Part I: Passwordless Adds Phishing Resistance,But How You Get There Matters

John Kimberly | November 20, 2022

By now, we all know the story:

A pandemic sends the world home, driving IT to digitalize now and fine-tune security later. Before later gets here, a rash of the third-party, supply chain, and ransomware attacks torpedo businesses left and right, along with a massive resurgence of hackers’ all-time favorite ploy—phishing—levied against the workforce.

The phishing resurgence proves what we suspected all along: that for all the investment in cybersecurity, bad guys still wreak havoc by tricking users into giving up secrets. This non-revelation inspires new products, best practices, and, last but not least, new regulations for Zero Trust and phishing-resistance strategies.

So now, as we unpack the Office of Management and Budget memorandum 22-09 from the Biden administration, we encounter a mandate for “phishing-resistant” multi-factor authentication (MFA) by 2024 that raises a bunch of good questions.

Why is the core focus on MFA?

This one’s easy: Phishing and authentication are inextricably linked because what typically gets phished are users’ log-in credentials, “something they know” that can be leveraged to access a website, database, or application. Even as employees get better at spotting fake emails and spurious sign-in pages, a perennial harsh truth applies: IT needs to defend everything while bad guys need only one trusting user to give up one secret password and it’s “game on.”

Innovations to date have not solved this problem. First IT raised the stakes by adding a second step, often a text message or email with one-time passcodes (OTPs) sent to mobile phones. Then two-factor authentication evolved into multi-factor as we added other approaches, like biometrics (something you are) and security keys (something you have), to the mix.

MFA caused users to spend up to 5% of their time logging into things in 2021 yet credentials still factored into 80% of breaches. Successful phishing attacks continue to rise year over year (YoY), and too many Help Desks calls still revolve around resetting passwords.

MFA also remains vulnerable to elaborate duplicitous “man in the middle” (MITM) attacks in which adversaries trick users into entering keys and OTPs into fake log-in pages so they can turn around and use them to access the real sites. So, for all the friction it causes with users, we can safely conclude that traditional MFA does not make us phishing-resistant.

Why? Because traditional MFA still contains passwords—secrets that get phished—and most passwords get managed by users.

Let’s break it down . . .

The Need for Passwordless MFA

The phishing-resistant MFA conversation now centers around passwordless authentication because eliminating passwords from users’ authentication process effectively removes the target. According to research conducted by SDO and others, Passwordless MFA MFA:

  • Takes “what users know” out of the authentication equation and let’s identity and access management (IAM) focus on making sure the people are who they say they are
  • Eliminates MFA fatigue
  • Saves companies up to $2M per year on Help Desk calls and lost productivity, and perhaps most important
  • Stops feeding the phish

Try the Passwordless MFA ROI calculator and gain insights

Passwordless MFA delivers the rare ROI trifecta—less risk, less cost, fewer headaches—if you do it the right way. Which begs even more challenging questions:

  • How do we define “passwordless” authentication?
  • When, where, and how should it be implemented?
  • Should we replace passwords with something else to maintain multi-factor while getting rid of the secrets?
  • Do we need to be passwordless everywhere—because it only takes one user giving up one primo password to usher in havoc—to call ourselves “phishing-resistant”?

This last question looms largest because “Everywhere” means everywhere —on prem, in the cloud, for every application, and every use case. If we say yes to everywhere, we then must ask:

Can we really get rid of passwords?

The short answer is: yes, and no. Ultimately, the industry will evolve into Passwordless MFA Everywhere. But even most Passwordless MFA vendors don’t see “ultimately” arriving anytime soon. So, where does that leave us in terms of complying with evolving Zero-Trust compliance mandates?

We need to be realistic. For many enterprises in many industries (including critical infrastructure, healthcare, and finance), most corporate infrastructures and applications remain password-centric. They can’t all be dramatically retooled by 2024.

So, while the ultimate goal is for government agencies and other organizations to be both passwordless and phishing-resistant, how we approach passwordless directly impacts when we can check the box on “phishing resistant.” Even in cloud-first organizations, some percentage of applications will probably require passwords for up to ten years. And for others, it’s much higher.

But, practically speaking, if we can eliminate passwords completely from the user experience, we satisfy the intent of Zero Trust strategies for becoming phishing-resistant. And as it turns out, we can do that pretty fast—like today—while embracing the industry’s vision for making Passwordless MFA a reality.

All that needs to happen is the transfer of password management from users to IT.

How to give IT control?

As typically happens with compliance conversations, a working definition of phishing-resistant MFA has emerged. The Cybersecurity & Infrastructure Security Agency (CISA) defines it as:

  • FIDO/WebAuthn authentication
  • Public key infrastructure (PKI)-based

Both methods take the responsibility of password management away from users, but neither can they do it for every application right away. That means you still have passwords.

And as we said earlier, implementing these methods, PKI in particular, requires sweeping changes to your IT infrastructure (which means you have chaos). Right now, updating user authentication to PKI technologies like certificates, Windows Hello for Business, and FIDO can take months, even years, and still leave gaps in enterprise workflows, like desktops, critical apps, and remote access.

This won’t always be true, but it will still be true in 2024. So, while supporting FIDO2 Secret Double Octopus has defined a practical path to Passwordless MFA that keeps IT in control. The subject of an upcoming webinar, this approach decouples making the user experience passwordless from rearchitecting the IT infrastructure (for as long as IT wants).

Change is hard. Octopus is easy

In Part II of this series, we’ll take a closer look at next-generation Passwordless MFA that includes standards-based security hardware keys and smartphone biometrics-based MFA. We’ll explore implementing phishing-resistant MFA with FIDO2 and password-centric identity-proofing environments and outline a reality-driven passwordless journey that lets IT check the “phishing-resistant” box now—and actually stop getting phished—and change the identity infrastructure whenever they’re ready (IT stays in control!).

Watch the full webinar on-demand, 5 Ways Passwordless MFA Stops Modern Phishing and MFA Attacks, to learn more.

Want to chat with one of our passwordless MFA experts about how Double Octopus can help your organization’s needs, schedule a quick call with us today.