If you own a computer, watch the news, or spend virtually any time online these days, you have probably heard the term “phishing.” Never in a positive context, and possibly because you have been a victim yourself.
Phishing refers to various attacks intended to convince you to forfeit sensitive data to an imposter. These attacks can take several different forms, from spear-phishing (which targets a specific individual within an organization) to whaling (which goes one step further and targets senior executives or leaders). Furthermore, phishing attacks occur over multiple channels or even across media, from the more traditional email-based attacks to those using voice (vishing) to those coming via text message (smishing). Regardless of the type or channel, the attack intends to exploit human nature to gain control of sensitive information (citation 1). These attacks typically use several techniques, including impersonated websites, attacker-in-the-middle, and relay or replay, to achieve their desired outcome.
Due to their effectiveness and simplicity, phishing attacks have rapidly become the tool of choice for baddies everywhere. As a tactic, it is used by everyone from low-level criminals looking to commit fraud to sophisticated nation-state attackers seeking a foothold within an enterprise network. And, while almost any kind of information can be targeted, the most damaging attacks often focus on your password, PIN, or one-time passcodes – the keys to your digital realm. The combination can be catastrophic. The Verizon 2022 Data Breach Investigations Report lists phishing and stolen credentials (which may be harvested during phishing attacks) as two of the four “key pathways” that organizations must be prepared to address to prevent breaches (citation 2). In recognition of the threat posed by phishing, the Office of Management and Budget’s Memo 22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” prioritizes the implementation of phishing-resistant authenticators (citation 3).
So – how do you keep your sensitive data from falling into the wrong hands? What constitutes a phishing-resistant authenticator? The draft NIST Special Publication 800-63B-4 defines phishing resistance as “the ability of the authentication protocol to detect and prevent disclosure of authentication secrets and valid authenticator outputs to an impostor relying party without reliance on the vigilance of the subscriber.” To achieve this, phishing-resistant authenticators must address the following attack vectors associated with phishing:
- Impersonated Websites – Phishing-resistant authenticators prevent the use of authenticators at illegitimate websites (the party that checks an authenticator is known as the verifier) through multiple cryptographic measures. This is achieved by establishing authenticated secure channels for communications and methods to restrict the context of an authenticator’s use. For example, this may be achieved through name binding – where an authenticator is only valid for a specific domain (I can only use this for one website). It may also be achieved through binding to a communication channel – such as in client-authenticated TLS (I can only use this over a specific connection).
- Attacker-in-the-Middle - Phishing-resistant authenticators prevent an attacker-in-the-middle from capturing authentication data from the user and relaying it to the relying website. This is achieved through cryptographic measures, such as leveraging an authenticated protected channel to exchange information and digitally signing authentication data and messages.
- User Entry – Phishing-resistant authenticators eliminate the need for a user to type or manually input authentication data over the internet. This is achieved through the use of cryptographic keys for authentication that are unlocked locally through a biometric or PIN. No user-entered information is exchanged between the relying website and the authenticator itself.
- Replay – Phishing-resistant authenticators prevent attackers from using captured authentication data later in time. The same cryptographic controls that restrict context and prevent attacker-in-the-middle scenarios, mainly digitally signed and time-stamped authentication and message data, also prevent replay attacks.
As complicated as this may seem, several practical examples of phishing-resistant authenticators exist today. The most ubiquitous form of phishing-resistant authenticator for U.S. federal employees is the Personal Identity Verification (PIV) card, which leverages public-key cryptography to protect authentication events. Commercially, FIDO authenticators paired with W3C’s Web Authentication API are the most common form of phishing-resistant authenticators widely available today. These can be separate hardware keys or embedded directly into platforms (for example, your phone or laptop). The availability, practicality, and security of these “platform authenticators” increasingly put strong, phishing-resistant authenticators into users’ hands without the need for additional form factors or dongles.
Not every transaction requires phishing-resistant authenticators. However, for applications that protect sensitive information (such as health information or confidential client data) or users with elevated privileges (such as admins or security personnel), organizations should be enforcing or offering phishing-resistant authenticators. Individuals should explore the security settings for their more sensitive online accounts to see if phishing-resistant authenticators are available and use them if they are. These tools are often more accessible, faster, and more convenient than the MFA – such as SMS text codes – they may currently use.
Ultimately, phishing-resistant authenticators are a critical tool in personal and enterprise security that should be embraced and adopted. They are not, however, a silver bullet. Phishing-resistant authenticators only address one focus of phishing attacks – the compromise and re-use of authenticators such as passwords and one-time passcodes. They do not mitigate phishing attempts that may have alternative goals, such as installing malware or compromising personal information to be used elsewhere. Phishing-resistant authenticators should be paired with a comprehensive phishing prevention program that includes user awareness and training, email protection controls, data loss prevention tools, and network security capabilities.