Introduction & Foreword
Introduction & Foreword
Since its inception in 2015, IDEE knew there was something special about its technology. AuthN by IDEE is (as far as we are aware) the only Multifactor Authentication solution available today that can confidently assert the claim to be phish-proof, which is why we call it MFA 2.0. AuthN by IDEE protects against every single credential phishing and password-based attack (including Adversary in the Middle – AiTM attacks).
The cybersecurity industry has for years been trying to solve the problem of digital identity by fixing passwords. And to no avail. The AuthN solution and phish-proof technology is finally here, but the challenge now is for the industry to catch up and for IT professionals to understand the science and architecture behind it.
We have created this paper to demonstrate the core differences between MFA 1.0 (push, OTP, QR and based on passwords), which was never built to prevent phishing, instead, it was created to stop password-based attacks, which are no longer the #1 attack vector. The attack vector is credential phishing and AiTM attacks, which is why MFA 1.0 is no longer fit for purpose.
Section 1
MFA 2.0
MFA 2.0 is a multifactor authentication process that assures the user identity and authentication attributes cannot be intercepted, modified and/or subverted by an attacker using phishing techniques. It ensures that the complete user identity life cycle including registration, identity proofing, authenticators establishment, authentication, recovery, re-identification, and account termination are immune to phishing attacks.
MFA 2.0 unlike MFA 1.0 does not only prevent attackers from intercepting and tricking users into revealing access credentials, it also, assures that the chain of trust established at the stage of user identity proofing is transitive, cannot be broken and is provable.
Sections 2 & 3
Phishing
According to NIST (National Institute of Standards and Technology) phishing refers to an attack in which the subscriber is lured (usually through an email) to interact with a counterfeit verifier or relying party and tricked into revealing information that can be used to masquerade as that subscriber to the real verifier or relying party. The major component of phishing is "deception". Attackers use deception tactics to convince the user into giving away personal sensitive information such as passwords. Unknown to the victim, the revealed information is utilized by the attacker to access the victim's account, monitor communications, carry out illegitimate transactions and can even take over the account.
This deception can happen in so many ways and via different channels. The typical phishing method is via email, an attacker sends a link to a fake site to a target's email (this is called spear phishing). This can also be done via SMS (smishing) and social media platforms. An attacker can embed a link on a genuine website to redirect unsuspecting users to a fake site or even call a user on their phone to deceive them into granting access to their account (vishing). The one common denominator is the human element. As reported in the Verizon 2022 DBIR — 82% of all breaches were caused by the human element.
How Phishing Works
There are many methods used by attackers to phish their victims. The information targeted determines the method. Here we explain some of the methods.
3.1 Credential Phishing
In credential phishing attacks, attackers disguised as trusted senders of email, SMS messages or legitimate websites trick the victim into entering sensitive information. This is done by presenting login credentials or tricking the victim to click on an attachment or URL which sends the victim to a malicious impostor site. Stolen login credentials and sensitive information are used by cybercriminals to take over the victim's accounts to impersonate the victim for financial and other fraudulent activities.
The main goal of an attacker in credential phishing is to obtain the victim's credentials.
3.2 Prompt Bombing
Prompt bombing (MFA fatigue) relies on the victim to mistakenly granting the attacker access by approving just one push notification. With the victim's username such as an email address, an attacker can initiate login to the victim's account. Each login attempt sends a notification to the victim's phone. Out of annoyance or by mistake, the victim clicks to approve and the attacker is in.
The attacker can then register their own authenticator device and lock the victim out of the account. Here, the victim does not give credentials such as a password or OTP to the attacker. They still have their credentials intact, but they have granted access to the attacker.
3.3 QR Code Phishing
This is similar to prompt bombing in the sense that the attacker relies on the victim to mistakenly scan a QR code displayed on a fake website. This way the victim approves access and lets the attacker in.
The victim does not give credentials such as password or OTP to the attacker. They still have the credentials intact, but they have granted access to the attacker. The attacker can then register their own authenticator device and lock the victim out of the account.
3.4 Consent Phishing
Consent phishing attacks exploit the use of OAuth 2.0 (a protocol that allows third-party apps to access a user's account without the user's interaction).
The goal of a consent phishing attack is to trick users into granting permissions (consent) to malicious attacker-owned applications. The user sign-in takes place genuinely via a trusted identity provider, after which the attacker asks the user to grant certain permissions to the malicious app. If the permission is granted, the service provider issues an access token to the malicious app. With this token, the malicious app can access the user's account programmatically with the user's knowledge. If the user has elevated privileges, the attacker can programmatically create new accounts, install ransomware, and backdoors for continual access to the user and/or organization network.
