Multifactor authentication (MFA) has become an essential tool for reducing the threat of account compromise due to credential theft, session hijacking and brute-force attacks. It helps overcome the risks of weak passwords by requiring two or more authentication factors before giving a user access to applications and data.
Traditional MFA typically uses push notifications or one-time passwords as a second authentication method. Because a person has to read and act on the prompt or code, these methods are vulnerable to phishing, man-in-the-middle attacks and credential stuffing. Attackers also bombard users with push notifications in a technique known as “push-bombing” until the user finally relents and approves the authentication request.
How Does Phishing-Resistant MFA Work?
These risks can be greatly reduced by removing the user from the equation and establishing a unique, trusted connection between the user’s device and an application or service. Phishing-resistant MFA does this using cryptographic methods and hardware-based security tokens. There are several ways to accomplish it, but FIDO2 is the most common.
Users of an online service that supports FIDO2 first go through a registration process. The user’s device generates a cryptographic key pair, retains the private key and registers the public key with the online service. To use the private key for authentication, the user unlocks it on the local device by entering a PIN, using a fingerprint reader or through some other simple method. Once the private key is unlocked, authentication proceeds automatically.
When the user wants to log into the service, the service sends a challenge to the user’s device. The user unlocks the private key associated with that service, the device signs the challenge with it, and the service checks the signature against the public key it registered earlier. The private key and any information about the user’s authentication method remain on the user’s device instead of on an external cloud server.
What Are the Benefits of Phishing-Resistant MFA?
Phishing-resistant MFA doesn’t rely on shared secrets that can be intercepted, and it takes the approval decision out of the user’s hands. It uses cryptographic keys and biometrics that attackers can’t easily steal or replicate, thwarting phishing attempts that rely on tricking users into revealing credentials. The cryptographic keys are scoped to a specific domain, preventing them from being used on fake or decoy websites.
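As an added illustration (not code from the original article, the FIDO Alliance or Cisco Duo), here is the registration and challenge/response exchange from the previous section together with the domain scoping described in this paragraph, reduced to its essentials in Go: the device keeps one private key per relying-party ID, signs each challenge together with a hash of the origin it is really connected to, and the service verifies with the stored public key. The relying party `login.example` and the lookalike `login-example.evil` are made-up names, and real FIDO2/WebAuthn assertions carry more fields (client data, flags, signature counter) than this model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device (private keys never leave it);
// RelyingParty is the online service (it holds only the registered public key).
type Authenticator struct{ keys map[string]ed25519.PrivateKey }
type RelyingParty struct{ ID string; Pub ed25519.PublicKey }

// signedData is what the device signs: the hash of the relying-party ID it is
// really connected to, followed by the challenge.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}
// Register creates a key pair scoped to rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a.keys[rpID] = priv
	return pub
}
// Assert signs for the origin actually in use; nil if nothing is registered there.
func (a *Authenticator) Assert(origin string, challenge []byte) []byte {
	if priv, ok := a.keys[origin]; ok {
		return ed25519.Sign(priv, signedData(origin, challenge))
	}
	return nil
}
// Verify accepts an assertion only if it was signed over this RP's own ID (not a lookalike's).
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(rp.Pub, signedData(rp.ID, challenge), sig)
}
// LoginFlow logs in at login.example, then models a lookalike phishing page relaying the challenge.
func LoginFlow(lookalike string) (genuine, relayed bool) {
	auth := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	rp := &RelyingParty{ID: "login.example", Pub: auth.Register("login.example")}
	ch := make([]byte, 32)
	rand.Read(ch) // fresh per-login challenge issued by the service
	genuine = rp.Verify(ch, auth.Assert(rp.ID, ch))
	auth.Register(lookalike) // worst case: the user enrolled at the lookalike too
	relayed = rp.Verify(ch, auth.Assert(lookalike, ch)) // signed over the wrong RP ID
	return genuine, relayed
}
func main() {
	fmt.Println(LoginFlow("login-example.evil")) // true false
}
```

The relayed assertion fails even though it is a valid signature, because the service recomputes the signed data with its own ID and the lookalike's hash does not match.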
While many MFA solutions are proprietary, the FIDO Alliance has developed a standardized authentication protocol. The specifications are compatible with a variety of authentication solutions and support a wide range of biometric devices and applications. FIDO2 can use hardware-based tokens, but it can also use the built-in biometrics on the user’s device. That makes it simpler for the user and eliminates the need to distribute and manage tokens.
How Cisco Duo Enhances Login Security
Cisco Duo uses the FIDO2 standard to provide phishing-resistant MFA. It can also require that the user’s mobile device be in physical proximity to their PC or laptop, preventing remote attackers from impersonating the user.
Today’s remote and mobile workers often access network resources using their personal devices, and network administrators typically have limited visibility into the security posture of those devices. Duo provides detailed information about every device on the network, whether corporate- or user-owned. It also collects information about users’ devices as they authenticate, automatically flagging any device that is out of date, jailbroken or otherwise out of compliance with security policies.
Duo can also be used to establish a zero-trust access model that limits data and application access to only those users who require it. A zero-trust model assumes that everyone and everything accessing network resources is a threat until their identity has been verified and validated.
IT teams can set up and manage detailed access policies in minutes through an intuitive administrator dashboard. Policies can be customized for different users, devices, locations and other contextual factors.
How Cerium Can Help
Cerium is a longtime Cisco partner with the expertise to help you take advantage of Cisco Duo. Our team can design the solution and implement Duo according to your business and security requirements. You gain phishing-resistant MFA while ensuring a streamlined user experience.