Auth & identity
October 13, 2022
Author: Stytch Team
Unphishable MFA factors like WebAuthn can help you prevent costly data breaches like the ones that recently targeted Uber, Twilio, and Okta.
If you follow business news outlets, you’ve likely heard about the data breach that infiltrated Uber’s security in mid-September. It’s only the most recent in a string of similar security incidents that have impacted companies like Twilio, Okta, Microsoft, Samsung, Cisco, and other companies just this year.
The common thread in all of these attacks? The use of phishable authentication factors, or sensitive user credentials that hackers can intercept and use to break into an account.
In this post, we explain how these data breaches happen and how you can rely on unphishable authentication methods — like WebAuthn — to stop them from happening to you.
Now, you may be asking, didn’t Uber use multi-factor authentication (MFA) to protect its sensitive data? And the answer is probably yes.
But MFA can still be vulnerable to phishing attacks, which use social engineering tactics — like an email that mimics a password-reset flow or a push notification granting access — to trick employees into divulging their credentials.
While phishing attacks often target passwords (something a user knows), they can also undermine auth methods that are typically used as secondary factors in an MFA flow, like SMS one-time passcodes, push notification, or email magic links. In fact, any factor tied to a user’s phone number or email address (something a user has) can potentially be rerouted at the source and compromised by a determined hacker.
Unphishable MFA offers industry-leading security by relying on asymmetric or public-key cryptography. That means valuable data, like factors that grant access to a server, are encrypted using both a public and a private key. While the public key is stored on the server, the private key can only be activated by a specific user. To gain entry to an account, both keys must be triggered, with the private key sending a customized message to the public key to grant access.
To break it down, this two-part MFA flow is immune to remote phishing attacks because it:
WebAuthn is one of the leading forms of unphishable MFA. It encompasses two different categories of device-based authentication factors that can be used to verify a user’s identity:
While WebAuthn has seen relatively low commercial adoption to date, it’s set to ramp up in the coming years, thanks to three significant advancements:
As the auth industry continues to advance — and with the introduction of adjacent technologies like Apple Passkeys that make the use of biometrics easier and more universal — we expect WebAuthn to become an even more popular way to neutralize the risk of remote phishing attempts.
Adopting next-level authentication measures like WebAuthn isn’t just about keeping up with the latest security practices. It’s about protecting your users and your platform against real cyber attacks that are wreaking havoc on even some of the world’s biggest corporations.
It’s as simple as investing in a comprehensive auth strategy that gives you access to a variety of robust solutions at once — and ensuring they include unphishable MFA factors that can defend your data against the worst that hackers can throw your way.
If you’re interested in learning how unphishable MFA factors might work on your platform, reach out to Stytch’s team to book a free consultation. You can also check out our Slack channel to join daily discussions on all things auth.