Your Complete Guide to Multifactor Authentication Methods

There are fifty shades of MFA. Which option is for you?

Online phishing scams are becoming more frequent and more sophisticated. Multi-factor authentication (MFA) is one weapon in the arsenal of cyber-defenders that can be used to prevent phishing attempts.

When asked about phishing attacks, over half (54%) of respondents to the Online Authentication Barometer, a survey published by the non-profit Fast IDentity Online (FIDO) Alliance, said they had seen an increase in suspicious messages and scams.

Meanwhile, 52% believe phishing techniques have become more sophisticated, likely due to threat actors leveraging AI to create phishing schemes and deploy phishing campaigns.

Adopting MFA as an alternative to passwords is being promoted by several cybersecurity agencies as the best way to mitigate this threat.

MFA is one of the recommended cybersecurity measures championed during Cybersecurity Awareness Month.

However, not all MFA methods are created equal, and many can still be hacked. Infosecurity has selected a comprehensive – although not exhaustive – list of MFA methods, from the least to the most secure against phishing attacks.

SMS, email and push-based MFA options, where the user receives a notification message to a secondary location to ‘Approve’ or ‘Deny’ whenever anyone tries to log on, all use one-time-passwords (OTPs).

This very convenient authentication method makes them among the most common MFA methods.

However, they are all vulnerable to basic phishing attacks involving techniques like business email compromise (BEC) or SIM-swapping.

Speaking to Infosecurity, Roger Grimes, a data-driven defence evangelist at cybersecurity awareness company KnowBe4, insisted it easy it is to hack these authentication methods. “It doesn’t take a sophisticated hacker to hack these types of MFA; you just need to follow the steps of current phishing kits,” he warned.

Grimes and other experts in the cybersecurity community are calling organizations that want to switch from password-to-MFA to adopt phishing-resistant MFA options.

Most use FIDO standard protocols based on public key cryptography.

The latest FIDO protocol is FIDO2, jointly developed by the FIDO Alliance and the World Wide Web Consortium (W3C). FIDO Alliance offers a FIDO certification for vendors to verify their FIDO-compliant solutions.

It supports a variety of authentication methods, including:

• Biometrics: Fingerprint scanners, facial recognition, iris scanners, and voice recognition.
• Security keys: Physical devices that plug into a computer or mobile device and can be used to authenticate the user.
• Embedded Secure Elements (eSEs): Secure chips that are built into many smartphones and other devices.
• Trusted Platform Modules (TPMs): Security chips that are built into many computers.

FIDO2-enabled solutions include Yubikeys, AuthN by IDEE, 1Kosmos’ BlockID, SentryCard, Transmit Security's BindID, rfIDEAS, Token Ring and Beyond Identity.

Many MFA providers advertise their products as FIDO2-enabled. However, Grimes warned that, although the FIDO Alliance offers a certification, MFA providers do not legally need it to claim their product is FIDO compatible.

“I’ve noticed many vendors mention their product is ‘FIDO2-enabled’ when it’s clearly not true. I’d suggest anyone who wants to adopt a FIDO2-enabled MFA option to turn to a reputable company,” Grimes argued.

The FIDO Alliance website provides a list of FIDO2-certified solutions. 

Outside of FIDO protocols, passkeys are usually considered to be phishing resistant.

Passkeys are a relatively new implementation of FIDO passwordless authentication, supported and used by many vendors, including Apple, Google, and Microsoft.

The latest Online Authentication Barometer showed that passkeys have grown in consumer awareness, rising from 39% in 2022 to 52% today.

According to Grimes, phishing-resistant MFA options include:

• Any solution that requires that the involved website be pre-registered to the MFA device or vice-versa.
• Any solution that requires that you log in through their required app or portal.
•  Any solution with a "second, independent channel" that is used for the authentication process and uses or transmits the correct, legitimate target website/service URL to the end-user or their MFA solution.
• Any solution with "channel binding," which ensures that any involved second or additional channels involved in the authentication process use the appropriate, authorized URL.

Read more: MFA Bypass: The Next Frontline for Security Pros

ADVERTISEMENT

Enjoyed this article? Make sure to share it!

Looking for something else?