The Importance of Phishing Resistant Authenticators in Protecting Sensitive Data


Phishing attacks are a tool of choice for criminals because they’re easy to conduct and often effective. To keep such attacks from harvesting sensitive data, organizations should consider implementing phishing resistant authenticators. These include PIV cards, FIDO authenticators, and Web Authentication APIs that protect authentication events with public-key cryptography or biometric/PIN unlocks so that no user-entered information is exchanged over the internet. While these tools can help secure one aspect of phishing, other measures must be taken to ensure comprehensive protection against all attack vectors.

Phishing is a type of attack in which an impostor attempts to obtain sensitive data from victims by impersonating websites, using attacker-in-the-middle techniques, and/or relaying or replaying messages. It can take multiple forms, such as spear phishing, which targets individuals within organizations, and whaling, which targets senior executives.

Phishing attacks may come via email, voice call (vishing), text message (smishing) and more.

Phishing attacks have become a popular tool used by criminals and nation states alike to harvest passwords, PINs, one-time passcodes, or other sensitive information. This threat is recognized in the Verizon 2022 Data Breach Investigations Report, which lists phishing as two of its four “key pathways” for breach prevention.

In response to this risk, the Office of Management and Budget’s Memo 22-09 pushes organizations towards Zero Trust Cybersecurity Principles that prioritize implementation of phishing resistant authenticators.

“These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. The guidelines cover identity proofing and authentication of users (such as employees, contractors, or private individuals) interacting with government information systems over networks. They define technical requirements in each of the areas of identity proofing, registration, authenticators, management processes, authentication protocols, federation, and related assertions.”

NIST Draft Revision 4 of SP 800-63: Digital Identity Guidelines, released for comment on December 16, 2022

The Federal Government insists organizations must transition to a “zero trust” approach in order to protect critical systems and data. This strategy focuses on stronger enterprise identity and access controls, including multi-factor authentication (MFA), network encryption of all traffic (including internal) that is authenticated as soon as possible, applications securely available over the internet, data/security teams working together for automated security rules based on protection needs, and external partners scrutinizing agency applications.

This strategy will help reduce uncertainty with implementing EO 14028 by strengthening information security norms throughout the Federal enterprise.

Protect Your Organization

To keep keys from falling into the wrong hands, use phishing resistant authenticators which have built-in measures to detect and prevent disclosure of authentication secrets.

These measures should address potential attack vectors associated with phishing such as interception, imitation/spoofing, malware injection and credential theft.

Impersonated Websites

Authenticators can be used to protect against phishing by establishing protected channels for communication and restricting an authenticator’s use. This may be done through name binding, which restricts its usage to a specific domain, or client authenticated TLS, which limits it to a specific connection.

Attacker-in-the-Middle

Phishing resistant authenticators use cryptographic measures to protect authentication data from attackers-in-the-middle: they provide an authenticated protected channel for the exchange of information and digitally sign authentication data.

User Entry

Phishing resistant authenticators use cryptographic keys for authentication that are unlocked locally (via biometric or PIN) so no user data is shared over the internet, eliminating the need for manual input.


Phishing resistant authenticators and cryptographic controls, such as digitally signed and time-stamped authentication and message data, can help prevent replay attacks.
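The name binding, signed authentication data and replay protection described in the sections above, shown as the checks a relying party runs on a WebAuthn-style assertion. This is an added Node.js example, not code from the article or from any vendor; the host names, helper functions and the simulated authenticator are constructed for illustration.

```javascript
// Added example: relying-party checks on a WebAuthn-style assertion (Node.js).
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();
const RP_ID = 'login.example.com';              // constructed relying-party ID
const RP_ORIGIN = 'https://login.example.com';  // constructed origin

// Client data as the browser would build it; the origin is set by the client, not typed by the user.
const clientData = (origin, challenge) => Buffer.from(JSON.stringify(
  { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));

// Simulated authenticator (assumption): signs authenticatorData || SHA-256(clientDataJSON).
function makeAssertion(privateKey, origin, challenge) {
  const clientDataJSON = clientData(origin, challenge);
  // rpIdHash (32 bytes) | flags: UP 0x01 + UV 0x04 | signature counter (4 bytes)
  const authenticatorData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: sign('sha256', signed, privateKey) };
}

// Relying-party side: returns 'ok' or the name of the first check that failed.
function verifyAssertion(a, publicKey, expectedChallenge) {
  const cd = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (cd.type !== 'webauthn.get') return 'wrong type';
  if (cd.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (cd.origin !== RP_ORIGIN) return 'origin mismatch';                  // name binding
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const { privateKey, publicKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const challenge = randomBytes(32);            // fresh per login, single use
  const genuine = makeAssertion(privateKey, RP_ORIGIN, challenge);
  // Ceremony that ran on a look-alike origin (constructed name) and was forwarded to the real site.
  const forwarded = makeAssertion(privateKey, 'https://login.example.com.lookalike.test', challenge);
  // Same forwarded assertion with the origin field rewritten in transit.
  const rewritten = { ...forwarded, clientDataJSON: clientData(RP_ORIGIN, challenge) };
  return {
    genuine: verifyAssertion(genuine, publicKey, challenge),
    lookalike: verifyAssertion(forwarded, publicKey, challenge),
    rewritten: verifyAssertion(rewritten, publicKey, challenge),
    replayed: verifyAssertion(genuine, publicKey, randomBytes(32)),  // old assertion, new challenge
  };
}

console.log(demo());
```

In a browser, the client also refuses to use a credential whose relying-party ID does not match the page's domain, so the look-alike case is normally stopped before the relying party ever sees an assertion.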

Phishing resistant authenticators are secure methods of authentication that protect against malicious phishing attempts. Examples of these authenticators include U.S. federal employee Personal Identity Verification (PIV) cards, as well as FIDO paired with W3C’s Web Authentication API, which can be found in hardware keys or embedded directly into devices such as phones and laptops.

Organizations should use phishing resistant authenticators for applications that protect sensitive information or users with elevated privileges, and individuals should explore the security settings of their online accounts to see if these tools are available.


About the Author

Katrina Pfitzner

Katrina is a developer, designer, author, and thought leader on topics including Business Intelligence and Data. For more from Katrina, find her on Twitter and follow her on Medium.
