Beyond Passwords: Embracing Phishing-Resistant MFA in 2025

Publication date: Sep 02, 2025

Last Published: Sep 03, 2025


Traditional multi-factor authentication (MFA) methods, namely SMS codes and email links, no longer stop determined attackers. They were designed for an era when the main threat was a stolen password, not a phishing page that harvests the password and the one-time code together and uses both before the code expires.

Fortunately, a new generation of authentication technology, commonly referred to as phishing-resistant MFA, is raising the bar for account security by eliminating shared secrets that can be intercepted or tricked out of users. To avoid expensive data breaches, it’s in the best interest of all organizations to adopt these modern authentication methods as soon as possible to protect their users, data, and business operations. 

The Cracks in Traditional Multi-Factor Authentication Methods  

SMS codes and email-based multi-factor authentication were a real step forward when they first appeared because they added a second layer of security beyond passwords alone, addressing the alarming fact that poor passwords contribute to around 80% of corporate data breaches.

However, both methods still depend on a shared secret: a one-time code or link that is valid for whoever presents it. When a code goes out by text message or email, it exists in several places (on the sender’s servers, in transit through telecom or email networks, and on the recipient’s device), and each of those is a place it can be read or redirected. More importantly, nothing ties the code to the legitimate site. A user who types a genuine code into a convincing fake login page has given the attacker everything needed, and modern adversary-in-the-middle phishing kits relay that code to the real site within seconds, well before it expires.

For example, attackers routinely take over email accounts through social engineering or credential stuffing, and a hijacked inbox then receives every MFA code and confirmation link sent to it. A single compromised email account can cascade into many others, because password resets and verification links for other services land in the same inbox.

SMS-based MFA is, unfortunately, no better than email-based codes and links. It has proven weak enough that CISA now explicitly advises organizations not to use SMS codes as a second factor, largely because of SIM-swap attacks. In a SIM swap, criminals convince a mobile carrier’s customer service representative to transfer a victim’s phone number to a SIM card the attacker controls, typically using social engineering or stolen personal information. Once the transfer is complete, all text messages, including authentication codes, go directly to the criminal’s device. Even without a SIM swap, an SMS code is still a shared secret that the user can be tricked into typing into a fake page.

Push notifications may seem like a more secure alternative since they don’t involve codes that users can accidentally share, but their weakness also comes down to the human factor. Cybercriminals have become experts at exploiting user fatigue and confusion through “push bombing” or “MFA fatigue” attacks, where they repeatedly attempt logins with a stolen password until the overwhelmed user approves a request just to stop the notifications. A Microsoft study found that about 1% of users will accept a simple approval request on the first try. Number matching, where the user must type a number shown on the login screen into the prompt, blunts push bombing, but it does not make push phishing-resistant: a real-time phishing proxy triggers a genuine prompt while the victim is on the fake page, and the number the victim sees matches.
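A detection-side illustration, added here and not part of the original article: a sliding-window rule that flags a burst of push prompts to one user and escalates when an approval follows the burst, run over constructed sample log lines. The event names ("push_sent", "push_denied", "push_approved"), the field names and the thresholds are assumptions for illustration; map them onto your identity provider's real event schema.

```javascript
// Added example (not from the article): flag MFA push bombing from IdP logs.
// The log lines below are constructed; event names, fields and thresholds
// are assumptions for illustration.
const SAMPLE_LOG = `
{"ts":"2025-09-02T08:00:05Z","user":"alice","event":"push_sent","ip":"203.0.113.7"}
{"ts":"2025-09-02T08:00:40Z","user":"alice","event":"push_denied","ip":"203.0.113.7"}
{"ts":"2025-09-02T08:01:02Z","user":"alice","event":"push_sent","ip":"203.0.113.7"}
{"ts":"2025-09-02T08:01:50Z","user":"alice","event":"push_sent","ip":"203.0.113.7"}
{"ts":"2025-09-02T08:02:31Z","user":"alice","event":"push_sent","ip":"203.0.113.7"}
{"ts":"2025-09-02T08:03:12Z","user":"alice","event":"push_sent","ip":"203.0.113.7"}
{"ts":"2025-09-02T08:03:59Z","user":"alice","event":"push_approved","ip":"203.0.113.7"}
{"ts":"2025-09-02T09:15:00Z","user":"bob","event":"push_sent","ip":"198.51.100.2"}
{"ts":"2025-09-02T09:15:20Z","user":"bob","event":"push_approved","ip":"198.51.100.2"}
`.trim();

// One JSON object per line; attach a numeric timestamp for window arithmetic.
function parseLog(text) {
  return text.split('\n').filter(Boolean).map((line) => {
    const e = JSON.parse(line);
    return { ...e, t: Date.parse(e.ts) };
  });
}

// Sliding window over each user's prompts: an alert fires when at least
// `maxPrompts` prompts fall inside `windowMs`; severity rises to high when an
// approval is recorded during or shortly after the burst (the attack worked).
function detectPushBombing(events, { windowMs = 10 * 60 * 1000, maxPrompts = 5 } = {}) {
  const byUser = new Map();
  for (const e of events) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e);
  }
  const alerts = [];
  for (const [user, evs] of byUser) {
    evs.sort((a, b) => a.t - b.t);
    const prompts = evs.filter((e) => e.event === 'push_sent');
    let j = 0;                                    // start of the current window
    for (let i = 0; i < prompts.length; i++) {
      while (prompts[i].t - prompts[j].t > windowMs) j++;
      const count = i - j + 1;
      if (count < maxPrompts) continue;
      const from = prompts[j].t, to = prompts[i].t;
      const approvedAfterBurst = evs.some(
        (e) => e.event === 'push_approved' && e.t >= from && e.t <= to + windowMs);
      alerts.push({
        user, prompts: count, from: prompts[j].ts, to: prompts[i].ts,
        sourceIps: [...new Set(prompts.slice(j, i + 1).map((p) => p.ip))],
        approvedAfterBurst, severity: approvedAfterBurst ? 'high' : 'medium',
      });
      break;                                      // one alert per user per run
    }
  }
  return alerts;
}

console.log(JSON.stringify(detectPushBombing(parseLog(SAMPLE_LOG)), null, 2));
```

A "high" alert is the one to page on: it means a prompt was approved after the burst, so the session that was established should be revoked and the password rotated, not just the user warned.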

How Phishing-Resistant MFA Closes the Security Gap 

Unlike traditional methods that rely on shared secrets (codes that can be intercepted or stolen), phishing-resistant MFA methods use public-key cryptography. The private key never leaves the user’s device; it signs a fresh challenge for each login, and the signature also covers the origin of the site the browser is actually talking to, using a credential scoped to that site’s domain. Even if attackers create a perfect replica of the login page or sit in the network path, they get nothing usable: the browser will not release a credential registered to the real domain on a look-alike domain, and a signature made for the wrong origin is rejected by the real site. The secret cannot be stolen because it never leaves the device, and using the device itself requires the user to be present for every login.

Several phishing-resistant authentication methods are available today, and each offers unique advantages for different organizational needs and user scenarios. 

FIDO2 Security Keys 

FIDO2 security keys are small USB, NFC or Bluetooth devices that provide the strongest authentication available to most organizations today. They use public-key cryptography as specified by FIDO2 (the W3C WebAuthn browser API together with the CTAP protocol between browser and key) to create a unique credential for each website or application, so a credential for one site is useless on another.

When you register a security key with a service, it generates a unique key pair for that service’s domain. The public key stays with the service, while the private key never leaves the device. To authenticate, the service sends a random challenge, the user inserts or taps the key and touches it to confirm presence (a PIN or fingerprint may be required as well), the key signs the challenge together with the site origin the browser supplied, and the service checks the signature against the stored public key. There are no codes to type and no notifications to approve.

Popular options like YubiKey and Google Titan Keys work across thousands of services and can protect multiple accounts with a single device. They are not free, so the biggest downside of this method is the cost of buying and distributing the keys. Plan for lost keys as well: register at least two keys per account, or pair a key with another phishing-resistant method, so that a lost key is an inconvenience rather than a lockout.

Passkeys 

Passkeys can be seen as a budget-friendly evolution of the FIDO2 technology because they bring the same cryptographic security to smartphones and computers that billions of people already own. 

Passkeys are essentially FIDO credentials stored on your existing devices, but from a user’s perspective, logging in becomes as simple as unlocking your phone. When you visit a website that supports passkeys, instead of typing a password, you just use your existing fingerprint, face scan, or device PIN to approve the login.  

There’s nothing new to remember, no codes to type, and no extra hardware to carry around. Apple has integrated passkey support into iOS 16 and macOS Ventura and later, Google has enabled them across Android and Chrome, and Microsoft supports them through Windows Hello and Microsoft Authenticator. One caveat: synced passkeys are backed up and shared between devices through the platform account (for example iCloud Keychain or Google Password Manager), so that account and its recovery process become part of the trust boundary; device-bound passkeys stay on a single device and avoid that dependency at the cost of convenience.

Certificate-Based Authentication and Smart Cards 

For organizations with an existing Public Key Infrastructure (PKI) or strict compliance requirements, certificate-based authentication (CBA) and smart cards provide another path to phishing-resistant security. While more complex to deploy than FIDO2 solutions, they have been protecting government agencies and highly regulated industries for years.

Smart cards like PIV and CAC cards store digital certificates and private keys on physical cards that employees insert into readers or tap against devices. Like FIDO2 keys, they sign a fresh challenge for each authentication attempt with a private key that never leaves the chip, so the signature cannot be replayed or phished. The main difference is the backend: the certificate must chain to an enterprise certificate authority, the relying system must check revocation (CRL or OCSP) on every login, and a card management system handles issuance, PIN resets and revocation when a card is lost.

Successfully Implementing Phishing-Resistant MFA 

The switch to phishing-resistant MFA can be painless, but only if it’s well thought out. The good news is that organizations of all sizes have already successfully made this transition, and the benefits far outweigh the initial investment of time and resources. 

The first step should always be to take inventory of the current authentication setup and identify which systems and applications are most important to protect, as not every account needs the same level of security. Email and privileged accounts should be top priorities, while less sensitive systems can transition later. A phased approach helps teams learn and adjust as they go. One rule applies at every phase: once an account has a phishing-resistant method enrolled, remove SMS, email and push as fallback options for it, because an attacker will simply pick the weakest factor still allowed.

Choosing the right authentication method depends on several factors unique to each organization: 

  • Budget considerations: If cost is a primary concern, passkeys offer excellent security without requiring hardware purchases since they work with devices your employees already have. For the highest-security needs, budget $25-50 per user for hardware security keys, more if you issue a backup key to each user. 
  • User demographics: Tech-savvy teams adapt quickly to any method, while less technical staff may prefer the simplicity of passkeys that work just like unlocking their phones. 
  • Compliance requirements: Organizations in certain regulated industries may need smart cards or specific FIDO2 keys to meet compliance requirements. 
  • Remote work needs: Organizations with distributed teams should prioritize methods that work seamlessly across locations, and passkeys are ideal for this.  

Before rolling out any new authentication method, clear communication about why the change is necessary goes a long way toward successful adoption.  

Employees respond better when they understand that phishing-resistant MFA will make their daily logins faster and easier, not more complicated. Compared with traditional MFA this is genuinely the case, especially when it is implemented as part of a passwordless authentication strategy that eliminates the risks created by poor password habits. 

By taking a phased, well-communicated approach, organizations can make sure that phishing-resistant MFA not only strengthens their defenses but also improves the user experience. The result is a security upgrade that feels less like an obstacle and more like an enabler that empowers employees to work safely and confidently.  

Conclusion 

Relying on outdated MFA methods is no longer enough to keep organizations safe. Phishing-resistant authentication technologies represent a necessary leap forward, and they can offer both stronger protection and a smoother user experience.  

The transition may seem complex, but with the right guidance it can be straightforward and cost-effective. OSIbeyond specializes in helping organizations implement modern, phishing-resistant MFA solutions that safeguard critical systems and data. Schedule a meeting with us today.
