Unphishable MFA

"The U.S. government has been pushing people to avoid SMS- and voice call-based multi-factor authentication for years, but their most recent warning is to avoid any MFA that is overly susceptible to phishing."

“For routine self-service access by agency staff, contractors and partners, agency systems must discontinue support for authentication methods that fail to resist phishing, such as protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications”

Roger Grimes
Data-Driven Defense Evangelist at KnowBe4
As threats evolve, so must security.

Unphishable Multi-Factor Authentication

If a user mistakenly grants an attacker access, the consequences can be severe.  Even temporary access to secure systems can be enough for an attacker to register their device and have all future MFA challenges come to their device.  This means permanent access to your network.

Recent attacks have motivated the cybersecurity industry to pivot to an emphasis on strong, unphishable/phishing-resistant MFA.

Phishing occurs when a user is tricked into granting an attacker access to a restricted system. Phishing emails that ask for users' passwords are common. MFA was once thought to be the antidote to phishing: even if a user's credentials are compromised, MFA is the last line of defense.

After a user obtains a PIN via SMS, voice, or a hard token, they can be tricked into giving an attacker that PIN.  Alternatively, a user might approve a Push notification when they should have rejected it.

Phishing-resistant authentication, also referred to as unphishable MFA, is designed to prevent the disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

Both Twosense MFA and continuous monitoring products are unphishable by design.

Take The User Out of the Loop

Why can’t Twosense be phished?

Twosense is unique in that the user does not actively participate in the MFA challenge.

Twosense uses machine learning to drive passive biometrics that can guarantee a user's identity continuously throughout the day. This approach is completely unphishable, as there are no keys or codes that can be handed to an attacker in the event of a phishing attempt.

Protecting Your Organization From User Error

Prompt Bombing

Prompt Bombing is a form of social engineering that leverages annoyance, fear, and trickery to gain access to target accounts. Integrating a phishing-proof MFA such as Twosense into an organization's security posture is one proactive way companies can protect themselves from potential attacks.

Better Security. Better Experience.

Deploy Phishing-Resistant Multi-Factor Authentication

With 3 simple steps, admins can deploy phishing-resistant MFA everywhere, on every app, all the time.