"Phishing-resistant MFA: Protecting Against Ransomware Threats"
Cybersecurity has become a matter of national emergency as the threat of ransomware continues to grow and impact organizations globally. The National Cyber Security Centre (NCSC) has unveiled new services to coincide with the latest phase of its Cyber Aware campaign and has urged firms to take protective action to bolster their resilience against ransomware threats. However, a recent declaration by NCSC founder Ciaran Martin that Britain is at the forefront of global cybersecurity efforts could mistakenly give UK firms a false sense of confidence.
The reliance on legacy multi-factor authentication (MFA) that utilizes phishable factors, such as passwords, one-time passwords (OTP), and SMS push notifications, is no longer effective against cybercriminals. Attackers can easily bypass these measures using social engineering and other phishing tactics, allowing them to gain access to sensitive data and systems. In a new study of online banks, serious security issues were identified that potentially put their UK business customers at risk, particularly their continued dependence on traditional SMS-based security protocols to deliver access to accounts.
While MFA has long been considered good practice for securing online access to resources, the continued reliance on ineffective MFA is the equivalent of simply tying a piece of string across a doorway and expecting cybercriminals to view this as a deterrent. Research shows that the use of stolen or phished credentials is the primary delivery method for ransomware attacks, with 83% of UK businesses targeted with phishing in 2022. Attackers are logging into remote access tools to deposit the malware. Unfortunately, the legacy MFA that was supposed to fix the password vulnerability is now very easily bypassed.
To protect against these threats, organizations should transition to modern, phishing-resistant MFA that eliminates weak factors like passwords and OTPs. This means implementing passwordless solutions that use cryptographic FIDO passkeys as one factor and secure identity features built into modern devices like facial recognition or fingerprints or local pin codes to provide a second factor for proof of identity. In other words, removing all weak factors such as passwords and legacy MFA eliminates the risk of password-based attacks and multi-factor authentication bypass which are the biggest cause of data breaches.
The US has set a strong precedent for security by requiring phishing-resistant MFA for all government agencies and entities working with the government. In the UK, mandating the use of phishing-resistant MFA would go a long way towards stopping cybercriminals from using compromised credentials to subvert the authentication process and gain access to networks and accounts. Ideally, 2023 should be the year in which public and private sector organizations are required to upgrade their identity systems to support the implementation of phishing-resistant MFA on a variety of internal and external resources such as email systems, file servers, remote access systems, and more.
In the meantime, organizations should take the initiative and implement phishing-resistant MFA sooner rather than later. Doing so will elevate how they protect their systems, users, and customers from unauthorized activities by external attackers. With the increasing severity of ransomware attacks, organizations need to prioritize their cybersecurity measures and upgrade to modern, phishing-resistant MFA to safeguard against these evolving threats.