3.5 Adversary-in-The-Middle (AiTM)
An Adversary-in-the-middle (AiTM) attack is a phishing technique whereby the adversary (attacker) deploys a proxy server between a target (user) and a website.
The proxy server intercepts the user's login credentials and session cookie. Session cookies are used to prove the state of a user session so that the user does not have to be authenticated at every new page they visit on the website.
The intercepted session cookie is injected into the adversary's browser to access the user's account without the need for authentication even when MFA is enabled. This is because the session cookies prove to the website (web server) that the user has already been authenticated and has an ongoing session on the website. As a result, no further authentication is required.
The adversary can perform illegitimate transactions or steal sensitive data, take over the compromised account by changing the authentication credentials (password and MFA), escalate its privileges in the organization's infrastructure, and install ransomware.
Section 4
Why is Phishing a Big Deal?
Phishing, unlike any other attack, leverages the "human element". Even if the technology and processes are securely designed, the people (human error) often give in to let attackers in. The human element drives breaches.
Here are the facts about phishing:
- The majority of all cyberattacks occur through stolen login credentials typically obtained through various forms of phishing attacks — NIST
- All MFA processes using shared secrets are vulnerable to phishing attacks (MFA 1.0). Shared Secret authenticators include memorized secrets, look-up secrets, out-of-band authentication (SMS/PSTN) including push notifications, one-time-passwords (OTP) and others — NIST
- 82% of all breaches were caused by the human element — Verizon 2022 DBIR
- Financial services are one of the most targeted sectors of phishing scams. The majority of the phishing attack campaigns (80.7%) use techniques that bypass MFA (1.0) solutions using one-time password tokens or push notifications. 42% of these attacks are associated with account takeover — Enemy at the Gates: Analyzing Attacks on Financial Services by Akamai
- 78% of Azure AD (Active Directory) identities can be phished — "require only a username and password to authenticate" — Microsoft
- 77% of intrusions are caused by three initial access vectors: phishing, exploitation of known software vulnerabilities and brute-force credential attacks. Phishing accounts for 37% of initial access. 70% of these incidents led to ransomware and business email compromise (BEC) — Palo Alto Networks' 2022 Incident Response Report
- 41% of business email compromise (BEC) involved Phishing — Verizon 2022 DBIR
- Phishing is the costliest form of data breach, USD 4.91 million in breach cost — IBM
Phishing attacks are becoming more sophisticated making it much more difficult to defend. One of these sophisticated tactics is Adversary-in-The-Middle (AiTM) attack that bypasses MFA 1.0. As reported by the Microsoft 365 Defender Research Team, more than 10,000 organizations have been targeted by AiTM phishing campaigns since September 2021 using the Evilginx2 opensource phishing toolkit.
The US government in OMB M-22-09 stipulates that agencies "must use strong MFA throughout their enterprise" as follows: "For agency staff, contractors, and partners, phishing-resistant MFA is required. For public users, phishing-resistant MFA must be an option."
Section 5
Recent Phishing Attacks
Here is a list of some of the recent phishing attacks:
| Company |
What Happened |
Cause of Incident |
Year |
Impact |
| TeamViewer |
Unauthorized access by Russian state-sponsored group APT29 (Midnight Blizzard) |
MFA 1.0 vulnerable to credential phishing |
2024 |
Attackers infiltrated TeamViewer's corporate IT environment |
| Amtrak |
Unauthorized access to customers' accounts |
Credential stuffing due to no MFA |
2024 |
Attackers compromised customers' personal information and travel history |
| Snowflake |
Unauthorized access to Snowflake's systems and that of its customers |
No MFA |
2024 |
Attackers accessed data from hundreds of customers, including Ticketmaster and Santander |
| Okta |
Unauthorized access to Okta systems and support case management systems |
MFA 1.0 vulnerable to Adversary-in-the-Middle attack and prompt-bombing (MFA Fatigue) |
2023 & 2024 |
Hackers accessed Okta's support system, compromising data from its customers; accessed data on Okta customer support system users |
| Microsoft |
Unauthorized access to Microsoft accounts |
MFA 1.0 vulnerable — prompt bombing (MFA Fatigue), Adversary-in-the-Middle attack, no MFA |
2022–2024 |
Attackers stole company's source code; compromised multiple Microsoft customers' accounts; compromised email accounts of senior leadership and employees |
| The British Library |
Unauthorized access by ransomware gang |
Accounts compromised due to lack of MFA |
2023 |
The attacker encrypted the British Library's server estate |
| MGM |
Unauthorized access by Scattered Spider group |
MFA 1.0 vulnerable to phishing |
2023 |
The attackers gained access to sensitive information, including social security numbers and passports, of customers at MGM Resorts and Caesars Entertainment |
| 23andMe |
Unauthorized access to 23andMe systems |
Credential stuffing due to password reuse and no MFA |
2023 |
Attackers compromised 6.9 million users' DNA data |
| Airbus |
Unauthorized access to Turkish Airlines employee's computer |
Vulnerable MFA 1.0 |
2023 |
The attacker gained details on thousands of Airbus employees and vendors, including names, addresses, phone numbers and emails |
| Boeing |
Unauthorized access by LockBit ransomware group |
MFA 1.0 vulnerable to phishing |
2023 |
Attackers accessed sensitive data and demanded a $200 million ransom |
| Cisco |
Unauthorized access by Yanluowang Ransomware Group |
MFA 1.0 vulnerable to phishing |
2022 |
Compromised a series of Citrix servers and obtained privilege access to domain controllers |
Sections 6 & 7
Multifactor Authentication
Multifactor Authentication (MFA) is an authentication mechanism that requires more than one distinct authentication factor and each factor can be on the same device or on separate devices. For an authentication to be considered multifactor, it must use more than one factor.
