Part II: A Practical Path to Passwordless Phishing Resistant MFA

John Kimberly | December 7, 2022

Who would have thought that in 2022 some of the world’s most devastating cyberattacks would still start with phishing? In Part I of this series, we looked at how rising pressure from attackers, regulators, and cyber insurance premiums led to goals of rolling out phishing-resistant authentication as early as 2024 and how that goal became synonymous with a passwordless approach to MFA.

In Part II, we’ll look deeper at what that means for workforce environments.


To summarize: phishing remains popular among threat actors because it still works. All adversaries need is one user at a company to let one secret slip out—a username/password combination, account number, or customer information—and sadly, we still see that a lot.

Passwordless MFA stops these breaches by doing away with users’ passwords, effectively taking the phish out of the sea. Adopting such an approach makes complete sense, but it is a journey that raises tough questions and a few red flags. For starters:

What does phishing-resistant MFA even mean?

Does “phishing resistant” mean more resistant authentication that makes it harder to phish or MFA that’s inexorably, relentlessly, and eternally unphishable? Absolute unphishability sounds much better, and that seems to be the intent of government mandates, as well as the promise of passwordless vendor marketing.

Is this vision realistic? For argument’s sake, let’s say yes, it is. It is achievable today by outfitting users with specialized authenticators (e.g. FIDO2 keys). The problem is: hardware tokens and authentication apps carry steep overhead costs to buy, distribute, and manage.

These are important considerations but relatively simple problems to solve. The real challenge is getting authentication to work with the infrastructure and the apps that drive the business. Developing a realistic adoption plan raises another slew of questions about when, where, and how we get there:

  • Should all workforce applications be phishing-resistant by 2024?
  • If “Passwordless MFA Everywhere” is a long journey, which users and applications should go first?
  • What options exist for replacing passwords? How much time, effort, and funding should you expect to invest in each?
  • What is the fastest, most practical approach?

The answers to these questions depend partly on your company’s priorities, realities, and expectations. Below we’ll take a quick look at each.

Should all workforce applications feature passwordless MFA by 2024?

In the U.S., Office of Management & Budget (OMB) memorandum M-22-09, which sets out the federal zero trust strategy, requires (paraphrased):

  • MFA must be enforced at the application layer instead of the network layer
  • For agency staff, contractors, and partners, phishing-resistant MFA is required
  • For public users, phishing-resistant MFA must be an option
  • Password policies must not require the use of special characters or regular rotation

The memo doesn’t use the word, but passwordless has gained widespread consensus as the “desired state” for both authentication and phishing resistance, particularly in the workforce. And while no one expects it all to happen by FY24, the path you choose dramatically impacts your rate of progress.

“We’re not part of the government, so why does this matter to us?”

The concepts outlined by regulators are creating a ripple effect across commercial industries since:

  • NIST 800-171 will likely expand phishing-resistant elements like the MFA requirement 3.5.3 (use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts) to businesses that make up the government supply chain
  • Cyber insurance actuaries see the same phishing threat
  • No one wants to get popped by a phish that leads to ransomware!

If passwordless MFA can’t happen all at once, which applications should go first?

This one’s a trick question. The seemingly obvious answer is “cloud” because that seems easiest, and that’s where most vendors have started. But the real answer is:

All applications need to be phishing-resistant, or you’re not really phishing resistant

How much safer are you if 25% of your apps still require users to set, forget, and reset passwords over and over? To make phishing more trouble than it’s worth, all applications should adopt passwordless MFA as quickly as possible—a tall order since even cloud-first companies maintain a significant percentage of password-centric infrastructure and applications.

For example, many attacks target critical infrastructure providers—energy and utility companies, government agencies, universities, and hospitals—that maintain decades-old custom applications and critical services on-prem. These are the very entities the new regulatory mandates aim to make safer.

The guidance remains unclear as to whether we get to check the box on phishing resistance after migrating some apps and remote users or all apps and users to phishing-resistant MFA. Yet, experts agree that the faster we get users out of the password management business, the safer and happier regulators, insurance companies, IT, and users themselves will be.

What viable options exist for eliminating passwords? What do they entail?

Here, things get a bit nuanced. In a recent overview, the Cybersecurity & Infrastructure Security Agency (CISA) lists as options for phishing-resistant MFA:

  • Fast Identity Online (FIDO)/WebAuthn authentication
  • Public Key Infrastructure (PKI)-based (e.g., smart card, PIV, CAC)

CISA calls FIDO “the only widely available phishing-resistant authentication.” WebAuthn, the web API half of the FIDO2 standard, was developed jointly by the FIDO Alliance and the World Wide Web Consortium (W3C) and published as a W3C Recommendation; it found rapid traction among leading browsers, mobile devices, and OSs. Instead of a shared secret such as a password, WebAuthn authenticates with a public-key credential bound to an authenticator (a roaming hardware key or a platform authenticator built into the device). A biometric or PIN only unlocks that authenticator locally; it is never sent to the site.

