top of page
Blog article

Blog article

What is a Phishing-resistant MFA?

Are you taking measures against the theft of authentication information through phishing attacks? "Theft of personal information through phish" has been ranked as a threat to individuals for six consecutive years in the "Top 10 Information Security Threats 2024" published by IPA. Phishing is an attack that leads users to a fake website with a similar URL and steals personal or authentication information. There has been a steady stream of incidents of phishing attacks where thieves log into web services using stolen authentication information and obtain money through fraudulent transfers. Setting up MFA (multi-factor authentication) is one effective way to counter phishing attacks. However, in recent years, there have been cases where MFA has been breached by attacks that trick users into performing MFA and steal authentication and session information. So, what kind of MFA can be said to be resistant to phishing? Let me explain with some images.


Increasingly sophisticated phishing attacks


Many people have already implemented traditional MFA using time-based one-time passwords (TOTP) or SMS as a countermeasure against phishing attacks. However, as attack methods become more sophisticated, there are cases where MFA is breached. I will explain this using the image below.

Examples of traditional MFA being victimized by phishing

  1. The attacker prepares a fake website (phishing website) that acts as a relay server between the official website and the user and sends the user an email directing the user to the fake website.


  2. The user accesses the fake website "login.yubi0n.com" and enters login information (ID/password).

  3. The fake website that receives the login information forwards it to the official website "login.yubion.com". ※ The fake website only relays communication between the user and the official website. So the user feels as if they are logging in to the official website.

  4. The official website requests an MFA. Here, it sends an authentication code via SMS and asks the user to enter it.

  5. The user responds to the MFA request. Here, the received authentication code is entered into the fake website.

  6. The fake website that received the MFA information will forward it to the official website.

  7. If the MFA information is correct, the official website will return a successful login session.

    ※ At this time, the user feels as if they have logged in to the official website as usual, and does not realize that their information has been stolen.

  8. The attacker uses session information obtained from the fake website to access the official website.



Even if you have set up MFA in this way, authentication information and session information may be stolen and unauthorized access may be obtained through man-in-the-middle phishing. So, can MFA not prevent phishing?


It is possible to prevent phishing with MFA using a "passkey". Since major mobile carriers have started to support passkeys, you may have used them without even realizing it. Next, I will explain why passkeys are resistant to phishing.



Phishing-resistant "passkeys"


A passkey is a simple and secure authentication method that replaces passwords. It is based on an authentication technology called FIDO, and when authentication is required, you log in using a smartphone or other device by biometric verification (face/fingerprint) or by entering a PIN. Also, unlike passwords, passkeys cannot be guessed, making them highly resistant to phishing attacks. Why it is resistant to phishing attacks? As before, I will explain this using the example of a man-in-the-middle phishing attack.


Example of MFA using passkey to prevent phishing attacks

  1. The user is sent an email inviting them to a fake website.

  2. The user accesses the fake website "login.yubi0n.com" and enter their login information (ID).

  3. The fake website that received the login information will forward it to the official website ("login.yubion.com").

  4. The official website requests MFA. Here, it requests MFA using a passkey. For details on the FIDO authentication sequence, please see here.

  5. When a user's smartphone receives an MFA request using a passkey, it automatically checks that the doamin name (URL) is correct.


    → If you use a smartphone that has already registered MFA on the official website "login.yubion.com" to make an MFA request on the fake website "login.yubi0n.com", the domain name is different. So no authentication information will be returned. (Here, the lowercase letter o and the number 0 are different.)

  6. The fake website will not return an MFA response and will fail to log in.



In this way, MFA using passkey prevents authentication information from being returned to fake websites by using the doamin check mechanism,preventing the theft of authentation information through phishing attacks. Passkey authentication allows you to log in easily and securely by simply taking out your smartphone or other device and entering biometric authentication (face/fingerprint) or a PIN. If the web service/application you are using supports passkeys, we recommend that you try using them.


However, there may be cases where you want to use a passkey but cannot use your personal smartohone at work. In such cases, you can use a "security key" that supports FIDO authentication. Since we are a distributor of security keys, we would like to introduce some of the FIDO-compatible security keys we handle.



FIDO-compatible security keys


Beside smartphones, you can use a "security key" that supports FIDO2, the latest FIDO specification, to log in with a passkey. However, some services may not support the use of security keys. So please check the service's MFA explanation page to make sure that security keys can be used.


Below is alist of FIDO2-compatible security keys that we handle.



There are two types of security keys: one that requires a PIN code to be entered (biometric items unchecked), and one that confirms biometrics (biometric items checked) during authentication. You can choose between the PIN input type and the biometric verification type depending on the usage scenario. We also sell a variety of USB forms, including models that support NFC and BLE. Please buy from Amazon. Or contact us if you wish to purchase in bulk.



The security key you purchased will require initial settings (PIN/biometris).

Please refer to the blogs below for setup.


For those who have a Windows machine:


For those who use a macOS or Linux (GUI) machine:



Finally


I hope you understand why MFA using a passkey is resistant to phishing. In the future, passkeys may become widespread and the use of passkeys may become commonplace for many people. This time, I explained the use of MFA with a passkey, focusing on Web services. YubiOn also offers a solution that introduces MFA using a passkey when logging on to a PC. You can try it for free, so please give it a try.


  • YubiOn FIDO Logon YubiOn FIDO Logon is a cloud service that provides multi-factor authentication using a passkey to log on to a PC. It also has convenient features such as integrated management and remote control functions on the Web management console. Please check the product introduction page for details. Also, for details on installation procedures, please refer to this setup guide.








Comments


Commenting has been turned off.
bottom of page