January 8, 2024
Don’t Become Phish Food – the role of MFA
By Fredrik Martinsson
By Fredrik Martinsson
Have you noticed how realistic phishing attempts have become?
Phishing awareness training is now common so we’d all identify the first recorded phishing attempt from the mid-1990s. But, as the digital world has evolved and innovated, so have the attackers. The phishing attempts of today are significantly more complex. This is due to several reasons:
Previously hackers have been limited to email as the only possible communication channel for phishing attempts. Nowadays, hackers can also phish through phones and other personal communication channels. This can enable multi-pronged phishing campaigns to increase urgency.
With company and personal data often one click away, phishing emails can be highly tailored and personalized. Unlike the original phishers, phisher today can easily litter phishing emails with truths, such as your boss’ name or your company’s address/phone number, to make the email more credible.
More recently, hackers have been leveraging AI content generation tools to make phishing more scalable, efficient and credible. A hacker can provide all the required prompts (taken from publicly available data) for a tool like ChatGPT to create a highly convincing email from, for example, an organization’s finance director or CEO. This template can then be adapted for each employee within that organization, and then instantly shared using a mass email sending program.
What is the result of all this?
But don’t worry. Despite the rising threat, many organizations are fighting back, looking to evolve traditional security measures to fortify against the digital threats of today.
Popular phishing-resistant solutions
In recent years, new solutions are working to combat phishing attacks. Most of these solutions include some form of multi-factor authentication (MFA). MFA adds layers of authentication on top of or seeks to replace legacy security measures (passwords/PINs).
Because humans are a key link in the security chain (IBM estimates that 95% of data breach incidents are due to human error), the best authentication solutions seek to minimize or remove user interaction altogether. Two of the most popular anti-phishing solutions on the market today include:
Passkey technology is the closest thing we have to phishing resistance in the current market. Yet, the level of security of passkey varies depending on what solution is supporting it. If passkey is supported by a solution that relies on ‘something you know’, then the same issues experienced with PINs and passwords persist: a lack of security and convenience. Whereas if passkey is supported by ‘something you are / have’, such as a biometrics-enabled smartphone or hardware token, not only are phishing risks reduced, but convenience is also enhanced. In this case, you’d be more secure than ever and you’d never have to remember a PIN or password again.
Something you are
The smartphone, PC, access control and payments industries are already wise to the value offered by ‘something you are’; using each person’s uniqueness to strengthen authentication. Through years of familiarization, via our phones, PCs and laptops, consumers have come to trust and value biometric authentication. 52% of those who use biometrics prefer it over any other authentication method.
This is due to two main factors:
Firstly, biometrics offers more robust security. PINs and passwords are easy to implement, but they are also easily compromised through phishing, data breaches and other social engineering techniques.
By incorporating biometric technology into the authentication process, you become the key. It becomes impossible to share your log-in credentials externally. This drastically limits the potential for human error being the cause of a data breach. In addition, no biometric information is stored in a database, instead the information is stored on the device itself as a template in binary code. Storing a mathematical representation rather than an image makes hacking considerably more challenging.
Secondly, biometrics offers enhanced convenience and a seamless user authentication experience. As the number of connected systems in our lives grows, it is becoming almost impossible to create, remember and manage a growing list of passwords and PINs.
60% of consumers feel that they have too many passwords to remember, with some consumers having in excess of 85 for all their professional and personal accounts. The authentication process with biometrics is simple, safe and secure and you’d never have remember another password again.
In addition, the familiarity and scalability of biometrics cannot be understated. Today it is estimated that 81% of smartphones globally incorporate some form of biometrics. As the market moves towards passkey technology for authentication, most of us will already / will be able to leverage biometrics to support passkey technology.
While innovation is offering more opportunity for organizations to work smarter, it’s also opening the door to sophisticated crime. As phishing continues to rise, while it won’t be eradicated anytime soon, the industry is fighting back with innovative solutions designed to limit human interaction and increase the number of hurdles hackers must jump through to successfully phish.
Overall, it’s vital that, as a bare minimum, we all ensure we have MFA processes in place. PINs and passwords are no longer sufficient to keep phishers at bay. As a guide for best-practice, we should look to incorporate some form of passkey into authentication processes. For those looking to further fortify against phishers, a passkey process that is supported by biometrics is today’s authentication nirvana, ensuring robust security and a seamless user experience.
Learn more about the technology that is underpinning personal and organizational security.