Phishing is a type of cyberattack in which hackers steal users' sensitive information by sending convincing fraudulent emails or messages containing malicious links in disguise. There are many types of popular phishing attacks, namely email phishing, spear phishing, whaling, smishing, and vishing.
A study by Valimail, an email security company, indicates that approximately 3 billion malicious emails are sent daily, which accounts for nearly 1% of all emails sent.
Phishing, unlike most cyberattacks, directly interacts with users and exploits their lack of discernment. In the case of other cyberattacks, like brute-force and dictionary attacks, IT admins can intervene and deploy mechanisms to defend against them. But, in phishing, the success of the attack and the security of an organization depends solely on users and their ability to distinguish and dodge these attacks.
Phishing attacks are cleverly devised to trick users. To ensure that there is a certain degree of truth in the messages, attackers throw disinformation into the mix—like creating a fake scenario that mentions the correct names of people or locations associated with the targeted victim. Phishing emails or messages will aim at creating a sense of urgency in users. In their panic, users fail to validate the authenticity and logic of the message and fall victim to the attack.
Phishing-resistant multi-factor authentication (MFA) is an identity verification technology which is not susceptible to phishing attacks. This is because, contrary to traditional MFA methods like SMS OTPs and push notifications, phishing-resistant MFA does not require action from the user, removing the vulnerable human element from the MFA process.
The US Federal Government's Zero Trust strategy talks about two phishing-resistant MFA technologies: the FIDO2 WebAuthn standard and PIV smart cards. These technologies utilize asymmetric cryptography principles and respond solely to valid authentication requests while also verifying user intent throughout the authentication process.
The FIDO standard was created by the FIDO Alliance, a non-profit consortium consisting of several organizations worldwide. In FIDO2-based authentication technology, the identity provider (IdP) creates a unique cryptographic key pair, also known as asymmetric or public-key cryptography, for the device (mobile device or special token, like YubiKey) that a user enrolls with. Based on this key pair, the IdP can know and trust the device, and all communication to and from the device will be recognized as legitimate and not from a malicious actor. But, since there is a possibility of the device being stolen, biometric authentication is mandated on top of this process. This means that from the user's perspective, biometric authentication will be perceived as the only identity verification method involved.
The personal identity verification (PIV) standard is quite similar to the FIDO2 standard and uses smart cards to provide secure phishing-resistant MFA.
ManageEngine ADSelfService Plus offers adaptive MFA with with 19 different authenticators, including the phishing-resistant smart card authenticator. You can deploy MFA to secure on-premise and cloud application logins, machines, VPNs, OWA, and self-service password management activities. With ADSelfService Plus, you can customize the MFA authentication flow for different user accounts based on their OU and group memberships, so you can more tightly secure privileged accounts and activities from cyberthreats.
Choose from nearly 20 different authenticators, including phishing-resistant authenticators, to verify your users' identities.
Set up different MFA flows for different groups or departments in your organization.
Create your own rules based on which adaptive authentication takes place.
Choose from a wide range of conditions, such as IPs, business hours, and geolocation.
Tailor MFA for users based on their privileges and choose from nearly 20 different authenticators to do so.
Enable context-based MFA with 19 different authentication factors for endpoint and application logins.Learn more
Allow users to access all enterprise applications with a single, secure authentication flow.Learn more
Enhance remote work with cached credential updates, secure logins, and mobile password management.Learn more
Establish an efficient and secure IT environment through integration with SIEM, ITSM, and IAM tools.Learn more
Delegate profile updates and group subscriptions to end users and monitor these self-service actions with approval workflows.Learn more
Create a Zero Trust environment with advanced identity verification techniques and render your networks impenetrable to threats.Learn more