In this series, Microsoft identity team members share their reasons for loving passwordless authentication (and why you should too!). Today, Maria Puertas Calvo, data scientist for Microsoft Identity, continues the series.
I am honored to be among such a fine group of people bringing you the goodness of passwordless authentication. Today, I’m going to talk about how passwordless dramatically reduces the risk of phishing attacks against your organization. Let’s begin!
Phishing is a form of social engineering in which a victim is tricked into giving their credentials to an attacker. It remains one of the main points of entry into organizations for cybercriminals. The attacker generally presents the user with a sign-in page that spoofs the real authentication page and hopes that the victim enters their credentials. Even a long, complex password won’t help you in a phishing situation: if you unknowingly type it exactly right into a phishing site, the attacker has it.
Passwords are the most commonly phished credentials, but some sophisticated attackers go one step further and perform real-time phishing attacks for multifactor authentication credentials, luring the victim to provide the one-time password (OTP) sent to their email or phone. From September 2019 to September 2020, Microsoft Defender for Office blocked 1.6 billion phishing emails linking to around 2 million phishing URL sites. In 2020, phishing incidents rose by 220% compared to the yearly average during the height of global pandemic fears.
OK, you get the point. Phishing is bad and scary, but how does passwordless protect your organization from phishing attacks?
To start, most phishing sites are designed to collect passwords. If you normally don’t use a password to log in, you will be immediately suspicious if the site is asking for one. Even if you think the site is legitimate, you will likely not know your password because you never use it! Sites that phish other credentials, such as OTPs sent to your phone app or hardware token, are much less prevalent, so if you choose to go passwordless, say with the Authenticator app for its amazing usability, you’ll also get enhanced security.
But the benefits don’t end there. Two of our main passwordless authenticators are FIDO2-based: Windows Hello for Business and security keys. If you want to make it extremely hard for your users to get phished, these two authentication methods provide phishing-resistant authentication. How? – you ask. Phishing sites rely on humans not noticing that the domain asking for their credential is not the one they registered that credential with. With FIDO, this problem is avoided because the server domain is used by the client (i.e. the browser) to ask the authenticator (i.e. the security key) to sign the login request. In simpler words, the authenticator will only provide a credential that’s valid for foobar.com when the site being visited is foobar.com. If an attacker creates foodbar.com and tries to phish the user’s credentials, the authenticator will sign a message that won’t be accepted by foobar.com, hence making phishing impossible.
So that’s it, one more reason to love passwordless. Go passwordless and drive cybercriminals out of business by keeping them out of your business.