Let’s take you through a new-age creation story. First came digital data. Then servers and accounts to store, share, and create more data. Along with accounts came usernames and passwords, so that the right people have access to the data. And when the wrong people started to get access to it, we entered the age of social engineering and phishing. Countermeasures had to be implemented, so we created multifactor authentication, or MFA. With that, OTPs became an essential part of daily life. But the bad guys had countermeasures for our countermeasures, and companies like Twilio, Uber, and Reddit became cautionary tales of MFA being bypassed.
So, now, you may think the next step of the story is to move on from MFAs and create something bigger, bolder, and safer. But thankfully,
“Not all MFAs are created equal.”
Phishing-resistant MFAs incorporate physical tokens and public key cryptography that provide an extremely secure authentication experience for your organization.
An innocuous-looking device like this could prove to be the solution for all your authentication woes:
This blog is not going to get into the nitty-gritty of phishing and phishing-resistant MFAs – you can read all about it here. Instead, this blog is for those who understand the value of this particular MFA and are looking for ways to integrate this technology in their organization.
Because the truth is, it’s not as simple as deciding one day to hand everyone in your organization a physical token and saying ‘Cool, from now on, this is how you’re going to authenticate’. Firstly, there is significant investment involved, and secondly, it requires a large culture shift, and the only way to avoid teething problems is a methodical rollout.
Here are four steps to ensure a seamless integration of this technology:
Step 1: Start with your privileged accounts
These include all accounts with more rights than normal users: the ability to install or remove software, upgrade operating systems, modify system or application configurations, or access files not normally accessible to standard users. Your IT administrators, security teams, helpdesk experts and database administrators all fall under this purview. (So do M2M and A2A accounts that automate payments, create daily backups, etc., but for the sake of this step we’ll stick to real people.)
It’s important to start with these accounts, simply because this is where attackers do the most damage. If they somehow gain access to a privileged account, the fallout could be catastrophic. They could change system functionality, inject malware, or steal sensitive data for ransom. In fact, a study by Forrester says 80% of data breaches are connected to compromised privileged credentials.
Extra priority should be given to remote privileged users because they operate outside secure enterprise network perimeters and often access corporate resources on unsecured devices. Attackers are acutely aware of this, as evidenced by a 667% increase in phishing attempts during the height of the COVID-19 pandemic.
Phishing-resistant MFA drastically reduces the chance of this because no shared secret is used at any point in the login process. That in itself eliminates the attacker’s ability to intercept and replay access credentials.
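To make the “nothing to intercept and replay” point concrete, here is an added example (not code from the original post or from any vendor mentioned in it) of the relying-party checks behind FIDO2/WebAuthn, written in Go and reduced to the essentials: the token signs a one-time challenge together with the origin the browser saw, and the server accepts only its own origin, an unused challenge and a valid signature from the registered public key. The origins, challenge values and type names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)
// ClientData mirrors WebAuthn's clientDataJSON: the browser, not the user, fills in Origin.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type RelyingParty struct { // the token's registered public key and unconsumed challenges
	Origin     string
	PubKey     *ecdsa.PublicKey
	Challenges map[string]bool
}
// Verify accepts only a fresh challenge signed by the registered key for our own origin.
func (rp *RelyingParty) Verify(cdJSON, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: signed for another site")
	}
	if !rp.Challenges[cd.Challenge] {
		return errors.New("unknown or reused challenge")
	}
	h := sha256.Sum256(cdJSON)
	if !ecdsa.VerifyASN1(rp.PubKey, h[:], sig) {
		return errors.New("bad signature")
	}
	delete(rp.Challenges, cd.Challenge) // challenges are single-use
	return nil
}
// Sign mimics the token: its private key never leaves it, and it signs the client data as given.
func Sign(priv *ecdsa.PrivateKey, cd ClientData) (cdJSON, sig []byte) {
	cdJSON, _ = json.Marshal(cd)
	h := sha256.Sum256(cdJSON)
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, h[:])
	return cdJSON, sig
}
func NewRelyingParty(origin, challenge string) (*RelyingParty, *ecdsa.PrivateKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &RelyingParty{origin, &priv.PublicKey, map[string]bool{challenge: true}}, priv
}
```

A login relayed through a look-alike site fails the origin check, a captured assertion fails the challenge check the second time, and client data rewritten after signing fails the signature check.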
Great, so you’ve decided which employees are privileged enough to be part of Phase 1 of your rollout.
Step 2: Create user awareness for this MFA
And we’re not talking about the usual awareness programs companies run regarding phishing. Sure, you can make them mandatory for employees, but the fact of the matter is, most employees sleepwalk through them.
There is scope to make these more engaging. Some companies do hands-on training, like sending out dummy phishing emails to their employees and seeing how many click the link.
Turns out, the only real user awareness you need to create about phishing-resistant MFA is how to register and use these physical tokens. Once that’s done, show them how to use this authentication on the sites and services they frequent, like Google, Facebook, Microsoft, and X (formerly Twitter), all of which support this technology. But most importantly, you need to hammer home the point that they must always keep their passkey with them. Since this is a completely new process, users who are not tech-savvy need hand-holding throughout the entire induction process.
Everything else regarding security is handled by the ecosystem. Yubico, one of the vendors we work with, owns the entire process of creating their passkeys. They validate their sourced components, build the product, program & certify the keys, and package & ship them, all by themselves.
The user just has to use their passkeys and authenticate.
Step 3: Optimize convenience factor for users
Adding authentication factors should not mean extra effort for users, otherwise they’ll be completely turned off by it. You need authentication that makes users more comfortable while incrementally increasing security.
Thankfully, phishing-resistant MFA ticks all the boxes. In fact, FIDO2 authentication completely eradicates the need for usernames and passwords. It means users can authenticate without being mindful of it, and instead focus their energies on other work. They just need to be present during the authentication process.
An interesting debate arises in the case of a user’s credentials being compromised. Who is liable for this: the user or the company?
Sure, in most cases the user is the initial victim, but it is the company that faces potential loss of value and customers. By enabling authentication through a certified, company-issued passkey, you are putting more of the burden of responsibility on your organization and cutting the risk of user error.
Step 4: Periodic Evaluation & Re-evaluation
This is a practice you should follow for all your IT security tools, and it’s no different for phishing-resistant MFA. If you’ve rolled out this MFA and the relevant support tickets don’t go down, it’s safe to say something is wrong. As we touched upon earlier, this MFA should make it easier, not harder, for users to authenticate.
If this is the case, revisit your awareness program and take feedback from your privileged users on where they are getting stuck. Learn from this and create simpler directives based on what you find.
But if the MFA is having the desired effect, you might consider moving on to the next phase of employees. Only when the entire organization is covered will authentication be considered a completely secure experience.