user’s personal smart device, they have the potential to add additional manual steps to the log-in process, again creating unwanted friction.
On the other hand, hardware-bound passkeys are typically considered more secure than software-bound solutions, as they are purpose-built and offline, and therefore have a significantly smaller attack surface. They allow for support of passkeys using a separate, physical authentication device, such as a FIDO2 token or an access key card. These solutions enhance convenience by removing manual steps and leveraging ‘something you are/have’, as opposed to ‘something you know’. This also negates the risk of users accidentally sharing authentication credentials with bad actors.
When assessing the current anti-phishing solutions market, passkey technology is the closest thing we have to phishing resistance, but the level of security depends on the factor supporting it. If a passkey is backed by ‘something you know’, such as a PIN or password, then the weaknesses in security and convenience persist. According to IBM, 95% of data breach incidents are caused by human error, so security solutions should seek to reduce this risk by minimising or removing user interaction altogether.
If a passkey is backed by ‘something you are/have’, such as a biometrics-enabled smartphone or hardware token, phishing risks are reduced and convenience is enhanced.
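The article states that passkeys are the closest thing to phishing resistance but does not show why. The reason is that a FIDO2/WebAuthn assertion is bound to the site it was made on: the browser records the page origin in the signed client data, and the authenticator hashes the relying party ID into the signed authenticator data, so a credential used on a look-alike domain produces an assertion the real service rejects. An entered one-time code carries no such binding, which is why it can be relayed. The following is an added illustration written for this page, not code from the article or from any vendor it mentions; it models the relying-party checks with the standard library only, using an HMAC with a per-credential secret as a stand-in for the real ECDSA signature and public key, and all names, domains and keys are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed demo values (not from the article).
RP_ID = "example.com"                     # relying party identifier registered with the passkey
EXPECTED_ORIGIN = "https://example.com"   # origin the relying party's pages are served from

# Stand-in for the credential's key pair: a shared secret verified with HMAC.
# A real authenticator signs with a private key and the RP stores the public key.
CREDENTIAL_KEY = b"constructed-credential-key"


def issue_challenge() -> bytes:
    """The relying party issues a fresh random challenge for every login attempt."""
    return secrets.token_bytes(32)


def authenticator_sign(rp_id: str, origin: str, challenge: bytes, key: bytes) -> dict:
    """Model of what browser + authenticator return for a WebAuthn get() call.

    The browser, not the user, fills in clientData with the page's actual origin;
    the authenticator hashes the rpId it was given and signs
    authenticatorData || SHA-256(clientDataJSON).
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    # authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4)
    # flags 0x05 = user present + user verified
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + struct.pack(">I", 1)
    signature = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def verify_assertion(assertion: dict, expected_challenge: bytes, key: bytes = CREDENTIAL_KEY,
                     rp_id: str = RP_ID, expected_origin: str = EXPECTED_ORIGIN) -> tuple[bool, str]:
    """Relying-party verification: every check below is one the WebAuthn spec requires."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Fresh per-login challenge: a captured assertion cannot be replayed later.
    if not hmac.compare_digest(client_data.get("challenge", ""), expected_challenge.hex()):
        return False, "challenge mismatch (stale or replayed login)"
    # Origin binding: the browser wrote the real page origin into the signed data.
    if client_data.get("origin") != expected_origin:
        return False, f"origin {client_data.get('origin')!r} is not {expected_origin!r}"
    auth_data = assertion["authenticatorData"]
    # rpId binding: the authenticator hashed the site it was actually used on.
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    expected_sig = hmac.new(key, auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "signature invalid"
    return True, "ok"


def demo() -> dict:
    """Run the genuine case and the look-alike-domain case and return the verdicts."""
    challenge = issue_challenge()
    genuine = authenticator_sign(RP_ID, EXPECTED_ORIGIN, challenge, CREDENTIAL_KEY)
    # Same credential, same challenge, but used on a constructed look-alike domain:
    # the browser and authenticator bind the assertion to that domain instead.
    lookalike = authenticator_sign("examp1e.com", "https://examp1e.com", challenge, CREDENTIAL_KEY)
    # Even if the client data were edited afterwards to claim the right origin,
    # the rpIdHash in the signed authenticator data still names the wrong site.
    edited = dict(lookalike)
    edited["clientDataJSON"] = genuine["clientDataJSON"]
    return {
        "genuine": verify_assertion(genuine, challenge),
        "lookalike": verify_assertion(lookalike, challenge),
        "edited": verify_assertion(edited, challenge),
        "stale": verify_assertion(genuine, issue_challenge()),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:9s} accepted={ok} reason={reason}")
```

The contrast with number matching is the input to the verifier: an OTP check receives only the digits, so it has no way to know on which page the user typed them, whereas the passkey verifier receives the origin and rpId inside the signed data and refuses anything not made on the genuine site.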
Are you the secret weapon?
The smartphone, PC, access control, and payments industries are already familiar with the value offered by using each person’s uniqueness to strengthen authentication. Through years of familiarisation, via our phones, PCs and laptops, consumers have come to trust and value biometric authentication – 52% of those who use biometrics prefer it over any other authentication method.
By incorporating biometric technology into the authentication process, the need to create, remember and manage a growing list of passwords and PINs is removed. Some 60% of consumers feel that they have too many passwords to remember, with some consumers having in excess of 85 for all their professional and personal accounts. Additionally, the potential for human error to cause a data breach is drastically reduced, as it becomes impossible to share your log-in credentials externally. Furthermore, no biometric information lives on the device itself: the template is stored as a mathematical representation rather than an image, which makes hacking considerably more challenging.
While innovation is offering more opportunity for organisations to work smarter, it’s also opening the door to sophisticated crime and a continued rise in phishing. While we can (unfortunately) admit that it won’t be eradicated anytime soon, the industry is fighting back with innovative solutions.
PINs and passwords are no longer sufficient to keep phishers at bay, so MFA processes should be considered the bare minimum. As a guide to best practice, we should look to incorporate some form of passkey into authentication processes. For those looking to achieve authentication nirvana and further fortify against phishers, a passkey process that is supported by biometrics will ensure robust security and a seamless user experience.