A factor (authenticator) is something the claimant (user) possesses and controls that is used to verify the user's identity. A factor can be something the user knows (such as memorized secrets), something the user has (such as a device), something the user is (biometric).
An authentication mechanism that requires just one of these factors is referred to as 'single factor authentication.' When at least two of these factors or more are required, it is called multifactor authentication (MFA).
Multifactor authenticator provides more than one distinct authentication factor on the same device. One example of a multifactor authenticator is a device (possession factor), which can only be used after biometric (inheritance factor) authentication.
Another example of a multifactor authenticator is a device (possession factor), which can only be used after PIN/password-based (knowledge factor) authentication. It is important to note that without the second factor (inherence or knowledge), the device cannot be used.
As you can see from the above, multifactor authentication can be achieved using a multifactor authenticator or by combining single authenticators that provide different factors.
Below are some examples of authentication methods and the corresponding factors.
| Authentication Method |
Factors |
Classification |
Examples |
| Password |
Knowledge |
Single authenticator |
Manually entering a password to login to websites |
| Email link |
Possession |
Single authenticator |
Clicking on an email link to login to websites |
| SMS code |
Possession |
Single authenticator |
Manually entering an SMS code to login to websites |
| Password + SMS |
Knowledge + Possession |
Combination of single authenticators |
Manually entering a password and SMS code to login to websites |
| Password + Email code/link |
Knowledge + Possession |
Combination of single authenticators |
Manually entering a password and code to login to websites |
| Password + One-time password (soft/hard token) |
Knowledge + Possession |
Combination of single authenticators |
Manually entering a password and OTP to login to websites |
| Push notification or QR code on a device + Biometric or PIN |
Possession + Inherence or Knowledge |
Multifactor authenticator |
Using an app on a smartphone to approve a notification or scan QR code to login to a website |
| External cryptographic device + Biometric or PIN |
Possession + Inherence or Knowledge |
Multifactor authenticator |
Using FIDO2 security keys with a PIN or biometric to login to websites |
| In-built cryptographic device + Biometric or PIN |
Possession + Inherence or Knowledge |
Multifactor authenticator |
Using WebAuthN with a PIN or biometric to login to websites |
One commonality is that a verifier (the service provider or an identity provider) must store something (shared secret or public cryptographic key) to be able to verify and validate a user identity at the point of access.
MFA 1.0
All MFA which relies on memorized secrets, look-up secrets, and out-of-band authentication (SMS/PSTN) including push notifications, QR codes, one-time-passwords (OTP) is phishable. This MFA has been in use for more than a decade and we call it MFA 1.0. It is phishable because it relies on the vigilance of the user to detect and prevent disclosure of authentication secrets and/or valid authenticator outputs to attackers.
To prevent (resist) phishing, an MFA needs to be able to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system. Only two of the MFA methods listed above can resist phishing – FIDO2 and WebAuthN.
Phishing-resistant MFA uses asymmetric key cryptography for protection from phishing attacks. NIST SP 800-63-3 refer to them as cryptographic authenticators, this includes PIV/CAC cards, FIDO2 security keys and WebAuthN. FIDO2/WebAuthN are multifactor cryptographic authenticators that use a hardware cryptographic module to prove possession of an authentication secret through direct communication, via the endpoint, with a verifier. However, they only focus on a single part of the identity lifecycle, authentication, and thus they are phishing-resistant, but not phish-proof. In order to be phish-proof the MFA needs to address the complete user identity life cycle including registration, identity proofing, authenticators establishment, authentication, recovery, re-identification, and account termination. Thus, phishing resistant MFA is MFA 1.0.
