Phishing has long been a chief attack vector for bad actors to gain access to networks and applications. And despite widespread publicity around the “evils of phishing,” it remains a problem that keeps CISOs and their security teams up at night.
So how do organizations make it more difficult, or impossible, for bad actors to launch phishing attacks that harvest passwords and other authentication information? They need to adopt something known as “phishing-resistant authentication.” It’s a strategy that reduces the number of identity thefts as well as unauthorized access to networks and applications.
Traditional authentication methods, such as passwords or SMS-based two-factor authentication (2FA), often fall short against phishing attacks. Here are some of the barriers that organizations can put between themselves and the phishers to greatly enhance security:
By ensuring that stolen information alone, such as passwords or SMS codes, is not enough for an attacker to gain access to secured resources, any of these approaches makes it much harder for phishers to succeed.
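The mechanism behind that sentence is origin binding: a security key does not hand over a reusable secret, it signs a server challenge together with the site origin the browser actually observed, so a signature produced on a lookalike site fails verification at the real one. The toy model below is an added example, not Axiad’s code or any vendor’s implementation; the origins are constructed, and an HMAC with a per-credential secret stands in for the authenticator’s public-key signature so the script runs on the Python standard library alone.

```python
"""Toy model of origin-bound (security-key style) login versus a relayable
one-time code. Added example; HMAC stands in for the public-key signature
a real authenticator would produce (assumption for stdlib-only execution)."""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://bank.example"       # constructed relying-party origin
PHISH_ORIGIN = "https://bank-example.com"   # constructed lookalike origin


class Authenticator:
    """Stands in for a security key: the credential secret never leaves it."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        cred_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, key)
        # A real key would return a public key; the shared HMAC key is the stand-in.
        return cred_id, key

    def sign(self, cred_id, challenge, origin):
        """Sign the challenge together with the origin reported by the browser.
        The origin is inside the signed data, not a free-form field."""
        rp_id, key = self._creds[cred_id]
        client_data = json.dumps(
            {"challenge": challenge, "origin": origin}, sort_keys=True
        ).encode()
        msg = hashlib.sha256(rp_id.encode()).digest() + client_data
        return client_data, hmac.new(key, msg, hashlib.sha256).digest()


class RelyingParty:
    """The web service being logged into."""

    def __init__(self, origin):
        self.origin = origin
        self.rp_id = origin.split("://", 1)[1]
        self.users = {}     # username -> {cred_id: key}
        self.pending = {}   # username -> outstanding challenge
        self.otps = {}      # username -> one-time code (contrast case)

    def register(self, username, cred_id, key):
        self.users.setdefault(username, {})[cred_id] = key

    def begin_login(self, username):
        challenge = secrets.token_hex(16)
        self.pending[username] = challenge
        return challenge

    def finish_login(self, username, cred_id, client_data, signature):
        challenge = self.pending.pop(username, None)
        key = self.users.get(username, {}).get(cred_id)
        if challenge is None or key is None:
            return False
        data = json.loads(client_data)
        if data.get("challenge") != challenge:   # replay protection
            return False
        if data.get("origin") != self.origin:    # phishing resistance
            return False
        msg = hashlib.sha256(self.rp_id.encode()).digest() + client_data
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

    # Contrast: an SMS/app code is a bare string with nothing tying it to the
    # site the user typed it into.
    def issue_otp(self, username):
        code = f"{secrets.randbelow(10**6):06d}"
        self.otps[username] = code
        return code

    def verify_otp(self, username, code):
        return self.otps.pop(username, None) == code


def run_scenarios():
    """Return (genuine key login, key login via lookalike, OTP via lookalike)."""
    rp = RelyingParty(LEGIT_ORIGIN)
    device = Authenticator()
    cred_id, key = device.register(rp.rp_id)
    rp.register("alice", cred_id, key)

    # Genuine login: the browser is on the real origin.
    ch = rp.begin_login("alice")
    cd, sig = device.sign(cred_id, ch, LEGIT_ORIGIN)
    legit = rp.finish_login("alice", cred_id, cd, sig)

    # A lookalike site forwards the real challenge, but the browser signs the
    # origin it is actually on, so the relying party rejects the assertion.
    ch = rp.begin_login("alice")
    cd, sig = device.sign(cred_id, ch, PHISH_ORIGIN)
    relayed_key = rp.finish_login("alice", cred_id, cd, sig)

    # The same relay against a one-time code succeeds: the code is the whole secret.
    code = rp.issue_otp("alice")
    relayed_otp = rp.verify_otp("alice", code)

    return legit, relayed_key, relayed_otp


if __name__ == "__main__":
    print(run_scenarios())  # (True, False, True)
```

Real browsers add a further layer the model omits: they refuse to use a credential at all when the registered relying-party identifier is not a registrable suffix of the page’s origin, so the lookalike page never even gets a signature. The server-side origin check shown here is still required, because it is the relying party, not the client, that must decide what it accepts.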
Why phishing resistance has become critical
Phishing-resistant authentication methods have become critical because of the growing sophistication of cyber threats and because of evolving industry and government mandates designed to protect sensitive information and critical infrastructure from phishing attacks. Integrating phishing-resistant authentication helps teams comply with these regulations.
The adoption of these phishing-resistant authentication methods has been further propelled by specific mandates, such as the U.S. Cybersecurity Executive Order that emphasizes the need for federal agencies to adopt secure authentication methods, including MFA and encryption.
Complying with these mandates helps to mitigate phishing and other cybersecurity risks, and also ensures that organizations can avoid potential legal and financial repercussions associated with data breaches and non-compliance.
Practical applications of phishing-resistant authentication
Companies have begun to embrace phishing-resistant authentication. For example, Google requires its employees to use physical security keys for access to its corporate resources. This move significantly reduces the risk of phishing attacks. Banks worldwide have integrated biometric authentication methods, including fingerprint and facial recognition, into their mobile banking apps. It improves user convenience compared to remembering and changing a password, and also aligns with regulatory requirements to secure customer transactions.
In other adoption moves, email encryption services such as ProtonMail use public key cryptography to secure email communications, ensuring that only the sender and intended recipient can read the contents. And SSL/TLS certificates are widely used on the internet to secure website communications. For instance, financial institutions use certificates to ensure secure connections for online banking services, protecting customer data during transmission.
By adopting such measures, organizations can enhance their security against phishing attacks and ensure compliance with relevant industry and government mandates, a move that represents just the starting point for phishing-resistant authentication. We must now foster a secure and trustworthy digital ecosystem capable of withstanding evolving cyber threats.
Bassam Al-Khalidi, chief innovation officer, Axiad