How to Become Phish Resistant by Going Passwordless
Phishing attempts have proven a persistent menace for businesses over the years. Bad actors have remained relentless in their pursuit of stealing sensitive data, and their efforts, unfortunately, have largely paid off. In fact, in 2021 the global cost of cybercrime exceeded $6 trillion – a jarring statistic which indicates that cybercriminals show no sign of slowing. Phishing scams have proven the most costly of attacks to businesses large and small.
Many business leaders are still scratching their heads when considering a solution to the phishing epidemic. After all, phishing attacks have recently sparked significant crises at multiple behemoth companies, including, but certainly not limited to, Twitter, Twilio, and Uber.
The solution, however, is not far out of reach. Businesses and individuals alike now have the opportunity to become phish resistant by going passwordless.
What does it mean to be Phish Resistant?
When discussing phish resistance, it is important to recognize what makes businesses vulnerable to phishing attacks. Each time a user inputs credentials (username and password), the opportunity for attack increases. Every time a password is typed, a cybercriminal can intercept those credentials in transit. End users are unaware that a bad actor is monitoring the network to steal credentials, a problem that commonly occurs with man-in-the-middle attacks, and this in turn puts the environment at risk. If a username and password are intercepted, the individual who has stolen your credentials can use them to compromise sensitive data.
Phish resistant technology ensures that credentials cannot be stolen by a bad actor who uses various phishing and social engineering methods, such as man-in-the-middle, spear phishing, whale phishing, etc.
How Does Passwordless Make You Phish Resistant?
Phish resistance and passwordless should be synonymous terms, as the goal of passwordless authentication is to eliminate the vulnerability that arises each time credentials are entered. Passwordless techniques like multifactor authentication (MFA), single sign-on (SSO), biometrics, and certificate-based authentication, used in combination, can ensure credentials are typed as infrequently as possible.
Phish resistant, passwordless strategies force end users to complete a specific action to authenticate. Since most phishing attacks are executed from sources external to an organization, these attackers do not physically hold the trusted devices that prove a user's identity, so requiring interaction with the device ensures the attacker's attempt cannot succeed.
The Microsoft Authenticator app and FIDO2 security keys are trusted devices that require the end user to physically interact with the device to authenticate, proving that the user is genuine at the moment of the authentication attempt. The Microsoft Authenticator app also adds further steps, like entering a number or verifying geo-location, to address compromise techniques such as MFA fatigue.
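To make concrete why a FIDO2 key defeats a credential-relaying man-in-the-middle, here is an added example (not code from the original post or from Microsoft): a toy relying party in Go that runs the WebAuthn assertion checks. The RP name, origins and attacker host are constructed, the security key's key pair is modelled by an in-process P-256 key, and origins are assumed to start with `https://`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Constructed relying party (RP). credKey stands in for the key pair a FIDO2 key
// generates at registration; the RP stores only the public half.
const rpID, rpOrigin = "login.example.com", "https://login.example.com"
var credKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
type assertion struct{ ClientData, AuthData, Sig []byte }

// signedMsg is what the key signs: authenticatorData || SHA-256(clientDataJSON).
func signedMsg(ad, cd []byte) []byte {
	h := sha256.Sum256(cd)
	m := sha256.Sum256(append(append([]byte{}, ad...), h[:]...))
	return m[:]
}
// sign models browser plus security key: the browser records the origin it really
// loaded and scopes the RP ID to that host; the user types neither field.
func sign(challenge []byte, origin string) assertion {
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get",
		"challenge": hex.EncodeToString(challenge), "origin": origin})
	rpHash := sha256.Sum256([]byte(origin[len("https://"):])) // host part of the origin (assumes https://)
	ad := append(rpHash[:], 0x01, 0, 0, 0, 0)                  // rpIdHash | flags (user present) | signCount
	sig, _ := ecdsa.SignASN1(rand.Reader, credKey, signedMsg(ad, cd))
	return assertion{cd, ad, sig}
}
// verify runs the RP-side checks (simplified from the WebAuthn spec).
func verify(a assertion, expected []byte) bool {
	var cd struct{ Type, Challenge, Origin string }
	want := sha256.Sum256([]byte(rpID))
	if json.Unmarshal(a.ClientData, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != hex.EncodeToString(expected) || // stale or replayed challenge
		cd.Origin != rpOrigin || // assertion was produced for another site (phishing)
		len(a.AuthData) < 32 || string(a.AuthData[:32]) != string(want[:]) { // rpIdHash
		return false
	}
	return ecdsa.VerifyASN1(&credKey.PublicKey, signedMsg(a.AuthData, a.ClientData), a.Sig)
}
// Login is one ceremony: the RP issues challenge c, the browser signs it at the page it really
// loaded, the RP verifies. A proxy relaying c only gets an assertion bound to its own origin.
func Login(c []byte, origin string) bool { return verify(sign(c, origin), c) }
func main() { c := make([]byte, 32); rand.Read(c); fmt.Println(Login(c, rpOrigin), Login(c, "https://login-example.attacker.test")) }
```

Because the signature covers clientDataJSON and authenticatorData, a proxy cannot rewrite the origin or rpIdHash to pass the checks; a password or one-time code relayed the same way carries no such binding.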
How to Use Passwordless Technology for Phish Resistance
You’ll often hear IT leaders referring to passwordless authentication as a journey – and they’re right. A well-functioning passwordless program is not something that can be easily put in place overnight. That said, there are some basic crucial components that will set you up for phish resistant passwordless success.
Enabling phish resistant multi-factor authentication (MFA) minimizes authentication prompts and dissuades bad actors from launching phishing attempts against your users. MFA is the verification step that ensures the person logging in is who they claim to be, and it is proven to prevent 99% of all malicious attacks. It is a critical aspect of phish resistance, so much so that NIST has mandated the use of strong MFA by federal agencies throughout their enterprises. MFA should be used everywhere, all the time, as a serious precaution.
Deploy the Authenticator App or FIDO2 Keys
The Authenticator app provides an elegant solution that simply presents end users with an option to accept or decline an access request on their device. For employees without a smartphone or internet access, a FIDO2 key enables the employee to log in securely and quickly.
Couple MFA and SSO with the machine learning in the Authenticator app, and your business will have an intelligent phish resistant system, a winning combination.
Rather than being prompted for unique passwords for each application, which can lead to phishing vulnerability, Single Sign-On automatically authenticates the user to trusted applications and resources.
Biometrics leverages a user's face, voice, or fingerprint to authenticate. Tools like Windows Hello for Business (WHfB) remove the need to repeatedly type credentials by using biometric sign-in as the means for end users to log in to an environment.
Securing Digital Identities from Phishing Attempts
At their core, passwordless technologies exist to secure our digital identities, which carry the sensitive data cyber-criminals desire most. Part of having a strong digital identity environment is to always assume it will be attacked (commonly referred to as a Zero Trust Architecture) and to limit the blast radius if an intruder does somehow penetrate your environment. The ultimate goal is to prevent lateral movement, which occurs when compromised credentials are used to elevate permissions and collect sensitive data from under-protected assets.
As phishing-induced breaches continue to increase, it is important to act now to protect your digital identities and business. Passwordless technology is the best line of defense when it comes to keeping these bad actors out of your environment. Securing your data by going passwordless will help your business to avoid the massive costs associated with a data breach and the PR nightmares that typically accompany an incident. If you aren’t on board with a passwordless strategy yet, now is likely the time to take the plunge.
Demetrius Cooper is Mobile Mentor's Digital Identity lead. He has over 11 years of industry experience with a predominant focus on digital identity. A Chicago native, Demetrius lives and works in Atlanta, GA.