If you own a computer, watch the news, or spend virtually any time online these days you have probably heard the term “phishing.” Never in a positive context…and possibly because you have been a victim yourself.
Phishing refers to a variety of attacks that are intended to convince you to forfeit sensitive data to an imposter. These attacks can take a number of different forms, from spear-phishing (which targets a specific individual within an organization) to whaling (which goes one step further and targets senior executives or leaders). Furthermore, phishing attacks take place over multiple channels or even across channels, from the more traditional email-based attacks to those using voice – vishing – to those coming via text message – smishing. Regardless of the type or channel, the intent of the attack is the same – to exploit human nature to gain control of sensitive information (citation 1). These attacks typically make use of several techniques, including impersonated websites, attacker-in-the-middle, and relay or replay, to achieve their desired outcome.
Due to their effectiveness and simplicity, phishing attacks have rapidly become the tool of choice for baddies everywhere. As a tactic, it is used by everyone from low-level criminals looking to commit fraud to sophisticated nation-state attackers seeking a foothold within an enterprise network. And, while almost any kind of information can be targeted, often the most damaging attacks focus on your password, PIN, or one-time passcodes – the keys to your digital realm. The combination can be catastrophic. The Verizon 2022 Data Breach Investigations Report lists phishing and stolen credentials (which may be harvested during phishing attacks) as two of the four “key pathways” that organizations must be prepared to address in order to prevent breaches (citation 2). In recognition of the threat posed by phishing, the Office of Management and Budget’s Memo 22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” prioritizes implementation of phishing resistant authenticators (citation 3).
So – how do you keep your keys from falling into the wrong hands? What constitutes a phishing resistant authenticator? NIST Special Publication DRAFT 800-63-B4 defines it as “the ability of the authentication protocol to detect and prevent disclosure of authentication secrets and valid authenticator outputs to an impostor relying party without reliance on the vigilance of the subscriber.” To achieve this, phishing resistant authenticators must address the following attack vectors associated with phishing:
- Impersonated Websites – Phishing resistant authenticators prevent the use of authenticators at illegitimate websites (known as verifiers) through multiple cryptographic measures. This is achieved through the establishment of authenticated protected channels for communications and methods to restrict the context of an authenticator’s use. For example, this may be achieved through name binding – where an authenticator is only valid for a specific domain (I can only use this for one website). It may also be achieved through binding to a communication channel – such as in client authenticated TLS (I can only use this over a specific connection).
- Attacker-in-the-Middle – Phishing resistant authenticators prevent an attacker-in-the-middle from capturing authentication data from the user and relaying it to the relying website. This is achieved through cryptographic measures, such as leveraging an authenticated protected channel for the exchange of information and digitally signing authentication data and messages.
- User Entry – Phishing resistant authenticators eliminate the need for a user to type or manually input authentication data over the internet. This is achieved through the use of cryptographic keys for authentication that are unlocked locally through a biometric or PIN. No user-entered information is exchanged between the relying website and the authenticator itself.
- Replay – Phishing resistant authenticators prevent attackers from using captured authentication data at a later point in time. Supporting cryptographic controls for restricting context and to prevent attacker-in-the-middle scenarios are also preventative of replay attacks, particularly digitally signed and time-stamped authentication and message data.
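As an added illustration (not code from the original post), the following Go model shows how a WebAuthn-style relying party enforces the name binding, attacker-in-the-middle, and replay protections listed above: the browser records the origin it really loaded, the relying party compares it with its own identity, checks that the challenge is the one it just issued, and verifies the authenticator's signature over both. The domain names, challenge strings, and simplified message layout are constructed assumptions; a real browser additionally refuses to use a credential whose RP ID does not match the page origin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)
type clientData struct{ Challenge, Origin string } // the browser, not the page, records the origin it loaded
type Assertion struct{ ClientDataJSON, AuthData, Sig []byte } // simplified WebAuthn login response (constructed model)
// signedMessage is what the authenticator signs: SHA256(authData || SHA256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return digest[:]
}
// Authenticate plays browser + authenticator for one login; origin is whatever site the user is actually on.
func Authenticate(priv *ecdsa.PrivateKey, rpID, origin, challenge string) Assertion {
	cd, _ := json.Marshal(clientData{challenge, origin})
	rpHash := sha256.Sum256([]byte(rpID)) // real authenticatorData also carries flags and a signature counter
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpHash[:], cd))
	return Assertion{cd, rpHash[:], sig}
}
// Verify is the relying party: name binding (origin, rpIdHash), freshness (challenge), integrity (signature).
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, a Assertion) error {
	var cd clientData
	want := sha256.Sum256([]byte(rpID))
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Origin != origin || string(a.AuthData) != string(want[:]) {
		return errors.New("name binding failed: credential presented to an impersonated site")
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Sig) {
		return errors.New("bad signature: assertion altered in transit")
	}
	return nil
}
func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rp, origin := "login.example", "https://login.example" // constructed names
	good := Authenticate(priv, rp, origin, "challenge-1")
	fmt.Println(Verify(&priv.PublicKey, rp, origin, "challenge-1", good)) // <nil>: legitimate login
	fmt.Println(Verify(&priv.PublicKey, rp, origin, "challenge-1", Authenticate(priv, rp, "https://evil.example", "challenge-1"))) // proxied through a phishing site
	fmt.Println(Verify(&priv.PublicKey, rp, origin, "challenge-2", good)) // old assertion replayed against a new challenge
}
```

Because the signature covers the hash of clientDataJSON, an intermediary cannot rewrite the recorded origin without invalidating the assertion, which is what removes any reliance on the user noticing the fake site.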
As complicated as this may seem, there are several practical examples of phishing resistant authenticators in place today. For U.S. federal employees, the most ubiquitous form of phishing resistant authenticator is the Personal Identity Verification (PIV) card, which leverages public-key cryptography to protect authentication events. Commercially, FIDO authenticators paired with W3C’s Web Authentication API are the most common form of phishing resistant authenticators widely available today. These can take the form of separate hardware keys or be embedded directly into platforms (for example, your phone or laptop). The availability, practicality, and security of these “platform authenticators” increasingly put strong, phishing resistant authenticators into users’ hands without the need for additional form factors or dongles.
Not every transaction requires phishing resistant authenticators. However, for applications that protect sensitive information (such as health information or confidential client data) or for users that have elevated privileges (such as admins or security personnel) organizations should be enforcing, or at least offering, phishing resistant authenticators. Individuals should explore the security settings for their more sensitive online accounts to see if phishing resistant authenticators are available and make use of them if they are. In reality, these tools are often easier, faster, and more convenient than the MFA – such as SMS text codes – they may currently be using.
In the end, phishing resistant authenticators are a critical tool in personal and enterprise security that should be embraced and adopted. They are not, however, a silver bullet. Phishing resistant authenticators only address one focus of phishing attacks – the compromise and re-use of authenticators such as passwords and one-time passcodes. They do not mitigate phishing attempts that may have alternative goals such as installing malware or compromising personal information to be used elsewhere. Phishing resistant authenticators should be paired with a comprehensive phishing prevention program that includes user awareness and training, email protection controls, data loss prevention tools, and network security capabilities.