We are excited to see the Cybersecurity and Infrastructure Security Agency (CISA) and outgoing Director Jen Easterly strongly recommend PHISHING-RESISTANT multi-factor authentication (MFA).
The majority of people, including the majority of cybersecurity practitioners, do not know that most MFA, especially the most popular types used today (e.g., one-time passwords, push-based, SMS-based), can be as easily phished or bypassed as the passwords it was intended to replace.
We have been a huge advocate for PHISHING-RESISTANT MFA since the beginning of the latest MFA push six years ago, and we were among the first companies to promote PHISHING-RESISTANT forms of MFA. When you first read or heard the phrase PHISHING-RESISTANT MFA, there was a good chance it was from us. We were certainly the loudest, most consistent early advocates.
Even today, we likely have the only inclusive list of PHISHING-RESISTANT MFA solutions on the Internet.
The Beginning
Our PHISHING-RESISTANT MFA journey began back on May 5, 2018, when our late Chief Hacking Officer, Kevin Mitnick, created and published a video demonstrating how easy it was to bypass very popular MFA using simple phishing. Here is the related article published on KnowBe4’s blog.
Although Kevin likely was not the first hacker to show that most MFA could be as easily bypassed as the passwords they were supposed to replace, Kevin’s video startled many people, and it kicked off a huge round of global media coverage. It was through our resulting PR outreach that we realized that although we understood how easy most MFA was to social engineer around, most people, including most cybersecurity professionals, did not.
It did not help that many of the most trusted cybersecurity leaders, corporations and organizations were falsely shouting that MFA stopped 99% of attacks. It is not true; it was never true; it will never be true. We wrote an article about it here.
What is true is that MFA stops 99% of phishing attacks that ask for people’s passwords, which is only about half of all email phishing. It stops login attacks that only try passwords. But it does not stop file attachment and rogue link phishing, which attempts to get users to download malware. It does not stop phishing that attempts to get people to reveal confidential information, like payroll data or social security numbers, which is about another half of all email phishing.
It does not stop attacks against vulnerabilities in software and firmware, which according to Google Mandiant are responsible for 33% of successful compromises. MFA does not stop any other type of malicious hacking attack, except attacks that look for or ask for passwords. And that is not bad, because it does stop a lot of attacks. It is the reason why everyone should be using PHISHING-RESISTANT MFA. But not all MFA solutions are equally resilient against attacks on MFA.
In general, once an attacker learns that you use MFA and starts to attack it, it is not nearly as protective as it was before they knew you were using it. It certainly is not effective against 99% of all cyber attacks, even when attackers do not know you use it.
James McQuiggan, one of our security awareness advocates, even had this mock license plate made up as a gift to other KnowBe4 evangelists:
To be clear, we love MFA and think everyone should use it to protect valuable data and systems. But we think all MFA users should use PHISHING-RESISTANT MFA solutions whenever possible. Sometimes you do not have the choice of which MFA to use – your vendor, employer, or app tells you which MFA solution you must use. But if you have a choice of MFA options, try to choose a PHISHING-RESISTANT option.
If you are going to go through all the trouble to switch from passwords to MFA, with all the money, people, and effort involved, you might as well go to something PHISHING-RESISTANT, since it is far more resistant to malicious hacker attacks. You get more bang for your buck.
Phishing-Resistant MFA Content
From the very beginning back in 2018 with Kevin’s video, we started to develop more related content pushing our PHISHING-RESISTANT message than anyone else. We have tons of MFA educational videos in our training arsenal. Our core annual security awareness training videos drive home the message that most MFA solutions can be easily bypassed using phishing.
We created a dedicated MFA portal.
We developed multiple free one-hour webinars that anyone could watch and share, including: https://info.knowbe4.com/register-hacks-that-bypass-mfa and https://info.knowbe4.com/hacking-150-mfa-products.
We published a free eBook.
We created a free MFA security assessment tool.
We gave hundreds of presentations and interviews about MFA and wrote many, many dozens of articles on the subject, including: https://blog.knowbe4.com/do-not-use-easily-phishable-mfa and https://blog.knowbe4.com/u.s.-government-says-to-use-phishing-resistant-mfa.
We even wrote a Wiley book on the subject, Hacking Multifactor Authentication.
Early on, we felt like a lone voice yelling into the void, but our non-stop education, constant outreach to multiple cybersecurity organizations, and the fact that easily phishable MFA is constantly being bypassed in hacker attacks (example here) have made PHISHING-RESISTANT MFA an easier and more popular recommendation over the last few years.
Today, nearly all cybersecurity organizations, including the U.S. government, NIST, CISA, Microsoft, and Google, routinely tout the benefits of PHISHING-RESISTANT MFA.
Where We Slightly Differ
Many organizations and companies simply ask people to use MFA or to use “any MFA”. We think every organization and person should be using and promoting PHISHING-RESISTANT MFA whenever they can to protect valuable data and systems. And while, yes, you should use “any MFA” over passwords, we believe the primary message should be to use PHISHING-RESISTANT MFA. We cannot wait for the less secure, phishable forms of MFA to disappear.
MFA Thought Leadership
This is not the end. We still continue to push thought leadership around MFA and other topics when we see areas of improvement. For example, we were the first to speak out about how one-time-password forms of MFA that were implementing “number matching” did not stop phishing attacks against MFA. We spoke out about the phishing problems with push-based MFA and how to mitigate those risks.
Here is another thought-provoking idea you probably will not read anywhere else: PHISHING-RESISTANT MFA is still phishable. Yep. You can read about it here and here.
We even discuss what you should do if you are forced to use an easily phishable form of MFA.
We are glad that most people now know to use and recommend PHISHING-RESISTANT MFA. It has always been the right thing to do. Maybe one day, using any available MFA will automatically mean using PHISHING-RESISTANT MFA, because it will be the only stuff out there. Until then, buyer and user beware.
Just know that KnowBe4 will always be your strongest advocate and partner for reducing human risk. We will always tell you the truth.