The US Government Now Wants Phishing Resistant MFA
One year ago, the United States government issued a new mandate. The goal was to transition key government digital infrastructure to “Phishing Resistant MFA” systems by 2024. Phishing is where cyber-criminals use deceptive techniques or even digital spy/surveillance technology to steal the login credentials required to access an account. The traditional password system has always been especially vulnerable to this, as a single password grant total access.
How Passwords Are Stolen
The most common techniques for stealing access are:
Phishing
This usually entails a deceptive email impersonating an individual or organization of authority that requires a credential check-in, usually at a fake website.
Push Bombing
The practice of sending multiple notifications to a person’s device, hoping that fatigue will eventually cause them to erroneously accept a notification and inadvertently grant access to a device.
SS7 Protocol Vulnerabilities
The cellular communication infrastructure has certain vulnerabilities that allow for outside surveillance. More sophisticated cybercriminals can spy on these lines of communication to read messages sent via text/SMS.
SIM Swap
A more specialized form of phishing, this technique impersonates the victim, going to the service provider and deceiving them into surrendering more access to an account to the person posing as the identity that they wish to steal. Here, the victim doesn’t provide access; the victim’s service provider does.
How MFA Helps
Phishing-resistant multifactor authentication, or MFA, throws up barriers that make these established practices nearly impossible to execute. The multifactor nature of this authentication means more than one component is required for verification and access. This means that even if a password is still being used, should it be stolen, other components, such as biometrics, or a physical passkey, prevent the password alone from being enough to grant access.
The Fast Identity Online Association, or FIDO, has worked with the Cybersecurity & Infrastructure Security Agency, or CISA, to create standard phishing-resistant MFA technology that works across different forms of hardware and software. FIDO/WebAuthn authentication and public key infrastructure, like passkeys, mean that even surveillance techniques like SS7 can’t yield complete success for thieves because the required usage of a passkey on a specific device or biometrics, such as a thumbprint, prevents remote access.
This provides government workers the security they need to protect data while still providing the flexibility to securely access that data, onsite or at any location, with their personal devices.
If you’re interested in improving your cybersecurity, you can learn more here about Nok Nok’s multifactor authentication technology and passwordless security measures.