Phishing-Resistant Multi-Factor Authentication: Why Combining Strategies May Be Your Best Option

From IC Insider Thales Trusted Cyber Technologies

By Jim Dickens, Sr. Product Manager for Authentication, CTO Office, Thales Trusted Cyber Technologies

When it comes to deploying multifactor authentication (MFA) solutions for cybersecurity, an added wrinkle is that these solutions now must be phishing-resistant, to hold off the relentless onslaught from threat actors. Unfortunately, there is no single “off-the-rack” solution to this problem. Depending on your agency’s particular needs, you may need to consider combining phishing-resistant MFA with an enhanced authentication experience.

The need for phishing-resistant MFA is clear from current reporting. According to StationX, in its report, Top Phishing Statistics for 2024: Latest Figures and Trends, the company cited that some “3.4 billion emails a day are sent by cyber criminals, designed to look like they come from trusted senders. This is over a trillion phishing emails per year.” The report noted that 36% of all breaches originate through phishing – and phishing is responsible for 45% of all ransomware attacks. Bad guys don’t break in anymore. They fool you into providing them with your credentials and then they simply log in.

In this article, we’ll build our case for why federal agencies must improve access controls. Let’s start with the Federal Zero Trust Strategy, to understand how that feeds into various MFA strategies.

Understanding the Federal Zero Trust Strategy in Regards to MFA

In May 2021, the Biden Administration introduced Executive Order 14028. In it, the White House stressed that the federal government and any companies doing business with the government must move to secure cloud services and a Zero Trust architecture. This architecture includes both multifactor authentication and encryption.

The Zero Trust Strategy places significant emphasis on stronger enterprise identity and access controls, including MFA. It prioritizes defense against sophisticated phishing, directing agencies to consolidate identity systems for better protection and monitoring—“Federal staff have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks.”

The Office of Management and Budget (OMB) Memorandum M-22-09, provided supporting guidance on Zero Trust and places significant emphasis on stronger enterprise identity and access controls, including MFA. It prioritizes defense against sophisticated phishing, directing agencies to consolidate identity systems for better protection and monitoring.

CISA has stated that “MFA is one of the most important cybersecurity practices to reduce the risk of intrusions—according to industry research, users who enable MFA are up to 99 percent less likely to have an account compromised.”

CISA’s Zero Trust Maturity Model Version 2.0 details best practices for authentication in its Identity pillar which includes advancing maturity levels each with individual requirements. The Initial Maturity Level requires the use of MFA “which may include passwords as one factor.”

The Advanced and Optimal Maturity Levels require the use of phishing-resistant MFA. The advanced level states that “Agency begins to authenticate all identity using phishing-resistant MFA and attributes, including initial implementation of password.” And for Optimal, “Agency continuously validates identity with phishing-resistant MFA, not just when access is initially granted.”

Although the Department of Defense does not specifically call out the use of phishing-resistant MFA in  its Zero Trust Reference Architecture (ZTA), it does detail requirements for dynamic, continuous authentication that align with phishing-resistant MFA elements required by (OMB) Memorandum M-22-09. The ZTA notes that “Two factor authentications, authentication tokens, and username and password login have not kept pace with the industry’s multi-factor authentication advances.”

The ZTA also states that “The process of dynamic, continuous authentication begins with a user’s/NPE’s request for access. Attribute data such as a CAC and certificate or biometric will be provided to the identity agent for validation.” These attribute-based access controls are a cornerstone of phishing-resistant MFA.

The Top Three Phishing-Resistant MFA Components

There are three core Identity and Access Management functionalities required by federal agencies when developing a phishing-resistant multifactor authentication system:

Enterprise-wide identity systems. An enterprise identity management system must be compatible with common agency applications, and should integrate both among agencies and with externally operated cloud services. Fortunately, modern open standards can help in this regard. It’s important to note, however, that tightening access controls means agencies have to make use of data from different sources, including analysis of both device and user information.

Multifactor authentication. Not all multi-factor authentication methods protect against sophisticated phishing attacks. Therefore, agency staff, contractors, and partners must be provided with phishing-resistant MFA solutions, such as PIV, FIDO2 and Web Authentication-based authenticators, and PKI certificate-based smart cards.

