"The U.S. government has been pushing people to avoid SMS- and voice call-based multi-factor authentication for years, but their most recent warning is to avoid any MFA that is overly susceptible to phishing."
“For routine self-service access by agency staff, contractors and partners, agency systems must discontinue support for authentication methods that fail to resist phishing, such as protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications”
Unphishable Multi-Factor Authentication
If a user mistakenly grants an attacker access, the consequences can be severe. Even brief access to a protected system can be enough for an attacker to enroll their own device as an MFA factor, so that all future MFA challenges are routed to them. At that point the foothold in your network is effectively permanent.
Recent attacks have motivated the cybersecurity industry to pivot to an emphasis on strong, unphishable/phishing-resistant MFA.
Phishing is when a user is tricked into granting an attacker access to a restricted system; phishing emails that ask for a user's password are the most common form. MFA was once thought to be the antidote to phishing: even if a user's password is compromised, the second factor remains as the last line of defense.
Once a user has received a one-time code (PIN) via SMS, a voice call, or a hardware token, they can be tricked into entering that code on an attacker's page, which simply forwards it to the real system. Alternatively, a user might approve a push notification they should have rejected.
Phishing-resistant authentication, also referred to as unphishable MFA, is designed to prevent the disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.
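The two paragraphs above describe the difference between an MFA output that can be handed to an attacker and one that cannot. The following is an added illustration, not code from the original page or from Twosense: it models a one-time code (RFC 6238 TOTP) being relayed through a look-alike login page, and then the same relay against an origin-bound challenge-response. All seeds, keys, origins and the server nonce are constructed demo values, and an HMAC stands in for the asymmetric signature a real FIDO2 authenticator would produce; the origin-binding logic is what the example demonstrates.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not from the page): one shared OTP seed, one
# authenticator key, the legitimate origin and a look-alike phishing origin.
OTP_SEED = b"constructed-demo-otp-seed"
AUTH_KEY = b"constructed-demo-authenticator-key"
LEGIT_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com"   # attacker-controlled look-alike


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_verify_otp(submitted: str, now: int) -> bool:
    """The real site accepts any correct code for the current time step; it has
    no way to know which page the user typed it into."""
    return hmac.compare_digest(submitted, totp(OTP_SEED, now))


def otp_relay(now: int) -> bool:
    """Phishing of an OTP: the user reads the code from their phone, types it
    into the look-alike page, and the attacker forwards it to the real site."""
    code_typed_into_phish_page = totp(OTP_SEED, now)    # what the user sees
    forwarded_by_attacker = code_typed_into_phish_page  # nothing ties it to an origin
    return server_verify_otp(forwarded_by_attacker, now)


def authenticator_respond(challenge: bytes, origin_seen_by_browser: str) -> dict:
    """Origin-bound response: the browser tells the authenticator which origin
    it is actually connected to, and that origin is covered by the proof.
    (HMAC stands in for a FIDO2 signature; the binding logic is the same.)"""
    signed = origin_seen_by_browser.encode() + b"|" + challenge
    return {"origin": origin_seen_by_browser,
            "proof": hmac.new(AUTH_KEY, signed, hashlib.sha256).digest()}


def server_verify_bound(challenge: bytes, response: dict) -> bool:
    """The real site rejects a response unless the origin inside it is its own
    AND the proof verifies over that same origin and challenge."""
    if response["origin"] != LEGIT_ORIGIN:
        return False
    expected = hmac.new(AUTH_KEY, LEGIT_ORIGIN.encode() + b"|" + challenge,
                        hashlib.sha256).digest()
    return hmac.compare_digest(response["proof"], expected)


def bound_relay() -> tuple:
    """Same relay against origin-bound MFA.
    Returns (honest_login_ok, relayed_response_ok, origin_rewritten_ok)."""
    challenge = b"constructed-server-nonce-0001"   # issued by the real site

    # Honest login from the real origin succeeds.
    honest = authenticator_respond(challenge, LEGIT_ORIGIN)

    # Phished login: the browser is on the look-alike site, so the response is
    # bound to PHISH_ORIGIN; forwarding it unchanged fails the origin check.
    relayed = authenticator_respond(challenge, PHISH_ORIGIN)

    # If the attacker edits the origin field to look legitimate, the proof no
    # longer matches, because the origin is part of the authenticated data.
    rewritten = dict(relayed, origin=LEGIT_ORIGIN)

    return (server_verify_bound(challenge, honest),
            server_verify_bound(challenge, relayed),
            server_verify_bound(challenge, rewritten))


if __name__ == "__main__":
    print("OTP relayed through phishing page accepted:", otp_relay(1_700_000_000))
    print("Origin-bound (honest, relayed, rewritten):", bound_relay())
```

The OTP verifier returns True for the relayed code because a code is just a short secret with no notion of where it was entered. The origin-bound verifier returns (True, False, False): only the response produced while the browser was on the legitimate origin is accepted, and neither forwarding nor rewriting the phished response helps.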
Both Twosense MFA and continuous monitoring products are unphishable by design.
Why can’t Twosense be phished?
Twosense is unique in that the user does not actively participate in the MFA challenge.
Twosense uses machine learning to drive passive biometrics that can guarantee a user's identity continuously throughout the day. This approach is completely unphishable, as there are no keys or codes that can be handed to an attacker in the event of a phishing attempt.
Prompt Bombing is a form of social engineering that leverages annoyance, fear, and trickery to gain access to target accounts. Integrating a phishing-proof MFA such as Twosense into an organization's security posture is one proactive way companies can protect themselves from potential attacks.
Deploy Phishing-Resistant Multi-Factor Authentication
With 3 simple steps, admins can deploy phishing-resistant MFA everywhere, on every app, all the time.