Want to prevent hackers from using phishing as leverage to enter your IT environment? Start using phishing-resistant multifactor authenticators like hardware keys and identity verification cards.
That’s the advice from the US National Institute of Standards and Technology (NIST).
“Not every transaction requires a phishing-resistant authenticator,” the agency said in a blog post last week. “However, for applications that protect sensitive information (such as health information or confidential customer data), or for users who have elevated privileges (such as administrators or security personnel), organizations must implement, or at least must offer, phishing-resistant authenticators.”
The agency said these tools are often easier, faster and more convenient than the multi-factor authentication processes — such as text-based SMS codes — that employees may currently be using.
What is a phishing-resistant authenticator? Anything that prevents an attacker from using phishing to obtain the authenticator output – such as an MFA code – that accompanies a user’s credentials when accessing IT systems or facilities.
This matters because threat actors are finding ways to trick employees into giving up their codes. One trick is getting victims to unknowingly install malware that enables a man-in-the-middle attack to steal authentication codes. In one such attack, the attacker posed as an IT employee in an email telling the employee to download a “password verification” app. A key part of the scheme is a web page, made to look like the employer’s, from which the app is downloaded. The app intercepts the employee’s username, password and authenticator code.
One of the most common examples of a phishing-resistant authenticator is the Personal Identity Verification (PIV) card used by government employees and contractors. The card contains biometric information, such as the user’s photo and fingerprint, protected by public key cryptography. The user inserts the card into a reader and access is granted.
Business examples of phishing-resistant authenticators are USB, Bluetooth or NFC-based hardware keys such as YubiKeys and Google Titan keys, used for multi-factor authentication. They implement the FIDO Alliance’s U2F open authentication standard. Because the credential lives in a physical key, there is no code for an attacker to intercept. The user inserts the key into a USB slot on the registered device (or the device recognises the key wirelessly) and then presses a button on the key – or uses the built-in fingerprint reader – to authenticate.
NIST states that any phishing-resistant authenticator must address these attack vectors associated with phishing:
- cloned websites – Phishing-resistant authenticators prevent the use of authenticators on illegitimate websites (known as verifiers) through a number of cryptographic measures. This is achieved by establishing authenticated protected channels for communication and by restricting the context in which the authenticator can be used. For example, this can be done through name binding, where a credential is only valid for a specific domain (I can only use it for one website), or by binding to a communication channel, such as client-authenticated TLS (I can only use it on a specific connection).
- attacker-in-the-middle – Phishing-resistant authenticators prevent an attacker-in-the-middle from capturing authentication data from a user and relaying it to the relying website. This is achieved through cryptographic measures, such as using an authenticated secure channel for the exchange and digitally signing authentication data and messages.
- user entry – Phishing-resistant authenticators eliminate the need for the user to type in or manually input authentication data over the Internet. This is achieved through the use of cryptographic keys for authentication that are unlocked locally via biometrics or PINs. No user-entered information is exchanged between the relying website and the authenticator.
- replay – Phishing-resistant authenticators prevent attackers from using captured authentication data at a later time. The cryptographic controls that restrict context and prevent attacker-in-the-middle scenarios also prevent replay attacks, especially when authentication and message data are digitally signed and time-stamped.
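The four properties in the list above, and the difference from the stolen-code attack described earlier, can be seen in a small model of a FIDO-style login. The Go program below is an added example, not code from NIST or from this article: the authenticator holds one private key per website origin and signs a fresh challenge together with the origin the browser is actually connected to, and the genuine site checks the challenge (single use), the origin and the signature. The site names bank.example and bank-login.example, the function names and the signed-message format are assumptions made for the demonstration; real FIDO/WebAuthn assertions carry further fields (signature counter, flags, client data hash) that are left out here.

```go
package main
// Added example (not NIST's or the article's code): cut-down FIDO-style login; bank.example and bank-login.example are made up.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)
// Authenticator models a hardware key: one private key per origin, never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register creates a key pair bound to origin and hands back only the public half.
func (a *Authenticator) Register(origin string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // RNG error ignored for brevity
	a.keys[origin] = priv
	return &priv.PublicKey
}

// Assertion is the key's reply: the origin it signed for, the challenge, and the signature.
type Assertion struct{ Origin string; Challenge, Sig []byte }

// signedMessage binds the challenge to the origin ("name binding"): a signature made for a look-alike site fails at the genuine one.
func signedMessage(origin string, challenge []byte) []byte {
	sum := sha256.Sum256(append(append([]byte(origin), 0), challenge...))
	return sum[:]
}

// Authenticate receives the origin the browser is really connected to; the user types nothing (local touch/PIN unlock omitted).
func (a *Authenticator) Authenticate(browserOrigin string, challenge []byte) (*Assertion, error) {
	priv, ok := a.keys[browserOrigin]
	if !ok {
		return nil, errors.New("no credential for origin " + browserOrigin)
	}
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(browserOrigin, challenge)) // RNG error ignored
	return &Assertion{Origin: browserOrigin, Challenge: challenge, Sig: sig}, nil
}

// RelyingParty is the genuine site: one enrolled public key and one outstanding challenge.
type RelyingParty struct{ Origin string; pub *ecdsa.PublicKey; pending []byte }

// BeginLogin issues a fresh 32-byte random challenge, valid for exactly one assertion.
func (rp *RelyingParty) BeginLogin() []byte {
	rp.pending = make([]byte, 32)
	rand.Read(rp.pending) // crypto/rand; error ignored for brevity
	return rp.pending
}

// FinishLogin checks, in order: challenge is the outstanding one (replay), assertion names this origin (clone/MITM), signature verifies.
func (rp *RelyingParty) FinishLogin(as *Assertion) error {
	ch := rp.pending
	rp.pending = nil // single use
	if ch == nil || string(ch) != string(as.Challenge) {
		return errors.New("challenge mismatch (stale or replayed assertion)")
	}
	if as.Origin != rp.Origin {
		return errors.New("assertion bound to another origin: " + as.Origin)
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(rp.Origin, ch), as.Sig) {
		return errors.New("signature invalid")
	}
	return nil
}

// setup enrolls the user's key at the genuine site bank.example.
func setup() (*RelyingParty, *Authenticator) {
	key := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	return &RelyingParty{Origin: "bank.example", pub: key.Register("bank.example")}, key
}

// Attempt runs one login with the browser on browserOrigin; enrollThere means the user had also enrolled the key at that origin.
func Attempt(browserOrigin string, enrollThere bool) error {
	rp, key := setup()
	if enrollThere {
		key.Register(browserOrigin)
	}
	as, err := key.Authenticate(browserOrigin, rp.BeginLogin())
	if err != nil {
		return err
	}
	return rp.FinishLogin(as)
}

// Replay presents an assertion captured from a genuine login against a later session.
func Replay() error {
	rp, key := setup()
	as, _ := key.Authenticate("bank.example", rp.BeginLogin())
	rp.FinishLogin(as) // accepted once
	rp.BeginLogin()    // a new session means a new challenge
	return rp.FinishLogin(as)
}

func main() {
	fmt.Println(Attempt("bank.example", false), Attempt("bank-login.example", false), Attempt("bank-login.example", true), Replay())
}
```

Running it prints four results: the legitimate login returns no error, the phishing origin finds no credential on the key, the relayed assertion is rejected because it is bound to bank-login.example, and the replayed assertion fails the challenge check. The third case is the one that matters most for the cloned-website and attacker-in-the-middle items: even when the victim's key is willing to sign, the signature covers the wrong origin, so relaying it to the genuine site gains the attacker nothing, which is exactly what a forwarded SMS or app code cannot guarantee.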
NIST states that phishing-resistant authentication is an important tool in personal and enterprise security that should be adopted. “They are not,” the blog says, “a silver bullet. Phishing-resistant authenticators only address one focus of phishing attacks—the compromise and reuse of authenticators such as passwords and one-time passcodes. They do not prevent phishing attempts that may have alternative goals, such as installing malware or compromising personal information for use elsewhere.”
“Phishing-resistant authenticators should be combined with a comprehensive phishing prevention program that includes user awareness and training, email security controls, data loss prevention tools, and network security capabilities.”