Phishing-resistant authenticators can prevent unwanted logins.
NIST on phishing resistance.
NIST has published a report encouraging the use of phishing-resistant authenticators.
According to NIST Special Publication DRAFT 800-63-B4, a phishing-resistant authenticator offers “the ability of the authentication protocol to detect and prevent disclosure of authentication secrets and valid authenticator outputs to an impostor relying party without reliance on the vigilance of the subscriber.”
Two examples of phishing-resistant authenticators are PIV cards for US Federal employees and FIDO authenticators paired with W3C’s Web Authentication API for the private sector.
NIST says a phishing-resistant authenticator must be able to prevent the following attack vectors:
- “Impersonated Websites – Phishing resistant authenticators prevent the use of authenticators at illegitimate websites (known as verifiers) through multiple cryptographic measures. This is achieved through the establishment of authenticated protected channels for communications and methods to restrict the context of an authenticator’s use. For example, this may be achieved through name binding – where an authenticator is only valid for a specific domain (I can only use this for one website). It may also be achieved through binding to a communication channel – such as in client authenticated TLS (I can only use this over a specific connection).
- “Attacker-in-the-Middle - Phishing resistant authenticators prevent an attacker-in-the-middle from capturing authentication data from the user and relaying it to the relying website. This is achieved through cryptographic measures, such as leveraging an authenticated protected channel for the exchange of information and digitally signing authentication data and messages.
- “User Entry – Phishing resistant authenticators eliminate the need for a user to type or manually input authentication data over the internet. This is achieved through the use of cryptographic keys for authentication that are unlocked locally through a biometric or PIN. No user-entered information is exchanged between the relying website and the authenticator itself.
- “Replay – Phishing resistant authenticators prevent attackers from using captured authentication data at a later point in time. Supporting cryptographic controls for restricting context and to prevent attacker-in-the-middle scenarios are also preventative of replay attacks, particularly digitally signed and time-stamped authentication and message data.”
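The four properties above are easiest to see from the verifier's side. The following is an added example, not code from NIST or from any FIDO/WebAuthn library: a simplified relying party and a simulated authenticator that follow the WebAuthn assertion shape (an rpIdHash for name binding, a clientDataJSON carrying the challenge and the origin the browser actually loaded, and a signature over both). Ed25519 stands in for the credential key, and the domains, user name and challenge format are constructed for the demonstration. The scenarios show a genuine login succeeding, an assertion relayed from a look-alike site failing the origin check, and a second use of the same assertion failing the replay check.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData carries the clientDataJSON fields used here: the challenge the
// RP issued and the origin the browser really loaded (not what the page claims).
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is a simplified WebAuthn assertion returned by the authenticator.
type Assertion struct {
	AuthenticatorData []byte // first 32 bytes are SHA-256(rpID): the name binding
	ClientDataJSON    []byte
	Signature         []byte // Ed25519 over authenticatorData || SHA-256(clientDataJSON)
}

// RelyingParty is the verifier; it tracks issued challenges so each is used once.
type RelyingParty struct {
	RPID    string
	Origin  string
	Keys    map[string]ed25519.PublicKey
	pending map[string]bool
}

func NewRelyingParty(rpID, origin string) *RelyingParty {
	return &RelyingParty{RPID: rpID, Origin: origin,
		Keys: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// NewChallenge issues a fresh random nonce and records it as pending.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	c := hex.EncodeToString(b)
	rp.pending[c] = true
	return c
}

// Verify runs the checks that make the protocol phishing-resistant.
func (rp *RelyingParty) Verify(user string, a Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("bad clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	// Replay: the challenge must be one we issued and not yet consumed.
	if !rp.pending[cd.Challenge] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.pending, cd.Challenge)
	// Impersonated website / attacker-in-the-middle: the signed origin is the
	// one the browser loaded, so a relayed assertion names the wrong site.
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: assertion made for %s", cd.Origin)
	}
	// Name binding: the credential is scoped to our RP ID.
	want := sha256.Sum256([]byte(rp.RPID))
	if len(a.AuthenticatorData) < 32 || !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	pk, ok := rp.Keys[user]
	if !ok {
		return errors.New("unknown user")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...)
	if !ed25519.Verify(pk, msg, a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Authenticator stands in for a FIDO device: the private key never leaves it
// and the user types no secret into the site.
type Authenticator struct{ priv ed25519.PrivateKey }

func (au *Authenticator) Sign(rpID, origin, challenge string) Assertion {
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags (user present) + counter
	cdHash := sha256.Sum256(cd)
	msg := append(append([]byte{}, authData...), cdHash[:]...)
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd,
		Signature: ed25519.Sign(au.priv, msg)}
}

// RunScenarios returns the outcome of a genuine login, of an assertion relayed
// from a look-alike site (constructed: example.net), and of a replayed assertion.
func RunScenarios() (legit, relayed, replayed error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	au := &Authenticator{priv: priv}
	rp := NewRelyingParty("example.com", "https://example.com")
	rp.Keys["alice"] = pub

	c1 := rp.NewChallenge()
	a1 := au.Sign("example.com", "https://example.com", c1)
	legit = rp.Verify("alice", a1)

	// The look-alike forwards a real challenge, but the browser only lets a page
	// request its own RP ID and signs the origin the user actually visited.
	c2 := rp.NewChallenge()
	a2 := au.Sign("example.net", "https://example.net", c2)
	relayed = rp.Verify("alice", a2)

	replayed = rp.Verify("alice", a1) // same challenge presented a second time
	return
}

func main() {
	legit, relayed, replayed := RunScenarios()
	fmt.Println("genuine login:", legit)
	fmt.Println("relayed from look-alike:", relayed)
	fmt.Println("replayed assertion:", replayed)
}
```

The order of checks matters in practice: consuming the challenge before any other validation means a failed attempt cannot be retried with the same nonce, and comparing the signed origin rather than trusting the HTTP request is what defeats the relay, since the attacker cannot forge a signature over the legitimate origin without the private key.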
NIST notes that these types of authenticators can only prevent attacks in which the threat actor is trying to log in to something. Users should still be wary of phishing attacks that attempt to install malware or steal sensitive information.