What is Phishing Resistant Multi-Factor Authentication?

Posted on 02/01/2024 (updated 16/12/2025) by Temitope Odemo

Authentication is the process of confirming someone’s identity: confirming that you are the person you claim to be. Each time you access an account on a website or an application with your username and password, you are going through an authentication process. In this guide, you will learn what phishing-resistant multi-factor authentication is. Please also see how to Export and remove Passwords in Firefox, and how to Install PostgreSQL on Windows server as Veeam Database Engine.

Authentication is usually used together with authorization, but the two are different. Authentication confirms your identity; authorization then determines what you can and cannot do in the application, that is, the permissions you have to access a system resource. Please see the image below for more information.

[Image: What-is-Phishing-Resistant-MFA]

You can further read about How to implement Interactive Authentication using MSAL dotNET. Also see How to Change Two-Factor Authentication Methods in Microsoft 365/Office 365, and How to Set Two-Factor Authentication for SSH in Linux.

What is the Problem with Authentication?

Authentication is usually a combination of a username and a password used to confirm your identity. But that is not enough to guarantee your account is secure: both the username and the password can be compromised by cyber attackers.

Sadly, there are multiple ways a password can be compromised. For example, an attacker can use a password-phishing website to harvest your passwords, or keystroke-logging malware that records them. Many people still use weak passwords that are easy to guess, and reuse the same password across different platforms.

While passwords have been used as a form of security for many years, they have proven weak when used alone as a form of authentication.

Please, see Why Software KVMs such as Synergy is replacing Hardware KVMs, and Migrate Veeam One Database from SQL Server 2017 to 2025.

Why is 2FA or MFA Not Strong Enough?

2FA stands for two-factor authentication and MFA for multi-factor authentication. Before you can access an account or application, you must go through more than one authentication step, not just supply your username and password. The 2FA and MFA security approaches work the same way.

After these security flaws were identified, a far stronger form of authentication was needed. This brought about two-factor authentication, which combines something you know (your password) with something you have (your mobile device) or something you are (biometrics).

Assume your password has been compromised. The attacker will still find it difficult to access your account, because another form of authentication remains: your mobile device, which only you have access to.

Another good example is your ATM card. Someone can only use it if they know your PIN and also have the card itself. This approach is much better than password-only authentication, and it is what many organizations still adopt today.

Just as new security approaches keep coming out, cyber attackers keep inventing new strategies to compromise them, and this has exposed some problems with the 2FA approach.

[Image: What-is-Phishing-Resistant-MFA-2FA]

What are the Problems with Two-factor or Multi-factor authentication?

Whether 2FA or MFA, they follow the same pattern: you first log in to your account with your username and password, and then one of the following happens:

  1. An OTP code is sent to your mobile device.
  2. An OTP code is generated in a mobile app, such as an authenticator app, on your mobile device.
  3. A call is placed to your phone to deliver the OTP.

There are several ways to set up MFA, but the security flaw in all of these is that human interaction is required. Wherever a person has to read a code and type it in, an element of phishing is possible: a cyber attacker can position themselves in the middle of the authentication process.

After a user logs in to an application and supplies the MFA code to complete the authentication process, that same MFA code can be captured by a cyber attacker and used to compromise the user’s account. This means that this style of MFA is very phishable.

[Image: What-is-Phishing-Resistant-MFA-OTP]

This article is not saying that the MFA approach is no longer secure; it is still far better than password-only authentication.

And we are not saying you should stop using it. Rather, the MFA approach can be improved upon, because cyber attackers will continue to get better at exploiting the human side of it. That is why we shall be talking about phishing-resistant MFA.

What is Phishing Resistant Multi-factor Authentication?

Phishing-resistant multi-factor authentication follows the same overall process described above. What is different is that no human has to read and relay a code, so there is nothing for an attacker in the middle to capture. The approach used is called FIDO.

FIDO is a standard created by the FIDO Alliance, a non-profit organization made up of members from organizations all over the world.

FIDO stands for Fast IDentity Online. It is a set of open, standardized authentication protocols intended to remove the use of passwords, which from a security perspective can now be considered outdated and no longer effective.

Big organizations like Google, Amazon, Microsoft, and Apple have adopted this FIDO security approach, which is designed and implemented with the help of the WebAuthn standard. See also How to use a Fido Certified U2F Key for Authentication.

How does Phishing Resistant MFA work?

FIDO authentication uses standard public-private key cryptography to provide phishing-resistant authentication. When you register on an application using your device, the device creates a new cryptographic key pair that is bound to the web service you registered on.

Your device retains the private key and registers the public key with the online service. This key pair is called a passkey: the private key stays on your device, and only the corresponding public key is sent to the online service.

When you later log in, the device proves that it holds the private key created during registration (by signing a challenge from the service) before authentication can succeed; the private key itself is never sent.

Note that the private key can only be used after you unlock the device, for example with a biometric such as a fingerprint, a PIN, or an external device such as a biometric reader.

These cryptographic key pairs, called passkeys, are unique to every online service; no two services ever share the same passkey the way a password is often reused. Passkeys are resistant to phishing attacks and stronger than passwords, and they are designed so that their secrets are never shared with another person or another device.

[Image: What-is-Phishing-Resistant-FIDO]

Note that phishing-resistant MFA is a very strong authentication mechanism that is highly resistant to phishing attacks. But there are other phishing attacks, e.g. email phishing, that have nothing to do with authentication.

FAQs

What is considered phishing-resistant MFA?

Phishing-resistant MFA means using authentication methods that resist MFA bypass attacks. It uses FIDO authentication, which relies on standard public-private key cryptography to provide phishing-resistant authentication.

What are the three authentication methods available for MFA?

1. Something you know, like a password or PIN.
2. Something you have, like your smartphone.
3. Something you are, like a biometric (fingerprint or voice recognition).

I hope you found this blog post on What is Phishing Resistant Multi-Factor Authentication? interesting and helpful. In case you have any questions, do not hesitate to ask in the comment section.


Thank you for reading this post. Kindly share it with others.
