Phishing attacks are a tool of choice for criminals because they are easy to conduct and often effective. To keep such attacks from harvesting sensitive data, organizations should consider deploying phishing-resistant authenticators. These include PIV cards and FIDO authenticators used through the W3C Web Authentication API (WebAuthn), which protect each authentication event with public-key cryptography: the private key stays on the authenticator, is unlocked locally by a biometric or PIN, and the user never types a secret that a spoofed site could capture. These tools close one avenue for phishing; other measures are still needed for comprehensive protection against the remaining attack vectors.
Phishing is a type of attack in which an impostor attempts to obtain sensitive data from victims by impersonating websites, using attacker-in-the-middle techniques, and/or relaying or replaying messages. It takes multiple forms, such as spear phishing, which targets specific individuals within an organization, and whaling, which targets senior executives.
Phishing attacks may come via email, voice call (vishing), text message (smishing) and more.
Phishing has become a popular tool for criminals and nation states alike to harvest passwords, PINs, one-time passcodes and other sensitive information. The Verizon 2022 Data Breach Investigations Report recognizes this threat, listing phishing and stolen credentials as two of its four “key paths” into an organization; phishing-resistant authentication addresses both.
In response to this risk, Office of Management and Budget Memorandum M-22-09 moves federal agencies towards zero trust cybersecurity principles that prioritize the implementation of phishing-resistant authenticators.
“These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. The guidelines cover identity proofing and authentication of users (such as employees, contractors, or private individuals) interacting with government information systems over networks. They define technical requirements in each of the areas of identity proofing, registration, authenticators, management processes, authentication protocols, federation, and related assertions.”
NIST Draft Revision 4 of SP 800-63, Digital Identity Guidelines, released for comment on December 16, 2022
The Federal Government requires agencies to transition to a “zero trust” approach in order to protect critical systems and data. The strategy centers on stronger enterprise identity and access controls, including multi-factor authentication (MFA); encryption of all network traffic, internal traffic included, with users and devices authenticated as early in a session as possible; applications made securely available over the internet; data and security teams working together on automated security rules based on protection needs; and external partners scrutinizing agency applications.
This strategy will help reduce uncertainty in implementing Executive Order 14028 by strengthening information security norms throughout the Federal enterprise.
Protect Your Organization
To keep authentication secrets from falling into the wrong hands, use phishing-resistant authenticators, which have built-in measures to detect and prevent disclosure of those secrets.
These measures should address the attack vectors associated with phishing: interception, imitation/spoofing, malware injection and credential theft.
Authenticators protect against phishing by establishing an authenticated protected channel and by restricting where an authenticator can be used. NIST SP 800-63B describes two ways to do the latter: verifier name binding, which ties the authenticator output to the name (domain) of the verifier it was registered with, and channel binding through client-authenticated TLS, which ties it to a specific connection.
Phishing-resistant authenticators use cryptography to protect authentication data from attackers-in-the-middle: the exchange runs over an authenticated protected channel, and the authentication data itself is digitally signed, so a relay cannot alter it without detection.
The cryptographic keys are unlocked locally, by a biometric or PIN, so neither the private key nor the unlocking secret leaves the device, and the user never types a secret into a web page that a spoofed site could capture.
Replay is prevented because each authentication signs fresh, server-issued data: the verifier sends a random challenge (and may time-stamp the message), the authenticator signs it, and the verifier accepts each challenge only once, so a captured response cannot be submitted a second time.
Phishing-resistant authenticators are methods of authentication that hold up against phishing attempts. Examples include U.S. federal employee Personal Identity Verification (PIV) cards, and FIDO authenticators used with the W3C Web Authentication API (WebAuthn), whether as a separate hardware key or built into devices such as phones and laptops.
Organizations should use phishing-resistant authenticators for applications that protect sensitive information or serve users with elevated privileges, and individuals should check the security settings of their online accounts to see whether these options are available.