User Authorization. Right now, federal systems typically rely on role-based access control (RBAC). Static pre-defined roles are assigned to users, and these roles set each user’s permissions. A zero trust architecture, by comparison, must have more fundamental and dynamically defined permissions, such as attribute-based access control (ABAC).

According to NIST, ABAC has to do with circumstances in which “subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.”

Authorization systems should incorporate at least one device-level signal alongside identity information about the authenticated user when regulating access to enterprise resources.

The problem with authenticators, however, is that all MFA processes that use shared secrets are vulnerable to phishing attacks.  This includes authentication methods that rely on memorized secrets, look-up secrets, out-of-band authentication (SMS/PSTN) including push notification, and one-time-passwords (OTP).

NIST considers SMS authentication to be insecure. It is classified by NIST as a “restricted” means of authentication because it is less reliable in today’s threat environment. Authentication using Public Switched Telephone Networks is also considered insecure by NIST because of the possibility of device infection, authentication spamming and other social engineering. A somewhat better approach to SMS or PSTN authentication is PUSH OTP, but NIST still does not consider it to be phishing-resistant.

Because phishing-resistant MFA methods may not be suitable for all contexts and circumstances, NIST recommends organizations should have at least one other unrestricted authenticator that fits with the necessary level of assurance for the selected app or service besides phishing-resistant MFA.

Consequently, even though PUSH OTPs are not phishing-resistant, they could still function as a secondary approach to some MFA services – depending on the user and data sensitivity.

It’s possible to harden a phone-based authenticator app by combining PUSH OTP with conditional and contextual authentication. If a login context is considered to be high risk (because of e.g. geographical location), the user could be required to provide additional methods of authentication. Therefore, combining PUSH OTP with device-native biometrics can confidently demonstrate the validity of a specific device-individual pairing. Integrity of the authentication can be ensured through risk monitoring, end-point security and anomaly detection.

The Importance of a Combined Approach to Security

A better approach to security, however, would be one that provides phishing-resistant MFA with an enhanced authentication experience. In this case, agencies should consider a combination of FIDO2 device-bound passkeys and biometry.

FIDO2 (or Fast Identity Online) authentication makes use of standard certified security keys to authenticate quickly and securely to online services. When replacing passwords with FIDO2 authenticators, apps and users can have a passwordless MFA experience. This approach is essentially resistant to phishing attacks and account takeovers, and enables simplified user adoption.

There are also benefits of combining FIDO with biometrics. Adding biometric verification to FIDO2 authentication creates an enhanced authentication experience with extra robust security. While FIDO2 authentication provides a robust security mechanism, biometric verification adds an extra layer of protection by verifying the user’s physical traits. This combination ensures the end-user has a seamless authentication experience while, at the same time, providing the agency’s IT department the assurance that their system is compliant and secure.

By combining these two authentication technologies with NFC, organizations can develop a user-friendly and convenient authentication experience. Users of systems that incorporate biometrics, FIDO2 and NFC can have a robust, contactless login experience, with no need to remember passwords or PINs that need to be entered on a keyboard. They simply tap a card that has an embedded fingerprint reader, and they are authenticated.

Overall, this approach can help improve user adoption rates, productivity, and overall satisfaction. Better still, biometric data is secure on the authenticator device and is not transmitted. This ensures that users’ data privacy is protected.

The ideal cases for integrating FIDO with biometric authentication include office employees who access sensitive information daily from their desktops. Frontline employees who need to access applications, messaging, and sensitive files on shared mobile devices are also likely candidates for this approach.

No One-Size-Fits All Approach

All of this goes to show, however, that there is no one-size-fits-all approach to MFA compliance, especially when MFA must also be phishing-resistant. By understanding the guidelines for Zero Trust authentication, as well as the various offerings for MFA, you will improve your cybersecurity posture even as you’re reducing the threat of damage caused by social engineering and phishing.

As the most exercised entry point to most systems, user access is the first line of defense in most federal agencies. Therefore, superior access control must be the tip of the defensive spear protecting this country’s sensitive data and resources.

About Thales TCT

Thales Trusted Cyber Technologies, a business area of Thales Defense & Security, Inc., protects the most vital data from the core to the cloud to the field. We serve as a trusted, U.S. based source for cyber security solutions for the U.S. Federal Government. Our solutions enable agencies to deploy a holistic data protection ecosystem where data and cryptographic keys are secured and managed, and access and distribution are controlled.

For more information, visit

About IC Insiders

IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.