Section 8
MFA 1.0 vs. MFA 2.0
MFA 1.0 focuses solely on the authentication process. Thus we coined the term, MFA 2.0 because it ensures that the complete user identity life cycle including registration, identity proofing, authenticators establishment, authentication, recovery, re-identification, and account termination is immune to phishing attacks. According to NIST "phishing resistant authenticators only address one focus of phishing attacks – the compromise and re-use of authenticators such as passwords and one-time passcodes. They do not mitigate phishing attempts that may have alternative goals such as installing malware or compromising personal information to be used elsewhere."
The inherent problem with MFA 1.0, even when it is phishing resistant, is that identity proofing is decoupled from authenticator provisioning. The cryptographic device authenticators are added as an afterthought. This is exasperated by the so-called best practice of having a "break-glass access and mandatory fall-back authentication method", which is never the same as the primary authentication method and relies on phishable factors such as passwords and OTPs.
Naturally, attackers go for the weakest link and in this case, would compromise the break-glass and/or the fall-back authentication method to gain access and easily add additional phishing-resistant MFAs. Furthermore, phishing-resistant MFAs do not prevent the use of synthetic identity, identity proofing compromise, account takeover, and insider threats. And finally, with initial access brokers (IAB) on the rise, MFA 1.0 cannot prevent malicious insiders from selling access to criminal gangs for financial returns. This is the modus operandi of groups like the Lapsus$ ransomware group, who recruit insiders.
Section 9
How Can Phishing Be Prevented?
The only sure fire way to prevent phishing is to use MFA 2.0. Unlike MFA 1.0, which prevents attackers from intercepting and tricking users into revealing access credentials, MFA 2.0 in addition, assures that the chain of trust established at the stage of user identity proofing is transitive, cannot be broken and is provable from the start to the end of a user identity life cycle.
MFA 2.0 assures that the registration and identity proofing process cannot be compromised, that the established trust in the user identity at identity proofing is explicitly transited to the authenticator's establishment, and that the authenticators are based on a secure cryptographic authenticator device which is tamper-proof and tamper-resistant.
It does not just stop there, MFA 2.0 ensures an end-to-end direct trust between the service provider (relying party) and the authenticator device. This trust cannot and must not be altered by intermediaries (such as identity providers). It ensures that the complete user identity life cycle is immune to phishing, provable and cannot be subverted by a privileged insider.
With MFA 2.0, detection, and prevention of disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system is just not possible. To summarize, a MFA 2.0 solution offers comprehensive prevention of all credential phishing and adversary-in-the-middle attacks as well as MFA bypass attacks, whereas MFA 1.0 solutions only provide phishing resistance but not prevention.
Conclusion
Conclusion
- Any MFA is better than no MFA.
- Any MFA that relies on the vigilance of the user to detect and prevent disclosure of authentication secrets and valid authenticator outputs to attackers (MFA 1.0) is phishable.
- Phishing-resistant, an MFA 1.0 must: prevent capturing of authentication data from the user; detect and prevent the use of authenticators at illegitimate websites; detect and prevent an adversary-in-the-middle from intercepting user authentication session cookies; eliminate the need for manual entry of authentication factors; prevent the replay of valid authentication outputs.
- Phishing-resistant MFA (MFA 1.0) only addresses one type of phishing attack – the compromise and re-use of authenticators such as passwords and one-time passcodes. They do not prevent the use of synthetic identity, identity proofing compromise, account takeover, insider threats and other types of attacks.
- MFA 1.0 solutions are not the same as MFA 2.0 solutions.
- Both phishing-resistant MFA 1.0 and MFA 2.0 use asymmetric key crypto where the private key is used to digitally sign, and the public key is used to verify the signature. It provides authenticity and integrity protection as well as non-repudiation.
- MFA 2.0 does not only detect and prevent interception and usage of authenticators on fake websites. It assures that the chain of trust established at the stage of user identity proofing is transitive, unbreakable and provable from the start to the end of a user identity life cycle.
- MFA 2.0 ensures an end-to-end direct trust between the service provider (relying party) and the authenticator device. This trust cannot and must not be altered by intermediaries (such as identity providers). It ensures that the complete user identity life cycle is immune to phishing, provable and cannot be subverted by a privileged insider.
- The only sure fire way to prevent phishing is to use MFA 2.0.
Want to see MFA 2.0 in action?
Book a short call — we'll walk you through the architecture and answer your questions.
Book a Demo