An Unexpected Endorsement for WebAuthn
Okta Security endorses phishing resistant authentication at every opportunity.
We’ve long argued enrolling users in Okta FastPass, FIDO2 WebAuthn authenticators or Smart Cards, and enforcing phishing resistant authentication flows will:
- Protect users against real-time phishing proxies and other forms of session hijacking.
- Solve for far more attacks than simply adding Number Challenge to Push notifications to defeat MFA Fatigue.
- Offer detection opportunities via System Log and the automation of phishing remediation, identifying potential account takeovers and preventing future attacks in a few seconds.
- Provide a superior user experience, without any adverse impacts on enrolment duration or failure rates.
But don’t take our word for it.
The SMS below was recently sent by a prolific threat actor attempting to convince users at a large tech company to click through to a phishing kit:
That’s probably the best endorsement for enforcing phishing-resistant sign-in yet!
Enforcement is everything
Celebrity endorsements aside, this is a story about enforcement.
Step one to thwarting phishing attacks is to require users to enroll in strong authenticators. Users required to enroll in Okta FastPass or FIDO2 WebAuthn can authenticate to just about any app that requires two distinct factors. Independently, each of these two authenticators can each satisfy possession and inherence factors in 2-3 seconds.
But that’s not where the task ends.
As this crafty lure demonstrates, Step two is to enforce phishing resistance in policy, as seen in the screenshot below. Social engineers may otherwise convince users to accept a lower assurance authenticator (passwords, OTPs, push notifications), on the chance that those sign-in methods satisfy policy requirements.
This lure also demonstrates why a little redundancy can go a long way.
We recommend requiring users to enroll in both Okta FastPass and FIDO2 WebAuthn (rather than FastPass “or” FIDO2), as well as enforcing phishing resistance.
That might sound like overkill: both authenticators would prevent the user from compromise, and both can be configured to satisfy two factors in one gesture. So why have both enrolled?
If a threat actor did manage to convince a user to unplug their security key, the tricked user would still be able to sign-in to your organization using FastPass - just not via the attacker’s proxy! And as an added bonus, it may ease the pain on support teams if users are prone to misplacing their security keys.