All about auth
October 24, 2022
In the world of authentication, there are many options when it comes to verifying a user’s identity — but they’re not all created equal. For instance, passwords are easily compromised through common hacking methods like brute force attacks and credential stuffing because they’re often easy to guess or reused across multiple accounts.
This is one reason many security-minded organizations are adopting multi-factor authentication (MFA) — which requires additional authentication factors like email magic links or biometrics — as the standard for identity verification. Still, there are many possible forms and variations of MFA, and some offer better security than others.
In this article, we explore why some MFA flows fall prey to phishing attacks, explain what unphishable MFA does differently, and break down why it’s the best option for protecting your apps and data from malicious actors.
To understand the importance of unphishable MFA, it’s important to first understand the dangers of phishing scams.
Phishing is a form of social engineering. Rather than targeting vulnerabilities in computer systems or hardware, social engineering attacks aim to exploit the human component of an organization or user. They deploy deceptive tactics that trick people into divulging personal information or granting access to a sensitive database through fraudulent messages and/or malicious links. This might look like an email from an unknown contact containing a link that promises some kind of reward or to fix a “problem” the user isn’t aware of. But not all phishing attacks are so overtly suspicious.
For example, password phishing scams frequently mimic legitimate password reset emails and are a popular way to gain access to user credentials. MFA is designed to thwart these scams by employing additional layers of security to verify a user’s identity. With MFA, even if a user’s credentials are compromised, a hacker would have to bypass those extra security measures to gain access to the system, making a successful breach more difficult.
The short answer is, yes. Certain forms of MFA are phishable. Any MFA factor that is tied to a user’s personal phone number or email address—like an SMS one-time passcode, email magic link, or voice authentication—can be compromised by a determined hacker.
Emails are a very common vector for phishing attacks. Hackers use malicious email links that direct users to fake landing pages and proxy servers that record any credentials and one-time passcodes users enter. The hacker can then plug in that information on the back end to gain access. This is also known as a man-in-the-middle (MitM) attack.
With SMS, phishing can get a little more sophisticated, but similarly involves a phisher somehow convincing a user to share a one-time passcode (OTP) or other sensitive information that the hacker can use to gain access to their account.
Unphishable MFA is a multi-factor authentication flow that cannot be compromised by any of the tactics mentioned above. Relying on asymmetric or public-key cryptography, this form of authentication provides the highest level of security.
Asymmetric cryptography encrypts valuable data — in this case, access to a server — using a public key and a private key. The public key is stored on the server, while the private key can only be unlocked by the user. Once unlocked, the private key sends a personalized message to the public key, providing the user with access.
This cryptographic foundation can be paired with different authentication factors in an MFA flow, allowing users to verify their identity securely in the following ways:
This approach offers protection against phishing attacks in four critical ways:
Taken together, these factors explain why this type of MFA is referred to as “unphishable.” And they’re why incorporating unphishable MFA into your website or app is the best way to prevent cyberattacks and safeguard your and your users’ data.
For Stytch, security comes first. Sign up for a free account, and discover our unphishable, easy-to-integrate solutions for passwordless authentication.
Sign up today.