You would be hard-pressed to find an author and organization (KnowBe4) that has pushed the use of phishing-resistant multi-factor authentication (MFA) harder.When the world was touting “MFA,” we were shouting “PHISHING-RESISTANT MFA” even louder, including here:
Today, many of the world’s leading cybersecurity voices, including CISA, Microsoft and Google are pushing phishing-resistant MFA. Here is CISA’s take on it.
We are delighted that much of the world understands the importance of using phishing-resistant MFA and not just any MFA solution.
Unfortunately, there is a large percentage of the cybersecurity world that has come to believe that using phishing-resistant MFA will stop all phishing. It will not. And overestimating the efficacy of a cybersecurity defense can be as dangerous as not promoting it. Cybersecurity defenders need to understand what phishing-resistant MFA will prevent and what it will not.
What is Phishing-Resistant MFA?
In short, phishing-resistant MFA is any MFA solution that resists man-in-the-middle (MitM) attacks and other types of common social engineering attacks. By far, the most common type of MFA phishing attack involves tricking the victim into connecting with a fake, MitM, proxy website before they get connected to the legitimate website they intended to go to. History has shown that it is not hard to trick a person into connecting to a malicious website.
All it takes is a phishing email that looks legitimate enough and is asking them to click on a button or to verify some sort of normal-sounding information. Then, when the user is asked to input an MFA code (usually a six-digit code lasting for 30-60 seconds), the hacker’s MitM website can capture it, disconnect the user, and reuse the captured code to log into the real website themselves.
Kevin Mitnick, KnowBe4’s former Chief Hacking Officer (unfortunately, Kevin passed away last July), has a great video demonstration showing a MitM attack against MFA.
Another common type of phishable-MFA is push-based MFA where the user is prompted to separately and additionally approve any login using their login ID on a push-based MFA-protected site or service. The user will usually be shown a prompt, on their cell phone or separate app, along with relevant login information, like their physical location, browser, operating system version, and time. The user can either approve or deny the current login.
The user should reject any login that they themselves did not initiate, but for many reasons, they may approve a login they did not themselves initiate. A common reason is because a social engineering hacker calls or messages them pretending to be from their organization’s IT department, who then tells them they need to approve the login in order for a software update to be completed.
Or the hacker sends dozens of login prompts (called push prompt bombing or fatigue-bombing) until the user relents and approves one (to make them stop). Either way, a fair amount of end users will approve login prompts that they should not.
Examples of Easy Phishable MFA
These types of MFA solutions are considered easily phishable unless they have some offsetting mitigation to prevent their social engineering:
- One-Time Password (OTP) MFA, such as Google Authenticator and Microsoft Authenticator
- SMS-based MFA
- Push-based MFA
Examples of Phishing-Resistant MFA
These types of MFA solutions are considered phishing-resistant:
- FIDO/FIDO2-based MFA
- FIDO Passkeys (when used multifactor)
- NIST 800-63-B AAL3-Level Solutions
- Channel-binding solutions
A complete list of phishing-resistant MFA can be found here.
Unfortunately, there are far more phishing-susceptible than phishing-resistant options.
What Will Phishing-Resistant MFA Prevent?
Currently, about half of all phishing involves trying to trick someone out of their password. There is no collected stat about that fact, but if I had my best guess, that is what I would guess. If you are using MFA and there is no password used along with the MFA logon, phishing messages trying to steal your password will not work.
That is great. Besides aggressive end-user education, I cannot think of a single other cybersecurity control that will decrease otherwise successful phishing as much. It is why you and everyone else should be using (phishing-resistant) MFA to protect valuable data and systems.
As MFA becomes more common, hackers and malware writers are changing their tactics to consider how to compromise MFA. Hackers routinely target and bypass users of MFA. Phishing kits now routinely target and bypass phishing-susceptible MFA. And it is for this reason that we, and others, encourage you to use phishing-resistant MFA whenever you can.
We do not always get to choose what MFA method we use. For example, my bank sends me SMS-based message codes all the time to confirm transactions. Even though I know that SMS-based is weak MFA, it’s what I’m forced to use if I want to do business with that bank. But if you have a choice, choose phishing-resistant MFA over phishing-susceptible MFA whenever you can.
What Does Phishing-Resistant MFA Not Stop?
If half of phishing attempts are to get a victim to reveal their password, it means half of phishing attacks will not be prevented by MFA. A lot of phishing is involved in getting the user to download malicious content, perform a harmful action, such as to pay a fake invoice, or to reveal sensitive information (such as a SSN or contract information). MFA stops some authentication attacks. It does not stop any attack that does not involve authentication. If I, as a malicious hacker, can trick an MFA user into running my malware program, it is game over; MFA or not.
MFA Does Not Stop Attacks Against Unpatched Software or Firmware
Historically, unpatched software and firmware has been involved in about 20% to 40% of successful breaches. These days, Mandiant says unpatched software and firmware is involved in 33% of attacks. MFA will not stop any of those attacks.
Phishing-Resistant MFA Does Not Mean Unphishable
Being resistant to something does not mean impermeable. A water-resistant watch cannot be taken down 100 meters undersea and expected to survive. You will need a waterproof watch, along with the vendor’s attestation how far under the water the watch is guaranteed. In the same way, a phishing-resistant MFA solution can prevent some of the most popular types of social engineering and phishing, but no MFA solution can prevent all social engineering. There are dozens of ways any MFA solution, EVEN PHISHING-RESISTANT MFA solutions can be phished. Here is a list of some of those ways.
Here is an example. Any site or service can ask for the user to use a particular form of MFA and then fake the entire experience. The site or service can present prompts, take input, and then move on as if the MFA solution was successfully used, even though it was never legitimately involved. The site just fakes the entire experience. The user, thinking the authentication worked as designed, now has no idea they are not on their real website or service, and are far more susceptible to additional requests for confidential information (such as credit card verification).
Or I can claim to be your MFA vendor and send you a “new”, replacement MFA that is really just a compromised device. See here for an example of that attack. Phishing-resistant MFA does not stop callback phishing, QR code phishing, social media scams, instant messaging phishing, voice calls, alternate recovery tricks, or romance scams. Anything can be hacked. Anything can be socially engineered.
Phishing-resistant MFA is just less susceptible to some very common types of MFA social engineering. It is not impervious.
We are big believers in phishing-resistant MFA. We think anyone using phishing-susceptible MFA should consider moving to a more phishing-resistant form. It only makes sense. The whole reason you are moving from passwords to MFA is to prevent a hacker from stealing your password and reusing it. Why not get more anti-phishing protection by moving to a phishing-resistant form of MFA?
Just do not think that using any MFA, even phishing-resistant MFA, means you do not have to worry about phishing. Social engineering and phishing come in many different forms and they are likely to be around either until the Internet is significantly improved, security-wise, if not forever. We did not get rid of all crime just because we have millions of people involved in law enforcement. Social engineering and all crime are as old as humanity itself. And no one solution is going to fix it.
Promote phishing-resistant MFA as loudly and as much as you can. Everyone should be using it to protect valuable data and information. Just do not think that using MFA, even phishing-resistant MFA, means we can think that all our phishing risks are eliminated. Nothing could be further from the truth.