As cyber-attacks intensify in frequency and sophistication, the human element is crucial, yet it often remains the weakest link.
A majority of breaches are executed through stolen credentials and the exploitation of human error. A recent Verizon DBIR report found that more than 80% of cyber-attacks are a result of stolen login credentials.
The human factor has emerged as a predominant cause of cyber vulnerability, underlining the necessity for robust, human-centered cybersecurity strategies.
Geoff Schomburgk, Vice President, Asia Pacific & Japan, Yubico, shares with CybersecAsia the strategy of developing phishing-resistant users, instead of simply adopting phishing-resistant authentication tools.
Despite organizations aiming to improve their cyber defenses by implementing multi-factor authentication (MFA), why does phishing remain a significant challenge requiring a more proactive cybersecurity approach?
Geoff Schomburgk (GS): Stolen passwords are one of the most common ways cybercriminals gain unauthorized access to a computer, network or system – with phishing being one of the greatest cybersecurity risks that organizations face.
The rise in AI-driven cyber-attacks means organizations are simultaneously facing more persistent and increasingly sophisticated threats from phishing attacks which specifically target the registration, authentication, and recovery processes of employees.
While any form of MFA is better than none, not all forms of MFA are created equal. For example, legacy MFA tools like SMS-based one-time password (OTP) codes and mobile authenticator apps have been repeatedly proven to be easily compromised by bad actors.
In Singapore, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) recently announced that major retail banks will progressively phase out the use of OTPs, within the next three months, for bank account login by customers who are digital token users.
Organizations are now looking to implement phishing-resistant MFA, including passkeys, as their latest authentication process because it thwarts phishing attacks whilst also reducing the risk of users being duped into handing over their credentials during a phishing attempt. Implementing phishing-resistant MFA tools like security keys removes the burden of security from the users and allows them to let the key decide what is legitimate or not.
To combat human-centric vulnerabilities, what key elements are important to understand when planning or implementing modern authentication strategies?
GS: You can’t create a phishing-resistant enterprise without phishing-resistant users. Providing essential education on the principles and benefits of phishing-resistant MFA for both corporate and personal use is essential. However, using technology-driven solutions that minimize the reliance on user education will help make the adoption process easier for all.
Providing all users with phishing-resistant MFA and implementing the use of portable hardware security keys as the primary authenticator is the second of three elements to include when developing modern authentication strategies.
The final step is to set up the account registration and user recovery procedures for everyone. For the highest-assurance security, portable hardware security keys, such as a YubiKey, should be the foundation for securely accessing accounts.
By utilizing the highest-assurance hardware security keys as the foundation for all phishing resistant users across the entire organization, cybersecurity resilience is strengthened. It also reduces the reliance on reactive measures and protects sensitive data and operations.
What is a phishing-resistant user, and how does the strategy of developing phishing-resistant users differ from adopting phishing-resistant authentication tools?
GS: Developing phishing-resistant users is not just a reactive measure, but a proactive enterprise strategy aimed at removing the risk of phishing by eliminating all phishable events from the entire user lifecycle.
The primary security control for enterprises has traditionally been to prevent phishing at the time of authentication. However, as enterprises are now rolling out phishing-resistant authentication, user accounts have entered a hybrid state with both phishable and phishing-resistant credential types available.
This requires enterprises to elevate the processes for issuing credentials, registering devices, and signing into passkey providers to meet the same bar as the authentication controls that have been in place. For point-in-time authentication policies to be effective, enterprises must ensure that the users have the right type of authenticators, credentials, and processes for every stage of the account lifecycle.
Whether it is an employee or a consumer protecting their online accounts, phishing-resistant users use advanced modern technology, such as passkeys or hardware security keys to safeguard their digital lives or accounts.
Having a strategy of developing phishing-resistant users is valuable, but to truly prevent phishing attacks, organizations must do more than just invest in phishing-resistant authentication tools. Asking people to move away from legacy systems, such as passwords, can seem daunting to those who fear change, but developing phishing-resistant users with technology that doesn't rely on them being technology experts will make the adoption process easier. Hence developing phishing-resistant users ensures that the authentication tools are confidently used by all.
What does a strategy around developing phishing-resistant users look like in practice?
GS: Throughout the course of a day users can often move across platforms (e.g. Google and Microsoft), devices (smartphones and laptops) and between personal and corporate apps and services. This results in using many conventional authentication techniques that are phishable. Unfortunately, organizations tend to temporarily default to phishable user registration processes and account recovery methods, which creates many opportunities throughout the user lifecycle for a phishing attack to take hold.
Phishable multi-factor authentication security measures (such as SMS-based OTPs and push notifications) are insufficient against sophisticated phishing tactics, as is a heavy reliance on user education. Therefore, organizations must equip users with authentication methods that provide phishing resistance regardless of the business scenario, platform, or device they use.
The only effective way to eliminate phishing from a company's threat landscape is to ensure that every user and process within the business is phishing-resistant. In practice, this means using secure authentication that moves seamlessly with users across all devices, platforms, and services, which is essential in today's fast-paced digital environment.
Phishing resistance in registration, authentication, and recovery processes is vital for cultivating phishing-resistant users, and this begins and ends with deploying high-assurance modern hardware security keys, such as YubiKeys.
What costs are involved in delivering phishing-resistant users?
GS: While there is an expense associated with phishing-resistant authentication, it is an investment in protection from inevitable cyber-attacks that will occur and the impacts they will have without the tools in place.
Cyber-attacks resulting from phishing are the most common form of attack businesses face today, and the costs of successful ones are crippling, both in lost sensitive data and downtime.
Major tech companies like Microsoft, Apple, and Google also offer alternatives, such as syncable passkeys and passwordless authentication options – but these are limited to selected applications and services, and offer lower assurance security than device-bound passkeys, such as individual YubiKeys that cost as little as US$25 each.