USDA Stops Credential Phishing with FIDO Authentication

Published 2024-11-20 at https://tech.newat9.com/index.php/2024/11/20/usda-stops-credential-phishing-with-fido-authentication/ (republished from CISA; source link at the end).

As the saying goes, malicious actors don't break in, they log in. There is a significant truth in that statement. Today, many organizations struggle to protect their staff from credential phishing, a challenge that has only grown as attackers increasingly execute "MFA bypass" attacks.

In an MFA bypass attack (often called adversary-in-the-middle, or AitM, phishing), threat actors use social engineering to trick victims into entering their username and password on a fake website that relays them to the real site in real time. If the victim is using "legacy MFA" (SMS codes, authenticator-app codes, or push notifications), the attackers simply request the MFA code or trigger the push notification and relay that too. Anyone who can be convinced to reveal two pieces of information (username and password) can likely be manipulated into supplying a third (the MFA code or approval), because nothing in those factors is tied to the site the victim is actually looking at.

Make no mistake: any form of MFA is better than no MFA. But recent attacks make it clear that legacy MFA is no match for modern threats. So what can organizations do? Sometimes a case study can answer that question.

Today, CISA and the USDA are releasing a case study (https://cisa.gov/resources-tools/resources/phishing-resistant-multi-factor-authentication-mfa-success-story-usdas-fast-identity-online-fido) that details the USDA's deployment of FIDO capabilities to approximately 40,000 staff. While most USDA staff have been issued government-standard Personal Identity Verification (PIV) smartcards, that technology is not suitable for all employees, such as seasonal staff or those working in specialized lab environments where decontamination procedures could damage standard PIV cards. The case study outlines the challenges the USDA faced, how it built its identity system, and its recommendations to other enterprises. Our personal favorite recommendation: "Always be piloting".

FIDO authentication addresses MFA bypass attacks with public-key cryptography built into the operating systems, phones, and browsers we already use. At registration the authenticator creates a key pair scoped to the website's identifier; at login the browser, not the web page, records the origin the user is actually on, and the authenticator signs that origin together with a server-issued challenge. A signature collected on a look-alike domain therefore does not verify for the real site, and there is no shared secret for the victim to type into the wrong place. Single sign-on (SSO) providers and popular websites also support FIDO authentication.

Here is the remarkable part about FIDO: even if malicious actors craft a convincing scheme to steal staff credentials, and the staff comply, the attackers still will not be able to compromise the account.

The USDA's success story should inspire all enterprises to migrate to FIDO authentication. Customers expect their providers to take security seriously, and given today's threat landscape, organizations must ensure they are mitigating one of the most common and effective attack vectors.

You can read the full case study here: Phishing-Resistant Multi-Factor Authentication (MFA) Success Story: USDA's Fast IDentity Online (FIDO) Implementation (https://cisa.gov/resources-tools/resources/phishing-resistant-multi-factor-authentication-mfa-success-story-usdas-fast-identity-online-fido)

For more information, please see these other publications and resources:

Source link: https://www.cisa.gov/news-events/news/usda-stops-credential-phishing-fido-authentication
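The origin binding that makes a FIDO login useless to a relaying phishing site, as an added example that is not part of the CISA article or of the USDA deployment it describes: a minimal Go model of a WebAuthn assertion in which the relying party (RP) checks challenge, origin, RP ID hash and signature. The RP ID usda.example, its origin, and the phishing domain usda-login.example are hypothetical; the authenticator data layout is simplified to rpIdHash, flags and counter; registration, CBOR/COSE encoding and the browser's own refusal to exercise a credential on a non-matching domain are not modeled, so only the server-side check is shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData: the CollectedClientData fields an RP checks; the browser sets Origin from the real page URL.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	AuthenticatorData []byte // rpIdHash || flags || signCount (simplified layout)
	ClientDataJSON    []byte
	Signature         []byte
}

// signedHash is what both sides compute: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedHash(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// sign models browser plus security key: key was registered for rpID, origin is the site the user is really on.
func sign(key *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount 1
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedHash(authData, cd))
	return assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// verify is the relying-party side. The origin check is what defeats a relayed login.
func verify(pub *ecdsa.PublicKey, rpID, wantOrigin, wantChallenge string, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != wantChallenge {
		return fmt.Errorf("wrong type or challenge: stale or replayed assertion")
	}
	if cd.Origin != wantOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was collected on another site", cd.Origin, wantOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthenticatorData) < 37 || string(as.AuthenticatorData[:32]) != string(rpHash[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedHash(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// runScenario plays one genuine login and one MFA-bypass attempt where a look-alike site relays the
// RP's real challenge. genuine and relayed are the RP's verdicts; err reports setup failures only.
func runScenario() (genuine, relayed, err error) {
	const rpID, rpOrigin = "usda.example", "https://usda.example" // hypothetical RP
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // created at registration
	if err != nil {
		return nil, nil, err
	}
	raw := make([]byte, 32)
	if _, err = rand.Read(raw); err != nil {
		return nil, nil, err
	}
	challenge := base64.RawURLEncoding.EncodeToString(raw) // fresh, single-use
	as, err := sign(key, rpID, rpOrigin, challenge) // genuine: the user is on the real site
	if err != nil {
		return nil, nil, err
	}
	genuine = verify(&key.PublicKey, rpID, rpOrigin, challenge, as)
	// Bypass attempt: the victim is on the phishing site, which forwards the real challenge.
	as, err = sign(key, rpID, "https://usda-login.example", challenge) // hypothetical phishing origin
	if err != nil {
		return nil, nil, err
	}
	relayed = verify(&key.PublicKey, rpID, rpOrigin, challenge, as)
	return genuine, relayed, nil
}

func main() {
	genuine, relayed, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", genuine, "| relayed:", relayed)
}
```

The relayed assertion carries the RP's own fresh challenge and a valid signature from the victim's real key, which is exactly what a stolen one-time code or approved push would give an attacker; it is rejected anyway because the signed clientDataJSON names the phishing origin. In a real deployment the browser would already refuse to use the credential on usda-login.example since that host is not within the credential's RP ID, and the RP would additionally track signCount and validate the full authenticator data; this example keeps only the check that the article's argument turns on.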