Resolve to be cyber resilient: Moving on from legacy MFA in energy and natural resources

Every November, Critical Infrastructure Security and Resilience (CISR) Month focuses on education about the vital role critical infrastructure plays in the nation’s well-being. Led by the Cybersecurity and Infrastructure Security Agency (CISA), the conversation centers on why it’s important to strengthen critical infrastructure security and resilience.

One of the critical infrastructures, energy and natural resources, is currently ranked fourth on a list of industries experiencing the most cyber attacks globally and is ranked first among US industries. With the threat continuing to increase, the time is now to rethink the relationship to cybersecurity and the tools that are used to stay secure. In response, energy and natural resource organizations are looking to reimagine multi-factor authentication (MFA) with a form factor that supports both personal identity verification (PIV) and modern FIDO2 authentication standards.

The challenges with legacy MFA

With over 70% of data breaches caused by stolen credentials such as passwords, it’s critical that organizations in the industry adopt modern phishing-resistant MFA to secure critical IT and OT environments, while ensuring compliance with new and evolving regulations. Implementing MFA can be a strong first line of defense against modern cyber threats, but it’s important to understand that not all forms of MFA are equal.

Legacy authentication methods such as SMS, one-time passcodes (OTP), and push notifications are highly susceptible to modern phishing attacks, malware, SIM swaps, and man-in-the-middle (MiTM) attacks. In addition to poor security, legacy MFA provides poor user experiences, low portability, and a lack of scalability, which can result in MFA gaps, low user adoption, and an increased risk of a breach.

In today’s tech-driven energy sector, tools and data are as widely distributed as the energy sources. Faced with these risks and challenges, many energy companies, and the industry as a whole, are seeking ways to stay secure against malicious actors. Many operators have already switched to phishing-resistant MFA, and more will follow as the energy sector continues to adapt to evolving cyber threats.

Strengthening phishing-resistant MFA strategy

Given the rise and sophistication of cyber attacks, there is a need for phishing-resistant MFA, which involves PIV/Smart Card, modern FIDO2, or WebAuthn passkey authentication. The good news is that the energy sector is already ahead of the game due to Smart Card adoption.

Smart Cards have been one of the most trusted and proven implementations of MFA for over 20 years, and are often relied upon as the standard for authentication by energy companies. PIV Smart Cards qualify as phishing-resistant MFA because even if someone manages to steal credentials, they would still need the card to gain access. Today, Smart Cards come in many form factors, from a credit card size that fits in your wallet to a hardware security key that fits on your keychain.

There’s only one challenge: the typical credit card-shaped Smart Card hasn’t historically worked well on mobile devices without additional hardware and software.

PIV-enabled YubiKeys are the answer

Moving forward, the energy sector needs an authentication solution that provides the highest protection against phishing and unauthorized account access, combining FIDO and PIV to provide full phishing-resistant coverage. With the portability and multi-protocol support offered by Yubico’s YubiKeys, it’s now possible to use any PIV-enabled YubiKey on any supported mobile device as a certificate-based Smart Card.

As a form of phishing-resistant MFA, YubiKeys are compatible with a wide range of devices and your favorite products, services, and business-critical applications. Providing a scalable way to handle secure authentication and a streamlined way to access accounts, YubiKeys strike an elusive balance between security and productivity.

YubiKeys support FIDO2 authentication – which is quickly becoming the standard after Google, Microsoft, Apple, and CISA have given enthusiastic support – and PIV authentication protocols at the same time. As a creator and core contributor to the FIDO2, WebAuthn, and FIDO Universal 2nd Factor (U2F) open authentication standards, Yubico is excited about continuing to pioneer phishing-resistant hardware authentication throughout the energy industry.

Take a deep dive into why YubiKeys are the ideal solution for the energy and natural resources sectors and learn what it takes to get started – including a step-by-step process to ensure a seamless adoption – in our new guide here.
