Phishing-resistant multi-factor authentication (MFA)
Authenticate in seconds from anywhere, anytime, on any device.
Not all MFA is created equal
While MFA can be a strong first line of defense, not all forms of MFA are created equal. Legacy authentication such as usernames and passwords can be easily hacked, and mobile-based authentication such as SMS, OTP codes, and push notifications is highly susceptible to modern phishing attacks, malware, SIM swaps, and man-in-the-middle (MiTM) attacks.
Additionally, there are almost always edge cases of employees who can’t, don’t, or won’t use mobile authentication. Not only can there be low cell coverage in certain geographic areas, but employees also may not want to use personal devices for work, or may not want to allow admin access to their devices. There may also be union restrictions or compliance requirements, and some employees may not be able to use a smartphone at all. If the fallback option is usernames and passwords, this makes the organization even more vulnerable to phishing and account takeovers.
What is phishing-resistant MFA?
Phishing-resistant MFA processes rely on cryptographic verification between devices or between the device and a domain, making them immune to attempts to compromise or subvert the authentication process. According to the NIST Special Publication (SP) 800-63 and Draft 800-63-4, two forms of authentication currently meet the mark for phishing-resistant MFA: PIV/Smart Card and the modern FIDO2/WebAuthn authentication standard.
YubiKey offers phishing-resistant MFA
Yubico offers the phishing-resistant YubiKey for modern, multi-factor and passwordless authentication. YubiKeys support multiple protocols including Smart Card and FIDO, offering true phishing-resistant MFA at scale, helping organizations bridge from legacy to modern authentication.
YubiKeys are also simple to deploy and use—users can authenticate with a single tap or touch of the YubiKey. YubiKeys also don’t require batteries, have no breakable screens, don’t need a cellular connection, and are water-resistant and crush-resistant. With the YubiKey, organizations of all sizes can protect employees against modern cyber threats while driving high productivity, offering ease of use, and minimizing costs related to help desk password resets.
What makes the YubiKey phishing resistant?
Hardware-backed public key cryptography
YubiKeys use secure public key cryptographic technology to generate unique public and private key pairs for each service. The private keys are stored securely on the YubiKey, making them hardware-bound and non-copyable, unlike legacy MFA.
Proof of user presence
Logging into a service with a YubiKey requires the user to touch or tap the key to authenticate. The touch sensor on the YubiKey verifies that the user is a real human and that the authentication is done with real intent. This prevents remote attacks that can easily bypass software-based MFA.
Once you register your YubiKey to a service, it is bound to that specific URL, and the registered credential cannot be used to log in to a fake website. This means that even if a user is tricked into clicking a link that takes them to a fake website, the YubiKey is never fooled, so the phishing attempt is thwarted!
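The server-side checks that make a FIDO2/WebAuthn assertion origin-bound, as an added example that is not Yubico's code or part of the original page. It simplifies by letting one object stand in for both browser and authenticator, and the names `makeAuthenticator`, `verifyAssertion`, `demo` and the `.example` origins are assumptions made for illustration. A real authenticator would also hold no credential for the look-alike rpId in the first place.

```javascript
// Added example (not Yubico code). One object stands in for browser + authenticator;
// names, origins and the in-memory key are constructed for illustration.
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKey,
    // origin and rpId are reported by the browser, never chosen by page script.
    getAssertion({ origin, rpId, challenge }) {
      const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
      // authenticatorData = SHA-256(rpId) || flags (bit 0: user present) || signCount
      const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
      const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
      return { clientDataJSON, authenticatorData, signature: crypto.sign("sha256", signed, privateKey) };
    },
  };
}

// Relying-party checks for one registered credential; returns "ok" or the failed check.
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, expected) {
  const clientData = JSON.parse(clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return "bad-type";
  if (clientData.challenge !== expected.challenge) return "bad-challenge";
  if (clientData.origin !== expected.origin) return "origin-mismatch";
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpid-mismatch";
  if ((authenticatorData[32] & 0x01) === 0) return "user-not-present";
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, expected.publicKey, signature) ? "ok" : "bad-signature";
}

function demo() {
  const key = makeAuthenticator();
  const challenge = crypto.randomBytes(32).toString("base64url");
  const expected = { origin: "https://login.corp.example", rpId: "login.corp.example",
                     challenge, publicKey: key.publicKey };
  const genuine = key.getAssertion({ ...expected });
  // User lands on a look-alike site that relays the real challenge.
  const relayed = key.getAssertion({ origin: "https://login.corp-sso.example",
                                     rpId: "login.corp-sso.example", challenge });
  // The relay rewrites both structures to name the real site; the signature no longer covers them.
  const rewritten = { ...genuine, signature: relayed.signature };
  return [genuine, relayed, rewritten].map((a) => verifyAssertion(a, expected));
}
```

`demo()` returns the verdicts for the genuine login, the relayed assertion and the rewritten one, in that order.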
No shared secrets across apps
YubiKeys authenticate through the FIDO open standard, enabling access to thousands of applications and services, providing high security and privacy at scale, across both work and personal lives. A single key can be used to authenticate across any number of applications and services with no shared secrets, ensuring complete protection.
Risk reduction, business growth, and efficiency enabled by YubiKeys
A recent Forrester Consulting Total Economic Impact™ (TEI) study commissioned by Yubico found that a composite organization representative of interviewed customers who use YubiKeys reduced risk of successful phishing and credential theft attacks by 99.9%, saw a drop in password-related helpdesk tickets by 75%, and experienced a 203% 3-year ROI with YubiKeys.