Phishing Resistance and Why it Matters

Brett Winterford

In the wake of recent security events at Uber and Twilio, organizations are understandably interested in pivoting to authenticators that offer the most resistance to phishing attacks. So what is phishing resistance, and why does it matter?

Credential theft remains the primary means by which attackers gain unauthorized access to systems. In 2021, over 80 percent of successful attacks on web applications stemmed from credential-based attacks such as phishing, credential stuffing and password sprays. According to the not-for-profit Anti-Phishing Working Group, the first quarter of 2022 saw the highest rate of phishing attacks on record (pdf), with financial services and cloud service providers being targeted the most often.

Multi-factor authentication (MFA) remains the most effective form of protection against all forms of credential theft. MFA limits what an adversary can do with a stolen password, and creates numerous detection opportunities when an adversary attempts to bypass it.

By definition, MFA should include authenticators with more than two of the following properties:

  • something you know (a knowledge factor)
  • something you have (a possession factor)
  • something you are (an inherence factor)

There are numerous authenticators an Okta administrator can choose from to satisfy those properties in access policies. A spate of successful social engineering attacks has renewed interest in the degree to which any given authenticator is “phishing resistant”. But what exactly is phishing resistance?

Measuring resistance

Phishing resistance can be viewed in relative or absolute terms. All authenticators offer varying degrees of resistance to social engineering, as all authenticators impose costs and risks on adversaries seeking to take over an account. For example, Push authenticators offer greater resistance to static credential phishing campaigns than authenticators that rely on One Time Passwords (OTP).

Combining Push with Number Challenge, which asks the user verifying a push request to identify a number presented on the sign-in page, offers resistance to a broader set of adversary techniques including “MFA Fatigue” attacks.

But usually when somebody says “phishing resistant”, they are defining it in absolute terms and referring to authenticators that can withstand real-time, AiTM phishing attacks. This narrows the number of authentication choices significantly.

The most reliable definition for phishing resistance is maintained by the US National Institute of Standards and Technology (NIST). According to NIST, phishing resistance requires that the channel being authenticated is cryptographically bound to the output of the authenticator. In more simple terms, this means that the domain (address) of the website you are signing in to is tied to your authenticator, to ensure it won't issue your credentials to a fake phishing web page.

Several authenticators available in Okta’s platform meet this definition. Okta supports roaming FIDO2 WebAuthn authenticators (security keys) and device-bound FIDO2 WebAuthn authenticators (e.g. FaceID, TouchID, Windows Hello) and also supports the use of PIV smart cards as an “external IdP”. Depending on your deployment model, FastPass (Okta’s device-bound passwordless authenticator) also meets this definition.

But given the rate of change in operating systems, browsers and apps (not to mention the constant evolution of adversary tradecraft), it shouldn’t be left to administrators to work out what authentication flows are more or less resistant to phishing. That’s why Okta Identity Engine provides administrators the ability to create application assurance policies that can enforce phishing resistance.

In the policy above, for example, access to a particular set of applications is only allowed from a managed device using at least one authenticator that meets the NIST definition for phishing resistance. Over 1.5m Okta users have enrolled in phishing resistant authenticators like WebAuthN today. Early adopters like Figma have rolled out phishing resistant authenticators across their workforce.

Defense in depth

Irrespective of your authenticator, your access policies should assume there will be scenarios in which a phishing resistant authenticator isn’t available for a given application or for a given user. That’s why we recommend a defense-in-depth approach to phishing prevention, including:

  • Security awareness programs that teach users how to: Identify the emotive cues social engineers use to pressure users into acting abruptly; Identify suspicious variations on domains used in phishing websites; Report suspicious messages, websites or access requests to security teams.
  • Email and web filtering technologies that can identify and prevent employees from clicking on phishing emails or connecting to phishing websites.
  • Endpoint security software to protect against malware infection and identify browser-based attacks in which malware is hosted on phishing websites.
  • Authentication policies that limit access to trusted networks and trusted devices, with maximum and idle session durations based on the criticality of the application. NIST’s Authenticator Assurance Levels are a good guide:

    • AAL1 applications 30 days maximum
    • AAL2 applications: 12 hours maximum AND 30 minutes idle
    • AAL3 applications: 12 hours maximum AND 15 minutes idle
  • Detection and response programs that proactively identify phishing websites, identify anomalous login activities and provide an ability to respond to phishing campaigns in-flight.

We will provide more details on how Okta features can be incorporated into your security awareness and detection and response programs in later blog posts in this series.

Brett Winterford
Senior Director, Cybersecurity Strategy

Brett Winterford is the Senior Director of Cybersecurity Strategy at Okta. He advises policy makers, business leaders and fellow security professionals on evolving threats and opportunities to improve their security posture.Prior to Okta, Brett held a senior leadership role at Symantec, and helmed security management, research and education at Commonwealth Bank.He’s best known for his work as a security journalist. In 2020, he was the founding editor of the Srsly Risky Biz newsletter, a companion to the Risky Business podcast, providing the cybersecurity, policy, defense and intelligence communities with a weekly brief of the news that shapes cyber policy.

Prior to working as a security practitioner, Brett was the editor-in-chief of ITnews Australia and has contributed extensively to ZDNet, the Australian Financial Review and the Sydney Morning Herald.