The vast majority of all cyberattacks start with stolen login passwords or other credentials. In a world that is moving to the cloud, our work, personal and government communication systems have become more accessible and more vulnerable to anyone on the internet. Of all the different cyberattacks, credential phishing is by far the largest problem, and the key to protecting yourself against these threats is understanding what the guidance means.
At Yubico, we want to provide you with the tools you need to be protected – including sharing a guide to phishing-resistant multi-factor authentication (MFA). The security industry is infamous for its “alphabet soup” of acronyms and complex technical tools, and the world of MFA is no exception. It can be daunting to make sense of it all, but once you break down all the terms and types of MFA into common-sense categories – it’s easier to understand than you probably think.
The federal government has become increasingly vocal in urging companies to adopt a robust authentication process. From President Biden’s executive order on cybersecurity last year (and another urgent statement this year), to the Office of Management and Budget’s (OMB) plan to develop a Zero Trust Strategy for phishing-resistant MFA for public agencies, and the Cybersecurity and Infrastructure Security Agency’s (CISA) recent statement and Shields Up program, the time is now to protect against cybersecurity threats and ensure you understand all of the MFA terminology.
Below is a summary of important terms to help your organization on its way. This includes a list of key authentication terms and their definitions, as well as popular authentication and MFA tools. We’ve also outlined the pitfalls of passwords and the important steps toward a passwordless authentication future in a digestible video here.
MFA terminology: What is the definition of 2FA, MFA and phishing-resistant MFA?
- Two-factor authentication, or 2FA
- 2FA is a method to confirm a user’s claimed online identity by using a combination of two different types of factors. Sometimes you will see this called “two-step verification,” but 2FA is the acronym in use. Factors used for 2FA include something you know (e.g. a password or PIN), something you have (e.g. a security key or phone), or something you are (e.g. facial recognition).
- Multi-factor authentication, or MFA
- MFA requires two or more ways to sign into an account, using multiple pieces of evidence, or factors, to log in. The various types of MFA include SMS-based OTPs, mobile apps, biometrics, magnetic stripe cards, smart cards, and physical security keys.
- Phishing
- Phishing is when a person is tricked into sharing their personal information, like usernames, passwords, and credit cards, with a third party whose intent is to take over the user’s account. 59% of phishing attacks are financially motivated.
- Phishing-resistant MFA
- Phishing-resistant MFA refers to an authentication process that is immune to attackers intercepting access information or tricking users into revealing it. Commonly used MFA implementations featuring passwords, SMS and other One-Time Passwords (OTP), security questions, and even mobile push notifications are not phishing resistant, as they are all susceptible to one or both of these types of attack. The process also requires that each party provide evidence of its validity and of its intent to initiate the authentication. According to a recent memo released by the United States Office of Management and Budget (page 7), phishing-resistant MFA is defined as two authentication technologies – the Federal Government’s Personal Identity Verification (PIV)/Smart Card and modern FIDO/WebAuthn.
What are the most common terms used in the world of authentication and MFA?
- Authenticator App
- An authenticator app adds a layer of security for online accounts by generating a time-based one-time passcode (TOTP) on a mobile or desktop device. The TOTP approach is adopted by a large number of authenticator apps designed to add a second layer of security. An example is the Yubico Authenticator, the safest authenticator app experience across mobile and desktop. Even though authenticator apps are a solid second level of security, they still can’t reach the same level of security as phishing-resistant MFA.
- Biometrics
- Biometrics are physical or behavioral human characteristics that can be used to digitally identify a person to grant access to systems, devices or data. Examples of these biometric identifiers are fingerprints, facial patterns, voice or typing cadence. Once biometric data is captured (on a security key, for example), a template is saved so it can be used in the future to authenticate to a device or application. Though biometrics are considered a secure form of 2FA, they are still susceptible to cyberattacks – we’ve seen massive biometric databases stolen in recent cyberattacks like Lapsus$.
- FIDO CTAP1
- FIDO refers to the FIDO Alliance, an open industry association launched in 2013 with a mission to develop and promote authentication standards that move beyond simple passwords. Yubico is a FIDO Alliance board member, and an author and developer of FIDO standards. CTAP1 refers to the Client to Authenticator Protocol, which enables an external and portable authenticator (such as a hardware security key) to work with a client platform (e.g. a computer). U2F (see definition below) is part of FIDO’s CTAP1 and CTAP2 protocols.
- FIDO CTAP2
- An authenticator that uses CTAP2 is called a FIDO2 authenticator (also called a WebAuthn authenticator). If that authenticator implements CTAP1/U2F as well, it is backward compatible with U2F. A YubiKey 5 Series security key can support both CTAP 1 and CTAP 2 which means it can support both U2F and FIDO2 and deliver strong single-factor (passwordless), strong two-factor and strong multi-factor authentication.
- One-Time Password (OTP)
- A one-time password (or passcode) is valid for only one login session or transaction. An OTP is typically sent via SMS to a mobile phone, and is frequently used as part of a 2FA process. NIST, a federal standards agency, recently called out SMS as a weak form of 2FA and encourages other approaches for modern MFA.
- Passkeys
- Because WebAuthn/FIDO credentials can ultimately replace passwords, the industry has introduced the term “Passkeys” to easily refer to any WebAuthn/FIDO credential, whether it is on a security key, bound to your device’s hardware, or even just stored in files on your device that are copied around by a cloud provider. These additional options will help more sites adopt WebAuthn/FIDO – benefiting everyone, regardless of whether they’re using copyable, multi-device Passkeys or stronger solutions like YubiKeys, where Passkeys are bound to the YubiKey hardware. For reference, we recently detailed Passkeys and what they mean for the industry in a blog post here.
- Passwords
- You know what these are and it’s not an acronym… but it’s worth mentioning that what we thought about passwords 10 or 15 or even 30 years ago does not apply today. The consensus used to be that if we just made passwords more complex or rotated them regularly, they could be more secure. Today we understand that a password provides the lowest level of security and is extremely vulnerable to phishing attacks or other ways of stealing credentials.
- Passwordless
- Passwordless refers to passwordless authentication or login, which represents a massive shift in how billions of users, both business and consumer, will be able to securely log in to their critical resources and systems. The user can simply authenticate using a passwordless device, such as a FIDO2-based hardware security key or a smart card personal identity verification (PIV) credential, to verify their credentials with the application or system.
- PIV Smart Card
- A Personal Identity Verification credential is a U.S. federal government credential used to access federally controlled facilities and information systems at the appropriate security level. You will often hear these called “smart cards” because they are physical cards with an embedded integrated chip which acts as a security token employees use to log in to workstations or other points of access. Hardware security keys can also act as a smart card with simplified deployment. CAC is another alphabet soup ingredient that refers to a Common Access Card. This is really the same concept as PIV but is used by Department of Defense employees and contractors. As mentioned, the OMB memo refers to PIV and CAC as “phishing-resistant approaches to MFA that can defend against increasingly sophisticated attacks.”
- Push Authentication
- Push authentication is a mobile authentication method, where a provider sends a user a notification to their phone. The recipient then approves or denies the request.
- Security Key
- Yubico reinvented hardware authentication with the YubiKey and Security Key form factors, which support multiple authentication protocols and are single-purpose hardware devices for authentication, controlled by the end user. The Security Key enables FIDO authentication across platforms, browsers and applications. They are the strongest authentication for any U2F and WebAuthn/FIDO2 compatible service, and give the choice of strong single-factor (passwordless), 2FA or MFA. YubiKeys support even broader authentication options, including FIDO, PIV, TOTP, OpenPGP, and more.
- Universal 2nd Factor (U2F)
- Universal 2nd Factor was co-created by Yubico, Google, and NXP in 2012, and contributed to the FIDO Alliance after it was successfully deployed for Google employees. The protocol is designed to act as a second factor to strengthen existing username/password-based login flows. It’s built on Yubico’s invention of a scalable public-key model in which a new key pair is generated for each service and an unlimited number of services can be supported, all while maintaining full separation between them to preserve privacy.
- WebAuthn
- This is a new W3C global standard for secure authentication on the Web, supported by all leading browsers and platforms. WebAuthn makes it easy to offer users a choice of authenticators to protect their accounts, including external/portable authenticators such as hardware security keys, and built-in platform authenticators such as biometric sensors.
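The U2F and WebAuthn entries above describe a per-service key pair, and the phishing-resistant MFA entry says the result cannot be relayed through a look-alike site. The following added example (the author’s model, not Yubico’s or any browser’s code) shows the mechanism that makes both true. It keeps the three roles of a WebAuthn login: the authenticator holds one ECDSA P-256 key per relying party ID (rpID) and signs `sha256(rpID) || sha256(clientDataJSON)`; the client (browser) will only use a credential when the rpID matches the origin it is actually showing, and it writes that origin into the signed client data itself; the relying party checks challenge, origin and signature. The simplifications are assumptions for readability: real authenticator data also carries flags and a signature counter and is CBOR/ASN.1 encoded, and a real relying party stores credential IDs per user. The origins `example.com` and `examp1e.com` are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// clientData models WebAuthn's clientDataJSON. The browser, not the web page,
// fills in the origin, so the signed data always names the site actually visited.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models a security key: a fresh key pair per rpID, as in U2F,
// so no two sites share a key and there is no reusable secret to phish.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates the per-site key pair and hands back only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedDigest is what both sides hash: sha256(rpID) followed by sha256(clientDataJSON).
func signedDigest(rpID string, cdJSON []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return d[:]
}

// Assert signs with the key scoped to rpID; a site with no credential gets nothing.
func (a *Authenticator) Assert(rpID string, cdJSON []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for rpID %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, cdJSON))
}

// clientGet models the browser: it uses a credential only when rpID is the origin's
// host or a registrable suffix of it, and it records the real origin in clientData.
func clientGet(auth *Authenticator, origin, rpID, challenge string) (cdJSON, sig []byte, err error) {
	u, err := url.Parse(origin)
	if err != nil {
		return nil, nil, err
	}
	host := u.Hostname()
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, nil, fmt.Errorf("rpID %q is not valid for origin %q", rpID, origin)
	}
	cdJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	sig, err = auth.Assert(rpID, cdJSON)
	return cdJSON, sig, err
}

// RelyingParty is the server: it keeps the public key and the outstanding challenge.
type RelyingParty struct {
	RPID, Origin, Challenge string
	Pub                     *ecdsa.PublicKey
}

// IssueChallenge returns a fresh random challenge, valid for exactly one login.
func (rp *RelyingParty) IssueChallenge() string {
	var b [32]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	rp.Challenge = base64.RawURLEncoding.EncodeToString(b[:])
	return rp.Challenge
}

// Verify checks challenge, origin and signature; the rpID hash is folded into the digest.
func (rp *RelyingParty) Verify(cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || rp.Challenge == "" || cd.Challenge != rp.Challenge {
		return errors.New("challenge mismatch or replay")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("assertion came from origin %q, expected %q", cd.Origin, rp.Origin)
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedDigest(rp.RPID, cdJSON), sig) {
		return errors.New("signature does not verify under this site's key")
	}
	rp.Challenge = "" // consume the challenge so the assertion cannot be replayed
	return nil
}

func main() {
	key := NewAuthenticator()
	rp := &RelyingParty{RPID: "example.com", Origin: "https://example.com"}
	rp.Pub, _ = key.Register(rp.RPID)
	cd, sig, err := clientGet(key, rp.Origin, rp.RPID, rp.IssueChallenge())
	fmt.Println("genuine site: client error =", err, "; server verdict =", rp.Verify(cd, sig))
	_, _, err = clientGet(key, "https://examp1e.com", rp.RPID, rp.IssueChallenge())
	fmt.Println("look-alike site relaying the same kind of request:", err)
}
```

The defensive point is that no user decision is involved: the browser refuses before the user can be tricked, and even a compromised client that asked for the look-alike's own rpID would find no key for it on the authenticator. Compare this with the TOTP case, where the code is valid wherever it is typed.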
What are the best authentication options?
In the sections above, we mentioned several 2FA and MFA methods. Unfortunately, they aren’t all created equal. Most basic authentication methods are insecure – SMS, one-time passwords, and even mobile push authenticators are susceptible to account takeovers from phishing, social engineering, and person-in-the-middle attacks.
Take action today: Implement modern phishing-resistant MFA
While of course any form of authentication or MFA is better than none, the clear winner when it comes to protecting your digital life is deploying phishing-resistant MFA – specifically PIV/smart card and WebAuthn/FIDO, both of which are supported in the YubiKey.
Want an app or service that you’re using to increase your options for MFA? Tell them!
To learn more about other security terms that may be puzzling, visit Yubico’s Cybersecurity Glossary. Additionally, you can register to attend our upcoming webinars on May 5 and May 24, where we will dive even deeper into defining phishing-resistant MFA.