Phishing-Resistant MFA

Those who are visiting this space know that we recently joined forces with OneIDLab. If you’re deep into encryption, identity management and single sign-on (SSO), you probably already understand why it’s a big deal. This blog post is intended to be a bit of a primer in helping to explain the trends in cybersecurity that make our two companies work so well together.

So let’s talk about one of the most common cyber threats – phishing – how to layer security to protect against it, and wrap up with a simple overview of how Tozny and OneIDLab have a solution.

Security Step 1: Use a password

Let’s say your users have company email accounts, and they must use passwords to open them. That is the first level of security to prevent a cybercriminal from using a legitimate employee email address to send an invoice to the accounting department.

Attacker Step 1: Steal the password

There are two main ways that criminals get a user’s password: The user has the same (or a very similar) password on another account and that account got hacked, or the criminal tricks the user into typing the password on a (fake) website the criminal controls. That second method is phishing. Both of these approaches are low-cost and high-value, so attackers use them all the time.

Security Step 2: Use Multi-Factor Authentication (MFA)

Now the world has gotten smarter, more aware of the primary ways that users get tricked into sharing their passwords. So many organizations are adopting multi-factor authentication (MFA), which means users need more than just a password: they need a second way to show they are legitimate. Two popular forms of MFA are rotating six-digit codes called time-based one-time passwords (TOTP) – Google Authenticator is a commonly used one – and SMS, where a code is sent to the user, who enters it.

Attacker Step 2: Use a Phishing Scheme to Attack the MFA

The good news is that both TOTP and SMS provide much stronger protection for your users’ accounts, and you should implement them if possible. The bad news – they, too, are susceptible to phishing attacks.

Imagine this: the criminal has tricked a user into typing his/her password into the criminal’s website. Then they trick the user into typing the MFA code into their website. That’s not at all far-fetched. In fact, if the user’s been tricked once into providing the password, he/she is almost guaranteed to provide the MFA code, too. The code can only be used once (that is, not for multiple intrusions into your network), but that’s all right from the criminal’s point of view – depending on their objective, they only need to get inside once.

Security Step 3: Use a Token as Part of MFA*

FIDO tokens – Fast IDentity Online – are a powerful solution to phishing threats. They are most commonly a physical hardware token that a criminal would have to physically steal in order to use it. They are not susceptible to phishing attacks! Here’s why:

Go back to the previous scenario – the criminal has tricked the user into entering their password into the fake website. Then the criminal tricks the user into triggering their MFA by using the hardware token. It works – the user turns on the token and it connects to the fake website.

But the token will NOT send the MFA authentication to the attacker, because the user’s browser and token work together to prevent it! It doesn’t matter that the person has been tricked; the token can’t be tricked and can’t be phished. That’s because during enrollment of the token, the trusted website had to prove its own identity, and the credential created then is bound to that website’s address (its origin). On every later login the browser checks the address it is actually on against that binding, so the token can only be used for the legitimate website.

*Security Step 3(a): A FIDO Token Can’t be Hacked or Phished

An aside: What the criminal doesn’t know is that rather than a TOTP or SMS code generated and sent to the user for authentication, the user’s second factor is phishing-resistant. The web site proves to the browser that they are the legitimate website. This prevents the browser from authenticating to the attacker’s fake site. Then the FIDO token uses public key cryptography to prove the user’s identity to the website. In that sense, the website, browser, and token all collaborate to prove that both the user and the website are legitimate. Here’s a link if you want an in-depth technical explanation.
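To make that collaboration concrete, here is an added example in Go (not code from Tozny, OneIDLab or any FIDO implementation) that models the three parties with Ed25519 signatures: the token mints a key scoped to the site at enrollment, the browser derives the relying-party ID from the page’s real origin and signs over that origin, and the legitimate server checks both the signature and the origin inside the signed data. The rpId derivation, the constructed site names and the simplified signed message are assumptions of this model, not the FIDO wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"strings"
)

// Authenticator models a FIDO token: one key pair per relying-party ID (rpId).
type Authenticator struct{ Keys map[string]ed25519.PrivateKey }

// Register is enrollment: the token mints a key scoped to rpId and hands the
// site only the public half; the private key never leaves the token.
func (a *Authenticator) Register(rpId string) ed25519.PublicKey {
	if a.Keys == nil {
		a.Keys = map[string]ed25519.PrivateKey{}
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a.Keys[rpId] = priv
	return pub
}

// ClientData is what the browser commits to in the signed message, including
// the origin the user is actually on (not what the page claims to be).
type ClientData struct{ Type, Challenge, Origin string }

// BrowserLogin models the browser: rpId is derived from the real page origin
// (assumed here to be the host), so a look-alike domain finds no credential.
func BrowserLogin(a *Authenticator, origin, challenge string) (cd, sig []byte, err error) {
	rpId := strings.TrimPrefix(origin, "https://")
	priv, ok := a.Keys[rpId]
	if !ok {
		return nil, nil, errors.New("no credential registered for " + rpId)
	}
	cd, _ = json.Marshal(ClientData{"webauthn.get", challenge, origin})
	msg := sha256.Sum256(append([]byte(rpId), cd...)) // stand-in for authData || hash(clientData)
	return cd, ed25519.Sign(priv, msg[:]), nil
}

// ServerVerify models the legitimate site: the signature must check out under
// the enrolled public key AND the signed origin/challenge must be its own.
func ServerVerify(pub ed25519.PublicKey, rpId, origin, challenge string, cd, sig []byte) bool {
	var c ClientData
	if json.Unmarshal(cd, &c) != nil || c.Origin != origin || c.Challenge != challenge {
		return false
	}
	msg := sha256.Sum256(append([]byte(rpId), cd...))
	return ed25519.Verify(pub, msg[:], sig)
}
```

Compare this with a TOTP code: a six-digit code typed into the fake site can be relayed to the real one unchanged, whereas here the fake site’s origin yields no assertion at all, and an assertion captured elsewhere carries the wrong origin or challenge and fails verification.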

Attacker Step 3: Move on to a Softer Target

Attackers of any stripe, whether hackers, criminals or even nation-states, will stop phishing for that user’s MFA. Most phishing attacks are like hit-and-run crimes; the attacker wants to get in and get out quickly, with a minimum amount of effort. They aren’t going to take the time or effort to search for another way into the network using that user’s credentials. And if all the users on that system have FIDO tokens, the attacker won’t get in. Your network has become too much of a headache to bother with.

So How Does This Explain the Tozny-OneIDLab Merger?

Tozny already provides an identity management platform, with SSO, integrated into our end-to-end encryption platform. Even for password login to our SSO system, we use advanced encryption to protect your users’ passwords from ever going out onto the network.

With the merger of Tozny and OneIDLab, we’ve added TozCard to our product lineup. This FIDO token has cryptographic authentication, anti-phishing protections and an outstanding card form factor so the token can be an ID card or kept in users’ wallets. It incorporates Bluetooth, USB-C and NFC for FIDO login, and it works with Tozny’s own SSO or any FIDO-compliant login.

Our identity management platform is built for rapid, flexible deployment of TozCards. This allows IT administrators to securely manage hardware and software credentials quickly with Tozny’s cloud-based platform. The combination of the platform and TozCard delivers complete lifecycle management, including on-boarding, off-boarding and recovery – which solves the challenges of self-provisioning and management of the tokens.

Next Steps

We’re going to use this blog on a regular basis to explain the ins and outs of cybersecurity, the kinds of threats that are emerging and the approaches that will counter those threats. We’re certainly going to use the opportunity to explain how Tozny addresses the hostile internet landscape – but we also promise to use this space to give readers a better understanding of what those threats are and how they can respond to them.

You can follow us on Twitter (@tozny), LinkedIn (@tozny) and on Facebook (@toznyllc). We look forward to hearing from you.