ITBusiness.ca

Use these phishing-resistant authenticators, says NIST


Want to stop hackers from using phishing as leverage to get into your IT environment? Start using phishing-resistant multifactor authenticators such as hardware keys and identity verification cards.

That’s the advice of the U.S. National Institute of Standards and Technology (NIST).

“Not every transaction requires phishing-resistant authenticators,” the agency said in a blog last week. “However, for applications that protect sensitive information (such as health information or confidential client data), or for users that have elevated privileges (such as admins or security personnel), organizations should be enforcing, or at least offering, phishing-resistant authenticators.”

These tools are often easier, faster, and more convenient than the multifactor authentication procedures – such as text-based SMS codes – that employees may currently be using, the agency added.

What’s a phishing-resistant authenticator? Anything that doesn’t let an attacker use phishing to get an authenticator — like an MFA code — that goes along with users’ credentials for accessing IT systems or facilities.

That’s because threat actors are increasingly finding ways to trick employees into unknowingly giving up their codes. One trick is getting victims to unwittingly install malware that enables a man-in-the-middle attack to steal the authentication code. The attacker pretends in an email to be an IT staffer and says the employee has to download a password verification app. An important part of the scheme is creating a download page that looks like it was built by the employer. Once installed, the app intercepts the employee’s username, password and authenticator code.

One of the most common examples of a phishing-resistant authenticator is the Personal Identity Verification (PIV) card used by government employees and contractors. The card has a user’s photo and biometric information like a fingerprint that are protected with public-key cryptography. Insert the card in a reader and access is granted.

Commercial examples of phishing-resistant authenticators are USB, Bluetooth or NFC-based hardware keys, such as the YubiKey, Google Titan key and others, used for multi-factor authentication. These use the FIDO Alliance’s open U2F authentication standard. Because the key is a physical device, there is nothing for an attacker to intercept. The user inserts the key into a USB slot on the registered device (or the device recognizes it wirelessly) and then presses a button on the key — or uses the included fingerprint reader — to authenticate.

Any phishing-resistant authenticator must address these attack vectors associated with phishing, says NIST:

Phishing-resistant authenticators are a critical tool in personal and enterprise security that should be embraced, says NIST. “They are not,” the blog adds, “a silver bullet. Phishing-resistant authenticators only address one focus of phishing attacks – the compromise and re-use of authenticators such as passwords and one-time passcodes. They do not mitigate phishing attempts that may have alternative goals such as installing malware or compromising personal information to be used elsewhere.

“Phishing resistant authenticators should be paired with a comprehensive phishing prevention program that includes user awareness and training, email protection controls, data loss prevention tools, and network security capabilities.”
