
BIO-key Blog


Ask Christopher: Mitigating the Risk of Phishing Attacks with MFA

by Christopher Perry

Hackers are a blight on the digital scenery where we all spend most of our time, and phishing attacks are one of the oldest tricks in the book. Whether it’s at work or at home, modern technology has made the digital world all but necessary. In this environment, hackers and malicious users are the bane of every admin and end-user attempting to get things done. Amid the recent pandemic, the leeches and roaches have crawled out of the woodwork while we are all forced online. Targeted attacks have increased, and the old reliable schemes have seen new play.

It comes as no surprise that many admins have started asking a well-worn question about preventing these simple, yet startlingly effective attacks from impacting as much as they do.

The Question:

“How do you stop users from falling for phishing scams?”

The Answer:

You don’t. Instead, focus primarily on mitigating the issue and combatting the overall threat.

Rewriting Human Behavior – A Futile Effort in Tech

I called hackers a blight on our digital society for one simple reason: that is the truth. These attackers prey on everything from fear to ignorance to take whatever is available, whatever the cost. For those caught in the middle – the end-users – this leads to breaches, which then lead to a host of other problems. Often, these attacks lead to a significant loss of income for both the organization and the end-user at fault.

If hackers are a blight, phishing attacks are a cancer designed exclusively to interrupt the system and break down other functions. The problem with most cancers is the same with phishing: both are almost impossible to destroy completely.

Phishing preys on human behaviors and instincts in tech as well as user ignorance. Individually, these items can be addressed with vigorous education, but that is a constant battle against a sleepless, unyielding foe. Users have shown time and time again that when push comes to shove, expediency often wins out. To the detriment of all, therein lies the problem.

Why Don’t I Just Push My Users Harder?

Some will swear by user education – and that is not a bad idea! User education is vastly important in all realms of the digital sphere. However, phishing attacks are constantly evolving and fighting back, manipulating base human behavior for results. The most aggressive end-user education won’t change human behavior on a larger scale, but that doesn’t mean administrators cannot account for that potential pitfall.

Combat Phishing with Multifactor

The days when Multifactor Authentication (MFA) was considered a significant roadblock to usability and success have long since passed. With the current state of the world, security is a high priority, and even standard end-users see MFA as a given in most digital transactions.

MFA combats phishing attacks by reducing the overall risk. MFA does not prevent users from clicking on links or accidentally revealing too much information on social media, but it does prevent attackers from making significant use of that information. With MFA in place, a compromised password or the answers to security questions will not lead to a data breach, because on their own they are simply not enough to access an account.
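To make the point above concrete, here is an added example (not BIO-key’s code and not from the original post) of a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238). The user record, password and salt are constructed for the example; the TOTP seed is the RFC 6238 test-vector secret so the generated codes can be checked against the RFC. A phished password, with no code or a guessed code, is rejected even though the password itself is correct.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credential store (not a real system): a salted password hash
# and a per-user TOTP seed. The seed is the RFC 6238 test-vector secret so the
# codes below can be checked against the RFC. A production store would use a
# slow password hash (bcrypt/argon2) and keep the seed encrypted at rest.
_SALT = b"demo-salt"
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(_SALT + b"correct horse battery staple").hexdigest(),
        "totp_secret": b"12345678901234567890",
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamic truncation, then reduce to the requested number of digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter set to
    the number of 30-second steps since the Unix epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side, to allow
    for clock drift between the server and the user's device. The comparison
    is constant-time so timing does not leak how many digits matched."""
    now = int(time.time()) if at is None else at
    counter = now // step
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


def login(username: str, password: str, otp: Optional[str],
          at: Optional[int] = None) -> bool:
    """Both factors must check out. A password captured by a phishing page
    (otp=None, or a guessed code) is rejected even when it is correct."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_hash = hashlib.sha256(_SALT + password.encode()).hexdigest()
    pw_ok = hmac.compare_digest(pw_hash, user["pw_hash"])
    otp_ok = otp is not None and verify_totp(user["totp_secret"], otp, at=at)
    # Evaluate both factors before deciding, so a failure does not reveal
    # which one was wrong.
    return pw_ok and otp_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the 6-digit code for this seed is 287082
    seed = USERS["alice"]["totp_secret"]
    print("code:", totp(seed, at=t))
    print("password only:", login("alice", "correct horse battery staple", None, at=t))
    print("password + code:", login("alice", "correct horse battery staple",
                                    totp(seed, at=t), at=t))
```

The `at` parameter pins the clock so the behaviour is reproducible; in a real deployment it is left as `None` and the server's clock is used. The example does not cover real-time phishing proxies that relay the one-time code as it is typed, which is one reason phishing-resistant factors such as FIDO2 keys and biometrics are gaining ground.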

MFA options have made leaps and bounds towards general accessibility and availability in the last few years. Today, the proper solution provides multiple methods for users and administrators to choose from – allowing another layer of convenience without sacrificing usability.

Additional Considerations

Multifactor authentication is not a magical panacea that will simply resolve the blight and erase the cancer that plagues the system. Instead, it acts as a booster to help the system fight back without fatiguing the individual members or gumming up the works.

To keep such a venture functioning smoothly, administrators must consider additional functionality to balance usability and security. Common practices include:

  • Ensure 24/7 availability to end-users.
  • Provide an MFA method free of charge.
  • Enable alternate MFA options.
  • Encourage and respond to user feedback.

Focus on User Experience and Education

End-user education is a crucial component in the success of any MFA deployment, whether it targets phishing schemes or something else. Rather than attempting to learn every new trick in the hacker’s playbook, however, this education focuses on enabling and using secure access without impacting convenience.

In many cases, MFA is a standard practice – often expected – that does not garner as much ill will as many admins fear. As an added benefit, phishing attacks and other malicious behavior are prevented from gaining any foothold in a given organization. Administrators can focus on what needs doing, and spend less time tracking down breached accounts or potentially risky behavior.
