RIP Passwords

Let's Standardize on Phishing-Resistant MFA

Mark Vlcek. Posted: April 29, 2024

At ZeroVuln, we believe passwords are finally moving closer to becoming obsolete, and for good reason. Relying solely on passwords for user authentication is proving to be ineffective in providing even basic security or a dependable means of verifying someone's true identity. With the rise of data breaches and phishing scams, password-based authentication is no longer sufficient to protect user accounts and sensitive data. In this blog post, we'll explain why passwords are losing their relevance and highlight the significance of embracing more advanced, contemporary authentication methods.

Single-Factor Authentication is Inadequate

Passwords as a single factor of authentication are simply not sufficient to protect sensitive information. They can be compromised through brute-force attacks, keyloggers, phishing, or social engineering. Furthermore, users tend to reuse passwords across multiple accounts, creating a domino effect in which a single breach can lead to multiple compromised accounts. Because people reuse passwords so frequently and across so many different websites, it becomes nearly impossible for them to recall everywhere they may have reused a password, making it a herculean task to reset it on every possibly affected site before it’s too late.

The Rise of FIDO2

To address these security concerns, FIDO2 (Fast IDentity Online 2) has emerged as a worthy successor. FIDO2 is an open standard that aims to replace passwords with more secure forms of authentication. By leveraging public-key cryptography, FIDO2 provides strong phishing-resistant multi-factor authentication (MFA) options that help ensure the identity of users. It even offers a method of replacing passwords entirely (passwordless authentication)!

This passwordless experience, available as an option today, presents a reality wherein users can authenticate themselves using biometrics, such as fingerprints or facial recognition, via a device that has built-in fingerprint or facial recognition (often referred to as an “on-device” or “platform” authenticator) or by using external security keys, such as YubiKeys. Both of these potential forms of authentication are called FIDO credentials. With FIDO credentials there’s no need for a password, which is often easily stolen or guessed, leaving users with one less thing to remember or worry about while simultaneously granting them and websites a much stronger assurance that only the true user is accessing their data.

Yet another example of a FIDO credential is a passkey. Passkeys are a modern authentication method that similarly rely on public key cryptography in addition to biometrics or PIN codes to authenticate users in a phishing-resistant manner. From a user experience (UX) perspective, passkeys tend to be the most favorable of the three different types of FIDO credentials because of their ease of use. Passkeys have the ability to be portable between devices, such as a computer, a smartphone, and a tablet, and can be synced across the cloud which is how Apple and Google manage passkeys for users on more modern devices by default. The FIDO Alliance has a great FAQ on passkeys here.

One last great thing to mention about FIDO credentials, and one of the things that makes them so resistant to phishing, is that when they are used with the Web Authentication (WebAuthn) protocol, no actual credential is shared with the website; a signed challenge and a public key are sent instead. The website issues a cryptographic challenge, the challenge is signed with the private key generated as part of the FIDO credential, and the signed challenge and the public key portion of the credential are sent back to the website while the private key remains safe on the device. Even if the website or the company hosting it were compromised, no usable credential is ever stored on their systems when FIDO credentials are used.

The Importance of Phishing-Resistant MFA Factors

Phishing attacks remain a significant threat to user security as detailed in our previous blogs. These attacks trick users into disclosing their credentials or personal information by mimicking legitimate websites or services and often linking to them in convincing, fake emails and text messages. To combat this, it is crucial to adopt MFA factors that are resistant to phishing attempts.

For instance, let's consider a scenario where a user has set up MFA on their banking website or mobile app and chosen SMS, or text message, as their MFA method. Upon signing into their bank account with their username and password, the user receives an SMS message with a one-time passcode (OTP) from their bank. They, or somebody else, must then enter that code on the banking website or app to get in.

While this may seem secure on its face, there are several ways this can go bad quickly. One increasingly common way is a SIM swap scam. In this type of scam, an attacker transfers control of a user’s phone number to a phone they control instead of the user’s actual phone. Once this has been done, an attacker who also has the user’s password can successfully sign in to any account the user has reused that password on, even if the account has MFA set up using SMS.

This type of attack happens more often than you might think. Brian Krebs, a journalist and investigative reporter who focuses on cybersecurity and cyber crime, has already reported on multiple SIM swapping attacks in 2024, and reported in early 2023 that hackers claimed to have breached T-Mobile over 100 times the previous year alone and used their newfound access to perform SIM swaps for any paying customer.

Another, much simpler scenario is one in which an attacker duplicates a common online sign-in page and then convinces a user to browse to it and enter their credentials. Attackers may send thousands of phishing emails to potential victims with links to the fake sign-in page, claiming that users must reset their password or take action immediately to avoid some undesirable consequence. Users click the link and enter their credentials. At this point the attacker has the credentials and can immediately sign in to the real page with them, at which point the actual user receives their MFA code via text message (or sometimes email). The fake website then prompts the user for the MFA code; the user, unaware that they are not on the real page, enters it, and it too goes directly to the attacker, who is now happily accessing the user’s account.

Now, imagine the same scenario, but instead of an SMS OTP, the user is using a passkey as their MFA factor. In this case, even if the user falls victim to the phishing attack and enters their credentials on the fake portal, the attacker would not be able to trick the user into entering an OTP or clicking a “magic link” to complete the sign-in, nor would the fake sign-in page ever be able to prompt the user for their passkey, because the protocols that passkeys are built on only allow them to be used on the websites they were first created for.

Conclusion

Passwords as well as traditional forms of MFA, such as OTPs sent over SMS or email and push notifications, are no longer adequate. Cisco, Microsoft, and Uber all experienced breaches due to their use of these authentication and MFA approaches.

It is evident that passwords are no longer sufficient for ensuring secure user authentication. The rise of FIDO2 and the importance of phishing-resistant MFA factors highlight the need to adopt more advanced and modern methods of proving identity. By embracing these technologies and moving away from outdated password-based authentication, we can enhance the security of user accounts and protect sensitive information in an increasingly interconnected world.

Note: While it is essential to discuss the shortcomings of passwords, we also emphasize the need for strong password practices when they are still in use, as they remain a common method of authentication for many users.

Fortunately, ZeroVuln’s security team has years of experience deploying phishing-resistant access controls.

To learn how we can help you or your business migrate from using risky, single-factor passwords and traditional MFA methods to phishing-resistant, modern authentication and MFA methods, contact ZeroVuln at https://www.zerovuln.ai/company/contact or schedule a meeting at https://www.zerovuln.ai/company/schedule-now.