PKI-based authentication uses X.509 certificates: each user or device holds a private key, and a certificate issued by a trusted certificate authority binds the matching public key to that identity, so the authenticating party proves possession of the private key rather than presenting a secret. To date, aside from being built into roughly $100 smart cards with embedded certificates (used mainly within government, as PIV and CAC cards), client-side X.509 PKI has yet to be widely adopted.

Why? Because it’s hard and requires a significant retooling of both apps and directory infrastructures. CISA observes:

Successfully deploying PKI-based MFA requires highly mature identity management practices. It is also not as widely supported by commonly used services and infrastructure, especially in the absence of SSO technologies.  

In practice, “highly mature identity management practices” translates into being able to mount Herculean efforts to lift, shift, and rearchitect directories, servers, and custom or legacy applications.

Emerging approaches such as Windows Hello for Business let you keep your current directory infrastructure, but that directory still has to be retooled to issue and trust certificates or keys rather than passwords, a feat that proves much more formidable than the popular narrative makes it sound.

Applications that use passwords to talk to directories may need recoding to start talking PKI, a big lift at best

Leading providers of FIDO2 and PKI-based solutions acknowledge that recoding an environment filled with custom and legacy applications is a journey, not a sprint.

Can you say, “Hello, risk?”

So, while experts all maintain—and SDO agrees—that the future of authentication is passwordless MFA based on PKI, it’s important to realize that

PKI won’t stop phishing right now because PKI can’t go everywhere right now

Or next year, or the year after that. Perhaps you’ve also heard horror stories of it taking IT a full year to migrate the first application to PKI-based authentication. Now imagine going application by application, rearchitecting your directories to look for something other than passwords.

The reality? IT leaders need to choose which is more valuable today: phishing-resistant passwordless, or PKI. If we accept that being passwordless across all workforce applications will do more to stop phishing, the obvious question becomes:

Is there a practical way to do passwordless now and a PKI infrastructure at IT’s discretion?

Spoiler alert: the answer is yes. A more practical approach would:

  • Deliver passwordless MFA login in today’s password-centric world
  • Create full phishing resistance by taking passwords out of the user authentication process and password management out of users’ hands—with no app left behind
  • Disrupt modern man-in-the-middle (MITM) attacks
  • Expand IT control
  • Support FIDO2 and passwordless MFA right now with a clear path to PKI infrastructure when it matures (i.e., define a pathway for enterprises to be FIDO everywhere)

With these criteria in mind, Secret Double Octopus (SDO) just added a suite of phishing-resistance capabilities to the Octopus authentication platform. SDO decouples user-side authentication from backend infrastructure management. This lets IT extend a passwordless authentication experience to all workforce users without massive recoding of applications and directories.

Users and IT alike benefit from a real-world, go-at-your-own-pace path to adopting PKI. SDO uses FIDO and desktop-to-app signed pinning to enable phishing-resistant passwordless MFA today, with password directories or FIDO servers on the back end.

Phishing Resistance

SDO’s real-world phishing resistance: The benefits of a FIDO2 and signed token pinning approach that works with password directories today

Along with FIDO2 key pairing, SDO’s new phishing-resistant enhancements include desktop-to-app pinning and other MFA resilience capabilities that stymie adversaries and alert IT to indicators of phishing attacks underway. 

SDO supports FIDO2 and uses the same principles of pinning user devices to workforce resources to extend phishing-resistant MFA to web and corporate applications today.

How pinning works

FIDO2 works by registering a public-key credential with a specific site (the relying party) ahead of time. The credential is scoped to that site’s domain, and the private key never leaves the authenticator. At login the site sends a random challenge, the browser bundles it with the origin the user is actually on, and the authenticator signs that bundle. An adversary-in-the-middle phish therefore fails twice over: the browser will not invoke a credential registered for the real domain from a look-alike domain, and even if the attacker captured everything the user could leak, including the public key, they cannot produce a valid signature over the site’s challenge without the private key, which the site verifies against the public key it stored at registration.

SDO’s new desktop-to-application pinning capability extends the same phishing-resistant pinning to enterprise environments that are not provisioned with FIDO2 keys and servers.  Now businesses that operate password-centric identity directory infrastructures can pin users’ workstations to their individual SSO portals while blocking MITM access to web application resources and corporate applications.

Phishing resistance derives from pre-pinning user devices or identities to destination sites or applications, not from the specific mechanism used to achieve the trusted state

The bottom line: there are no credentials to phish, or rather, no phish in the sea.

Secret Double Octopus Phishing-resistant MFA

Change is hard. SDO Passwordless MFA is easy.

Because the platform decouples users and backend infrastructure, Octopus can extend phishing-resistant passwordless MFA to any application today with full support for FIDO2 and a practical path to a PKI infrastructure. The approach achieves all the purported benefits of passwordless authentication—reduced risk, cost, MFA fatigue, and Help Desk calls—and includes a secure built-in fallback mechanism (passwords controlled by IT).

Our approach delivers the fastest, broadest evolution toward phishing-resistant MFA—no passwords with no change required to the back-end infrastructure.

Read the press release and arrange a demo today to learn more.