Passwords are ingrained in enterprises with traditional identity lifecycle stages, which exposes them to increasingly sophisticated cyber attacks that rely on stolen login credentials for success like phishing. Phishing is one of the greatest cybersecurity risks that enterprises face – in fact, stolen passwords are one of the largest threat vectors compromising online security today with over 80% of all security breaches resulting from stolen login credentials. Further driven by an uptick in the use of AI-driven cyber attacks, enterprises are facing persistent threats from phishing attacks which specifically target the registration, authentication, and recovery processes of employees.
Despite organizations aiming to improve their cyber defense by implementing multi-factor authentication (MFA), phishing remains a significant challenge – requiring a more proactive cybersecurity approach. While any form of MFA is better than a password, not all forms of MFA are created equal. Legacy MFA approaches, such as SMS and mobile authenticator apps, are broken and have been proven repeatedly to be easily bypassed by malicious actors and also causes user MFA fatigue due to the recurring instances of the user having to make authentication decisions and typing in ever changing codes.
Phishing-resistant MFA is the latest authentication method that many organizations are looking to implement because it is proven to prevent phishing attacks every time and also reduces the burden on users to make the right choices and not hand over their credentials during a phishing attempt. In fact, important government mandates have come in place for government agencies and private sector organizations to harden cybersecurity with phishing-resistant MFA. Phishing-resistant MFA solutions like the YubiKey mitigate attackers intercepting or tricking users into revealing access information by requiring each party provide evidence of their identity, as well as communicate their intention to initiate authentication via deliberate action.
The prevalence of phishing attacks in the enterprise via tactics like social engineering calls to the helpdesk (among many other methods) can not only hijack the user registration process, but also ongoing authentication and account recovery processes in the event of a lost or stolen device. With recent advancements in passwordless – and new on-device authentication solutions – the way an organization can establish and manage a user’s identity credential throughout its lifecycle has evolved to address these increasing challenges. In order to truly prevent phishing attacks, organizations must do more than just invest in phishing-resistant authentication – they must instead focus on developing phishing-resistant users.
What delivering phishing-resistant users looks like in practice
Phishing-resistant users is not just a reactive measure, but a proactive enterprise strategy aimed at removing the risk of phishing by eliminating all phishable events from the entire user lifecycle. The primary security control for enterprises has traditionally been to prevent phishing at the time of authentication. However, as enterprises are now rolling out phishing-resistant authentication, user accounts have entered a hybrid state with both phishable and phishing-resistant credential types available.
This requires enterprises to elevate the processes for issuing credentials, registering devices, and signing into passkey providers to meet the same bar as the authentication controls that have been in place. For point-in-time authentication policies to be effective, enterprises must ensure that the users have the right type of authenticators, credentials, and processes for every stage of the account lifecycle.
Given that users often move across platforms (i.e. Apple, Google, Microsoft), devices (smartphones, laptops, tablets) and between personal and corporate apps and services in the course of their day, many conventional authentication techniques are inherently phishable. And organizations often temporarily default to phishable user registration, and account recovery methods when a user is first being on-boarded or when their device is lost or stolen, creating convenient points in time for a phishing attack to take hold. This piecemeal approach to authentication exacerbates the challenge for enterprises in consistently safeguarding their systems and data, and even staying in compliance.
Traditional security measures like phishable MFA (i.e. SMS, push notifications and one-time passcodes) and heavy reliance on user education are insufficient against sophisticated phishing tactics, highlighting the need for stronger defenses and a new mindset and approach around building a phishing-resistant enterprise. This is why enterprises need to instead think of equipping their users with the type of authentication that offers phishing-resistance no matter which business scenario they are engaged in or platforms or devices they are using.
The only effective approach to removing phishing from an organization’s threat landscape is to ensure that every user and process within the organization becomes phishing-resistant. Secure authentication that moves with users across all devices, platforms, and services no matter how they work is not a luxury, but a necessity in today’s fast-moving digital landscape. Phishing-resistance in registration, authentication, and recovery processes are mandatory for cultivating phishing-resistant users, and it all starts and ends with deploying the highest-assurance modern hardware security keys: YubiKeys.
To create phishing-resistant enterprises, organizations must develop phishing-resistant users by implementing the following across all users:
- To achieve maximum security, equip all users with phishing-resistant MFA and deploy purpose-built and portable hardware security keys as the primary authenticator.
- Establish phishing-resistant account registration and user recovery procedures for all, utilizing purpose-built and portable hardware security keys as the foundation for the highest-assurance security.
- Employ technology-driven solutions that minimize the reliance on user education, while also providing essential education on the principles and benefits of phishing-resistant MFA for both corporate and personal use.
By fostering phishing-resistant users, built on the foundation of the highest-assurance hardware security keys for all users across the entire organization, enterprises enhance cybersecurity resilience, minimize reliance on reactive measures, and effectively safeguard sensitive data and operations. The cornerstone of building such resilience lies in fostering a culture of phishing-resistant users, with YubiKeys as the essential starting and ending point.
Stay tuned for our next blog post which will detail how organizations can deploy phishing-resistant user strategies effectively. Check out our recent on-demand webinar to learn more about navigating passkeys to passwordless security at scale and user lifecycle considerations for achieving a successful passwordless rollout at scale.