Want to stop hackers from using phishing as leverage to get into your IT environment? Start using phishing-resistant multifactor authenticators such as hardware keys and identity verification cards.
That’s the advice of the U.S. National Institute for Standards in Technology (NIST).
“Not every transaction requires phishing resistant-authenticators,” the agency said in a blog last week. “However, for applications that protect sensitive information (such as health information or confidential client data), or for users that have elevated privileges (such as admins or security personnel) organizations should be enforcing, or at least offering, phishing-resistant authenticators.”
These tools are often easier, faster, and more convenient than the multifactor authentication procedures – such as text-based SMS codes – that employees may currently be using, the agency added.
What’s a phishing-resistant authenticator? Anything that doesn’t let an attacker use phishing to get an authenticator — like an MFA code — that goes along with users’ credentials for accessing IT systems or facilities.
That’s because threat actors are increasingly finding ways to trick employees into accidentally giving up their codes. One trick is getting victims to unwittingly install malware allowing a man-in-the-middle attack to steal the authentication code. The attacker pretends in an email to be an IT staffer with a password verification app the employee has to download. An important part of the scheme is creating a web page that looks like it was created by the employer where the app is to be downloaded. The app intercepts the employee’s username, password and authenticator code.
One of the most common examples of a phishing-resistant authenticator is the Personal Identity Verification (PIV) card used by government employees and contractors. The card has a user’s photo and biometric information like a fingerprint that are protected with public-key cryptography. Insert the card in a reader and access is granted.
Commercial examples of phishing-resistant authenticators are USB, Bluetooth or NFC-based hardware keys like the YubiKey, Google Titan key and others for multi-factor authentication. These use the FIDO Alliance U2F Open authentication standard. As a physical key, there is nothing an attacker can intercept. The user inserts the key into a USB slot on the registered device (or the device is wirelessly recognized) and then presses a button on the key — or use the included fingerprint reader — for authentication.
Any phishing-resistant authenticators must address these attack vectors associated with phishing, says NIST:
- Impersonated websites – Phishing-resistant authenticators prevent the use of authenticators at illegitimate websites (known as verifiers) through multiple cryptographic measures. This is achieved through the establishment of authenticated protected channels for communications and methods to restrict the context of an authenticator’s use. For example, this may be achieved through name binding – where an authenticator is only valid for a specific domain (I can only use this for one website). It may also be achieved through binding to a communication channel – such as in client authenticated TLS (I can only use this over a specific connection).
- Attacker-in-the Middle – Phishing-resistant authenticators prevent an attacker-in-the-middle from capturing authentication data from the user and relaying it to the relying website. This is achieved through cryptographic measures, such as leveraging an authenticated protected channel for the exchange of information and digitally signing authentication data and messages.
- User Entry – Phishing-resistant authenticators eliminate the need for a user to type or manually input authentication data over the internet. This is achieved through the use of cryptographic keys for authentication that are unlocked locally through a biometric or PIN. No user-entered information is exchanged between the relying website and the authenticator itself.
- Replay – Phishing-resistant authenticators prevent attackers from using captured authentication data at a later point in time. Supporting cryptographic controls for restricting context and preventing attacker-in-the-middle scenarios also prevent replay attacks, particularly digitally signed and time-stamped authentication and message data.
Phishing-resistant authenticators are a critical tool in personal and enterprise security that should be embraced, says NIST. “They are not,” the blog adds, “a silver bullet. Phishing-resistant authenticators only address one focus of phishing attacks – the compromise and re-use of authenticators such as passwords and one-time passcodes. They do not mitigate phishing attempts that may have alternative goals such as installing malware or compromising personal information to be used elsewhere.
“Phishing resistant authenticators should be paired with a comprehensive phishing prevention program that includes user awareness and training, email protection controls, data loss prevention tools, and network security capabilities.”