My List of Good, Strong MFA

After I tell people not to use easily phishable MFA, the first question they ask is: what is and is not easily phishable? I have written dozens of articles explaining the types of MFA solutions that are easily phished and bypassed, including the companion article that precedes this one, which explains why you should not use easily phishable MFA: https://www.linkedin.com/pulse/dont-use-easily-phishable-mfa-thats-most-roger-grimes

The most common question I get is which MFA solutions are not so easy to phish and bypass?

This article lists MFA solutions and types which appear to be phishing-resistant.

Original publish date: 3/7/22

Date of most recent update: 1/1/24

My List of Phishing-Resistant MFA

Here is my list of phishing-resistant MFA. It is in no particular order.

My sole check is: can the solution be phished or bypassed in the way Kevin Mitnick demonstrates in this video (a man-in-the-middle proxy sitting between the victim and the real site): https://www.youtube.com/watch?v=xaOX8DS-Cto. Put another way: can an MFA user be tricked into clicking a fraudulent URL that leads them to enter their MFA credentials into a page the attacker controls, so that the attacker can capture those credentials, or capture the resulting access control token (for example, the session cookie) and replay it?
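To make that check concrete, here is an added example (my own illustration in Go, not code from this article or from the Mitnick demo) that simulates the relay against a site protected by password plus TOTP. The service, the proxy, the password and the session cookie are constructed stand-ins; the TOTP seed is the RFC 6238 test seed so the code generator can be checked against the published vector.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// totp implements RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second time step).
func totp(secret []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := int(h[len(h)-1] & 0x0f) // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// legitService stands in for the real site (say, https://bank.example).
type legitService struct {
	password string
	totpKey  []byte
	sessions map[string]bool // cookies the site currently accepts
}

// login checks password and TOTP and mints a session cookie. That cookie is
// the "resulting access control token" the attacker is after.
func (s *legitService) login(password, code string, now int64) (string, bool) {
	if password != s.password || !hmac.Equal([]byte(code), []byte(totp(s.totpKey, now))) {
		return "", false
	}
	var raw [16]byte
	if _, err := rand.Read(raw[:]); err != nil {
		panic(err)
	}
	cookie := hex.EncodeToString(raw[:])
	s.sessions[cookie] = true
	return cookie, true
}

// phishProxy models the lookalike site the victim was lured to. It forwards
// whatever the victim types to the real site immediately, so the one-time code
// is consumed while still valid, and it keeps the cookie that comes back.
type phishProxy struct {
	target *legitService
	stolen []string
}

func (p *phishProxy) relay(password, code string, now int64) bool {
	cookie, ok := p.target.login(password, code, now)
	if ok {
		p.stolen = append(p.stolen, cookie)
	}
	return ok
}

// RunRelayAttack plays the scenario once. It reports whether the attacker ends
// up holding a cookie and whether the real site accepts that cookie.
func RunRelayAttack() (attackerHasCookie bool, cookieAccepted bool) {
	svc := &legitService{
		password: "correct horse battery staple", // constructed
		totpKey:  []byte("12345678901234567890"), // RFC 6238 Appendix B test seed
		sessions: map[string]bool{},
	}
	proxy := &phishProxy{target: svc}
	now := int64(1700000000)

	// The victim reads this code off their authenticator app and types it into
	// the phishing page, believing it to be the real login form.
	victimCode := totp(svc.totpKey, now)
	if !proxy.relay("correct horse battery staple", victimCode, now) {
		return false, false
	}
	return true, svc.sessions[proxy.stolen[0]]
}

func main() {
	has, ok := RunRelayAttack()
	fmt.Printf("attacker holds a cookie: %v; real site accepts it: %v\n", has, ok)
}
```

Nothing in the TOTP exchange names the site the code was typed into, so the real service cannot tell a relayed code from a direct one; the same holds for SMS codes and plain push approvals. That is the property every entry on the list below has to lack.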

Disclaimer: This list is not all-inclusive, although I will add any solution that comes to my attention that I, solely, determine should be on the list. I provide no warranty as to what is and is not easily phishable or bypassable. This is just my personal analysis and selection. In some cases I did no research; in others I took the word of the vendor. I could be wrong or mistaken. Solutions listed here can be hacked in other ways and may become hackable in ways I am not aware of. Do not rely on this list alone to determine whether a particular MFA solution is good or bad or will decrease security risk for you or your environment.

[Note: I realize this list is pretty short, but I’m sure it will grow substantially as time goes on, as users and vendors make me aware of their non-easily phishable solutions.]

List of Phishing-Resistant MFA

NIST 800-63-B AAL3-Level Solutions

As noted in https://www.nist.gov/system/files/documents/2020/07/02/800-63B%20Conformance%20Criteria_0620.pdf, AAL3-6, "REQUIREMENT: At least one cryptographic authenticator used at AAL3 SHALL be verifier impersonation resistant. (4.3.2)" Verifier impersonation resistance (SP 800-63B section 5.2.5) is NIST's term for the property this article calls phishing resistance: the authenticator's output is cryptographically bound to the identity of the legitimate verifier (the site's name or its TLS channel), so a fake site that relays the exchange receives output it cannot use.

FIDO2

The Fast Identity Online (FIDO) Alliance is an industry body that publishes open authentication specifications (FIDO U2F and FIDO2, which pairs the W3C WebAuthn browser API with the CTAP authenticator protocol) that many vendors implement, for both MFA and single-factor logons. I am a fan of FIDO/FIDO2 MFA solutions. The alliance also promotes "passwordless" 1FA solutions, which I do not like as much. See https://fidoalliance.org/fido2/ for specifications and vendors. Many vendors support both FIDO2 and non-FIDO2 options; often only the FIDO2 option qualifies for inclusion on this list.

https://fidoalliance.org/
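The reason a FIDO2 credential passes the check above is that the browser, not the web page, records which origin an assertion is for, and the authenticator's signature covers that origin and a hash of the relying party ID. The following Go example is added here to show those checks (it is my illustration, not FIDO Alliance or vendor code, and it simplifies the WebAuthn data structures); the domains bank.example and bank-example.com, the challenge and the key pair are constructed. It is the same "site pre-registered to the device" property listed under Others further down.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// clientData is the part of WebAuthn CollectedClientData that matters here.
// The browser, not the web page, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the browser hands back after navigator.credentials.get().
type assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte // bytes 0..31 = SHA-256(rpId), then flags and signCount
	Signature         []byte // ECDSA over AuthenticatorData || SHA-256(ClientDataJSON)
}

// signAssertion models browser plus authenticator at the given origin. It signs
// for the origin it is actually at, whatever site the user believes they are on.
func signAssertion(key *ecdsa.PrivateKey, origin, challenge string) (assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	// Browser rule, simplified: the rpId must be the page's host or a registrable
	// suffix of it, so a lookalike domain cannot claim bank.example's rpId.
	rpHash := sha256.Sum256([]byte(strings.TrimPrefix(origin, "https://")))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags: user present; signCount 0
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return assertion{}, err
	}
	return assertion{ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}, nil
}

// relyingParty is the real site: its rpId, the origins it serves, and the
// public key it stored for this user at registration.
type relyingParty struct {
	rpID    string
	origins map[string]bool
	pub     *ecdsa.PublicKey
}

// verify runs the checks from the WebAuthn assertion-verification procedure that
// defeat a relaying proxy: expected origin, expected rpIdHash, valid signature.
func (rp *relyingParty) verify(challenge string, a assertion) (bool, string) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return false, "unparseable clientDataJSON"
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return false, "type or challenge mismatch"
	}
	if !rp.origins[cd.Origin] {
		return false, "origin not allowed: " + cd.Origin
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return false, "rpIdHash mismatch"
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], a.Signature) {
		return false, "bad signature"
	}
	return true, "ok"
}

// RunOriginBindingScenario logs in directly, then through a lookalike-domain
// proxy that forwards the real challenge and the victim's assertion unchanged.
func RunOriginBindingScenario() (direct bool, relayed bool, relayedReason string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, "", err
	}
	rp := &relyingParty{rpID: "bank.example", origins: map[string]bool{"https://bank.example": true}, pub: &key.PublicKey}
	challenge := "Y29uc3RydWN0ZWQtY2hhbGxlbmdl" // constructed; a real RP issues fresh random bytes

	a, err := signAssertion(key, "https://bank.example", challenge) // user really at bank.example
	if err != nil {
		return false, false, "", err
	}
	direct, _ = rp.verify(challenge, a)

	// Victim is at https://bank-example.com, an Evilginx-style proxy. A real
	// authenticator would already refuse, since the credential is scoped to
	// bank.example; even if it signed, the result is bound to the wrong origin
	// and rpIdHash, so the real site rejects it.
	a, err = signAssertion(key, "https://bank-example.com", challenge)
	if err != nil {
		return false, false, "", err
	}
	relayed, relayedReason = rp.verify(challenge, a)
	return direct, relayed, relayedReason, nil
}

func main() {
	d, r, why, err := RunOriginBindingScenario()
	fmt.Println("direct verified:", d, "| relayed verified:", r, why, err)
}
```

The checks that matter are the origin allow-list and the rpIdHash comparison; a relying party that skips them and only verifies the signature throws the phishing resistance away. Real deployments also check the user-verification flag and the signature counter, which this example omits.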

1Kosmos

https://www.1kosmos.com/

AuthN by IDEE

https://www.getidee.com/

Beyond Identity

www.beyondidentity.com

Offers a sophisticated solution that works with a host of authenticators.

Google Advanced Protection Program

https://landing.google.com/advancedprotection/

FIDO-compliant; requires a hardware security key (such as a Google Titan Key).

HYPR

https://www.hypr.com/true-passwordless-mfa/

IDEE

https://www.getidee.com/

Demo of IDEE defeating EvilGinx MitM attack: https://www.youtube.com/watch?v=MZWc12_H6rQ

idenprotect

https://www.idenprotect.com/


Good video explaining how it works against MitM attacks: https://www.youtube.com/watch?v=PLvWajO8Iek

Microsoft Azure AD (now Microsoft Entra ID) Certificate-Based Authentication

(Future approval?)

"The Azure AD CBA service promises to deliver 'phishing-resistant' multifactor authentication for organizations. It also helps with compliance issues, such as stipulations by the Biden administration in Executive Order 14028, Microsoft contends."

OKTA Fastpass

https://www.okta.com/fastpass/

Qualifies when used with phishing-resistant factors; see the technical whitepaper:

https://www.okta.com/sites/default/files/2023-02/FastPass_Technical_Whitepaper.pdf

Passkeys

Passkeys are the consumer branding for FIDO2/WebAuthn credentials used for passwordless sign-in, supported by many vendors including Apple, Google, and Microsoft. A passkey is a per-site key pair, so it carries the same origin binding as any other FIDO2 credential. When used in an MFA implementation (for example, a passkey that must be unlocked with a PIN or biometric before it signs), passkeys are phishing-resistant MFA.

https://www.theverge.com/2022/8/5/23293643/apple-passkeys-fido-alliance-passwordless-google-microsoft

SentryCard

Biometric card FIDO-enabled

www.sentryenterprises.com

SQRL

SQRL (https://sqrl.grc.com/), a passwordless protocol, is phishing-resistant with or without MFA involved. The SQRL client always initiates a separate, additional TLS connection to the server involved (https://sqrl.grc.com/threads/is-sqrl-susceptible-to-mitm-proxy-attacks.1259/#post-10281), even if a MitM site is in the path. Whenever possible, I prefer SQRL used with MFA over 1FA.

Token Ring

www.tokenring.com

FIDO2-enabled

Transmit Security's BindID

https://www.transmitsecurity.com/bindid

rfIDEAS

https://www.rfideas.com/

FIDO2-enabled

Yubico YubiKeys (when used as FIDO2 authenticators; the Yubico OTP and TOTP modes the same keys support are relayable like any other one-time code)

https://www.yubico.com/

Others

*Any solution which requires that the involved website be pre-registered to the MFA device, or vice versa:

  •  FIDO2 (see above)

  • Token binding

*Any solution which requires that you log in through their required app or portal

Examples include:

  • https://loginshield.com/, see https://loginshield.com/article/phishing-protection/ for details

  • Single-Sign-On (SSO) portals

  • Virtual machine portals

    Note: It is still possible to phish users of SSO and VM logon portals, but because users are accustomed to accessing their apps only through those portals, phishing is far less likely to succeed against most of them.

*Any solution with a second, independent channel that is used for the authentication process and that transmits the correct, legitimate target website/service URL to the end user or their MFA solution, so a mismatch between the URL the user is actually on and the URL the legitimate service expects can be detected.

*Any solution with "channel binding", which ties the authentication exchange to the specific TLS connection (for example, to the legitimate server's certificate), so that a response produced over a proxy's connection is rejected by the real server even if the proxy forwards it byte for byte. Some MFA solutions, like FIDO, allow and recommend channel binding as an additional option that can be enabled if desired. Microsoft has a version of channel binding known as Extended Protection for Authentication (https://msrc-blog.microsoft.com/2009/12/08/extended-protection-for-authentication/).
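As an added illustration of what channel binding buys (my example in Go, not Microsoft's Extended Protection code or any vendor's), the client below binds its authentication response to a hash of the server certificate it actually received, in the manner of the tls-server-end-point binding from RFC 5929. The certificates, secret and challenge are constructed byte strings, and SHA-256 stands in for the hash that the RFC derives from the certificate's signature algorithm.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// tlsServerEndPoint is the "tls-server-end-point" channel binding of RFC 5929:
// a hash of the server certificate the client received on its TLS connection.
// Extended Protection for Authentication carries this kind of value as a
// Channel Binding Token inside Windows authentication over HTTPS.
func tlsServerEndPoint(serverCertDER []byte) []byte {
	h := sha256.Sum256(serverCertDER)
	return h[:]
}

// clientResponse is what the client (or its MFA device) computes: a MAC over the
// server's challenge AND the channel binding of the connection the client
// actually made, keyed with the user's secret.
func clientResponse(secret, challenge, channelBinding []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	m.Write(channelBinding)
	return m.Sum(nil)
}

// serverVerify recomputes the response with the binding of the server's OWN
// certificate. A response produced over a proxy's connection, whose certificate
// necessarily differs, cannot match no matter how faithfully the proxy relays it.
func serverVerify(secret, challenge, ownCertDER, response []byte) bool {
	return hmac.Equal(response, clientResponse(secret, challenge, tlsServerEndPoint(ownCertDER)))
}

// RunChannelBindingScenario compares a direct connection with one through a
// MitM proxy that forwards the response unchanged.
func RunChannelBindingScenario() (direct bool, relayed bool) {
	secret := []byte("shared user secret")                  // constructed
	challenge := []byte("server nonce 0001")                // constructed
	realCert := []byte("DER of the bank.example cert")      // constructed stand-in
	proxyCert := []byte("DER of the bank-example.com cert") // constructed stand-in

	// Direct: the client's TLS connection terminates at the real server.
	direct = serverVerify(secret, challenge, realCert,
		clientResponse(secret, challenge, tlsServerEndPoint(realCert)))

	// Relayed: the client's TLS connection terminates at the proxy, so the
	// response is bound to proxyCert; the proxy forwards it to the real server.
	relayed = serverVerify(secret, challenge, realCert,
		clientResponse(secret, challenge, tlsServerEndPoint(proxyCert)))
	return direct, relayed
}

func main() {
	d, r := RunChannelBindingScenario()
	fmt.Printf("direct verified: %v; relayed through proxy verified: %v\n", d, r)
}
```

The proxy does not need to be caught by certificate validation for this to work: it presents a perfectly valid certificate for its own lookalike name, which is exactly why the binding the client computes differs from the one the real server expects. The protection evaporates only if the authentication protocol is used without the binding, which is why Extended Protection must be switched on at the server.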

Device-Logon Screens

Many devices have MFA-enabled "unlock" or logon screens (for example, Microsoft Windows Hello for Business, or fingerprint-enabled phone logons). In general, these device logon screens are more difficult to phish or MitM, because the user is not yet logged on to the device and is not interacting with a browser or a spoofable application. Device logon screens are, however, subject to a class of attack in which the entire logon screen is spoofed by an attacker (where that is possible), so that the user's logon credentials (face, fingerprint, swipe pattern, etc.) can be captured and reused by the attacker in a replay attack.

Smartcards

Most smartcard solutions, especially AAL3-level smartcard solutions, are phishing-resistant: the private key never leaves the card, and when the card is used for TLS client authentication the signature covers the handshake, so it is bound to the connection with the legitimate server rather than to one with a proxy.

End of List

The 4th in your List of Phishing-Resistant MFA is AuthN by IEEE. Did you mean by IDEE?

Like
Reply
Robin Sayer

IT Operations Manager at National Milk Records PLC

5mo

Great article. One thing I would mention is I came here via your post about 'Windows Hello for Business' and whether it is phishing resistant, in which you said 'it doesn't use a PIN', which I don't think is true. Both Windows Hello and Windows Hello for Business still rely on PINs, but of course not a PIN that would be any use to anyone unless they had physical access to the device. But yeah, agree that it's not really multifactor, just one factor.

Like
Reply
Beth Hanneken

Channel Sales Manager, Vicarius.io , Network+ ,Security+, and CAPM Certified

6mo

Thanks for the mention, Roger! Note: We are starting to make the Token ring available NOW. www.tokenring.com Biometric, wearable, FIDO2 certified MFA and password-less solution!

Like
Reply
Erin Swanson

Marketing Executive with a proven track record of success. Excels at balancing compelling content with creative themes to stand out in crowded markets. | Team Leadership | GTM Strategy | Product Marketing | Demand Gen

7mo

Always insightful, Roger. Could you please add SecureAuth Corporation to your list as a FIDO2-approved MFA provider?

Like
Reply
Gavin Townsend

Global Head of Cybersecurity at Grant Thornton International Ltd

10mo

Roger, it looks like this list is growing! Perhaps heading into two parts; one for methods (channel binding, smartcards etc), and one for more specific vendor platforms/solutions? The team from Daltrey have a solid approach, which would be worthy of listing here, using pre-registered biometric identity, with attribute and device binding (including liveness detection). https://www.daltrey.com/biometric-authentication-solution/
