Phishing Resistant Authentication
This article was created by generative AI and some human love based on the transcript of video https://youtu.be/Rzt30uytQs4.
I want to quickly go over what phishing-resistant authentication is. You hear about it a lot, so I thought it made sense to explain what it is and why it's required.
Most of us know that passwords are considered bad because they're a network secret: they work from any device that authenticates against the identity provider where the account exists. For example, I, as a user, have my unique password. I have my machine or machines, and on those I can type in my username and password and get authenticated, which is fantastic. However, it's just a word or a phrase, a sequence of characters.
Imagine there are lots of other machines that use the same identity provider. They could be in my company, scattered around, or some cloud service; it might be that I'm using a VPN. If a bad actor finds out my password, or even if they don't know it but want to guess, they might try a list of common passwords against all these systems.
Now, imagine me as a user. Hopefully, I use unique passwords for every service, but you probably don't. So there's another company, maybe a SaaS solution you leverage, and you have a different account there. Because your memory isn't great, you use the same password. If that service gets hacked and the attackers obtain a list of passwords, maybe bought on the dark web, they can try the leaked password elsewhere. Since there's no direct correlation between me and the machine I use this network secret on, they can use it against any of these machines. That's a bad thing.
This is where multi-factor authentication (MFA) comes in. The goal of MFA, as the name suggests, is to use multiple types of authentication. When I think of MFA, I'm thinking of at least two factors: something I know (like a PIN or password), something I have (like a phone, token, smart card, or PC with a TPM), or something I am (like biometrics—facial scan or fingerprint). With MFA, I want at least two of these to authenticate. If just my password is leaked, that's not enough. We might enter our password and then get a text message with a code to complete the authentication. Maybe we use a physical token or an app on our phone.
There are many types of MFA. For example, in Entra there are different authentication strengths. The built-in MFA strength has seventeen options out of the box, including Hello for Business, passkeys, certificate-based authentication, Microsoft Authenticator, temporary access passes, password plus SMS, and password plus voice.
Realize that SMS is better than just a password, but it is prone to SIM attacks such as SIM swapping. Text messages might also show up on other devices, so your kid at school might see your codes. We try to get stronger authentication, but some of the methods I just described are still prone to users being tricked.
Consider the sequence of actions in the methods where the user enters a code they received: they're prone to phishing. Imagine a bad actor trying to authenticate and getting a challenge. They use social engineering, calling the user: "Hey, I'm from your IT help desk. We've seen malicious use of your account." They introduce panic, and the user, wanting to comply, reads out the code. The bad actor logs in as the user. The user was phished.
The problem was the human in the middle. There was no direct communication between the devices performing the validation and the machine being authenticated. Phishing-resistant authentication introduces a proximity requirement between the device and the object performing strong authentication. It removes the user from the communication flow.
For example, your phone might need to establish a Bluetooth connection to the device, or use near-field communication (NFC). It could be a USB dongle or a smart card. The TPM is in the PC. This proximity element means you can't authenticate something remote without that proximity. The bad actor is far away, so they can't be within Bluetooth range or insert a dongle.
Phishing-resistant MFA includes Hello for Business (a TPM in the machine), passkeys (a FIDO2 USB key or a phone with a Bluetooth connection), or certificate-based smart cards. All require proximity.
This is phishing-resistant authentication. It's not bulletproof; there are still other attack vectors. Users can still be tricked into installing bad software or clicking bad links. We add layers of protection: monitoring software installations, checking whether a device is jailbroken, and verifying links and QR codes.
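To make the difference concrete, here is a small simulation I've added (it is not code from the article or the video) of the help-desk scenario above. The constructed `Verifier` plays the identity provider, `authenticator_respond` plays the user's key/TPM/phone, and HMAC stands in for the asymmetric signature a real authenticator would produce; the session names are made up for the example. A relayed SMS code lets the attacker's login succeed, while the only response the user's authenticator can ever produce is bound to the user's own challenge, so relaying it to the attacker's session fails.

```python
import hashlib
import hmac
import secrets

# Constructed for this simulation: key material that never leaves the user's
# authenticator (TPM, FIDO2 key, phone). HMAC stands in for the asymmetric
# signature a real authenticator would produce.
DEVICE_SECRET = secrets.token_bytes(32)

class Verifier:
    """The identity provider: one random challenge per login session."""
    def __init__(self):
        self.challenges, self.sms_codes = {}, {}

    def start_login(self, session):
        self.challenges[session] = secrets.token_hex(16)
        return self.challenges[session]

    # Code-based MFA: a short code sent out-of-band to the user's phone.
    # Nothing ties it to the machine that requested the login.
    def send_sms(self, session):
        self.sms_codes[session] = f"{secrets.randbelow(10**6):06d}"
        return self.sms_codes[session]

    def check_sms(self, session, code):
        return hmac.compare_digest(self.sms_codes[session], code)

    # Phishing-resistant MFA: a response bound to this session's challenge,
    # computed by a device physically attached to the requesting machine.
    def check_assertion(self, session, tag):
        msg = self.challenges[session].encode()
        expected = hmac.new(DEVICE_SECRET, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)

def authenticator_respond(challenge):
    """The user's key/TPM/phone: answers only challenges from its local client."""
    return hmac.new(DEVICE_SECRET, challenge.encode(), hashlib.sha256).hexdigest()

def phish_sms_code(idp):
    """Attacker starts a login; the 'help desk' call gets the user to read the code."""
    idp.start_login("attacker-session")
    relayed = idp.send_sms("attacker-session")  # lands on the user's phone, read aloud
    return idp.check_sms("attacker-session", relayed)

def phish_assertion(idp):
    """Same call, but all the user can hand over is bound to their own session."""
    idp.start_login("attacker-session")          # challenge exists only in the attacker's browser
    user_chal = idp.start_login("user-session")  # the user's own login on the user's own PC
    relayed = authenticator_respond(user_chal)   # the only response the user can produce
    return idp.check_assertion("attacker-session", relayed)
```

The honest path still works: passing the local session's own challenge to `authenticator_respond` and checking it against that same session verifies, which is exactly the proximity requirement the article describes.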
This is the big deal with phishing-resistant authentication: adding the requirement of proximity so users can't be tricked into authenticating a remote bad actor.
I hope that was useful. Until the next article, take care!
Senior Engineer - Match Group LLC
15 hours ago
Very informative
Cloud Support Specialist at NEH ICT Solutions B.V.
1 week
Very clear explanation! Thanks John
ISFS ISO-27001 | SC-900 | IBM Cyber Threat Intelligence | Senior Identity Architecture Consultant
1 week
Very helpful John Savill, congratulations
Senior Security Program Manager | Leading Cybersecurity Initiatives | Driving Strategic Security Solutions | Cybersecurity Excellence | Cloud Security
1 week
Phishing-resistant authentication is indeed crucial in today's digital landscape, and it's essential for us to stay ahead of these threats. John Savill
Transformational Global Technology Leader | Head of QA | VP, Director of Quality Assurance | CTO
1 week
Do you have a video on Cloud PKI for Entra ID-only tenants?