Resolve to be cyber resilient: Moving on from legacy MFA in energy and natural resources

Every November, Critical Infrastructure Security and Resilience (CISR) Month focuses on education about the vital role critical infrastructure plays in the nation’s well-being. Led by the Cybersecurity and Infrastructure Security Agency (CISA), the conversation centers on why it’s important to strengthen critical infrastructure security and resilience.

One of the critical infrastructures, energy and natural resources, is currently ranked fourth on a list of industries experiencing the most cyber attacks globally and is ranked first among US industries. With the threat continuing to increase, the time is now to rethink the relationship to cybersecurity and the tools that are used to stay secure. In response, energy and natural resource organizations are looking to reimagine multi-factor authentication (MFA) with a form factor that supports both personal identity verification (PIV) and modern FIDO2 authentication standards.

The challenges with legacy MFA

With over 70% of data breaches caused by stolen credentials such as passwords, it’s critical that organizations in the industry adopt modern phishing-resistant MFA to secure critical IT and OT environments, while ensuring compliance with new and evolving regulations. Implementing MFA can be a strong first line of defense against modern cyber threats – but it’s important to understand that not all forms of MFA are equal.

Legacy authentication methods such as SMS, one-time passcodes (OTP), and push notifications are highly susceptible to modern phishing attacks, malware, SIM swaps, and man-in-the-middle (MiTM) attacks. In addition to poor security, legacy MFA provides poor user experiences, low portability, and a lack of scalability, which can result in MFA gaps, low user adoption, and an increased risk of a breach.

In today’s tech-driven energy sector, tools and data are as widely distributed as the energy sources. Faced with these risks and challenges, many energy companies, and the industry as a whole, are seeking ways to stay secure against malicious actors. Many operators have already switched to phishing-resistant MFA, and more will follow as the energy sector continues to adapt to evolving cyber threats.

Strengthening phishing-resistant MFA strategy

Given the rise and sophistication of cyber attacks, there is a need for phishing-resistant MFA, which involves PIV/Smart Card, modern FIDO2 or WebAuthn passkey authentication. The good news is that the energy sector is already ahead of the game due to Smart Card adoption.

Smart Cards have been one of the most trusted and proven implementations of MFA for over 20 years, and are often relied upon as the standard for authentication by energy companies. PIV Smart Cards qualify as phishing-resistant MFA because even if someone manages to steal credentials, they would still need the card itself to gain access. Today, Smart Cards come in many form factors, from a credit card size that fits in your wallet to a hardware security key that fits on your keychain.

There’s only one challenge: the typical credit card-shaped Smart Card hasn’t historically worked well on mobile devices without additional hardware and software.

PIV-enabled YubiKeys are the answer

Moving forward, the energy sector needs an authentication solution that provides the highest protection against phishing and unauthorized account access, combining FIDO and PIV to provide full phishing-resistant coverage. With the portability and multi-protocol support offered by Yubico’s YubiKeys, it’s now possible to use any PIV-enabled YubiKey on any supported mobile device as a certificate-based Smart Card.

As a form of phishing-resistant MFA, YubiKeys are compatible with a wide range of devices and your favorite products, services, and business-critical applications. Providing a scalable way to handle secure authentication and a streamlined way to access accounts, YubiKeys strike an elusive balance between security and productivity.

YubiKeys support FIDO2 authentication – which is quickly becoming the standard after Google, Microsoft, Apple, and CISA have given enthusiastic support – and PIV authentication protocols at the same time. As a creator and core contributor to the FIDO2, WebAuthn, and FIDO Universal 2nd Factor (U2F) open authentication standards, Yubico is excited about continuing to pioneer phishing-resistant hardware authentication throughout the energy industry.

Take a deep dive into why YubiKeys are the ideal solution for the energy and natural resources sectors and learn what it takes to get started – including a step-by-step process to ensure a seamless adoption – in our new guide here.
