Phishing-Resistant Authentication for ID Security

Identity attacks are on the rise. The Microsoft Digital Defense Report 2023 found that attempted password attacks increased by 10x in 2023, resulting in an average of 4,000 blocked attacks per second targeting cloud identities. We're also seeing a rise in phishing attacks as a whole — many of which have been driven by threat actors leveraging generative AI to launch scaled, highly sophisticated campaigns. In its "Internet Crime Report 2023," the FBI found that phishing attacks were the leading type of incident, accounting for 61% of all complaints received.

Further complicating the matter is the ongoing shortage of security professionals. The global cybersecurity gap is at an all-time high, with an estimated 4 million professionals needed to meet current demand. As organizations work to fill gaps on their teams, existing cyber defenders are overwhelmed by a near-constant barrage of attacks and alerts.

To flip the script on cybercriminals and enable defenders to respond at the speed of attacks, organizations need the right tools and technology to counter shifting threat trends. That's where secure-by-default principles, phishing-resistant authentication, and Conditional Access policies come in.

Take the Onus for MFA Off Security Teams

Cloud identities are a high-priority target for many threat actors. Once compromised, threat actors can use identity credentials and their associated permissions to breach environments and carry out malicious activities such as installing malware, exfiltrating data, exposing company secrets, and more.

Multifactor authentication (MFA) is an often-recommended defense, but it has to be enabled to be effective. Consider the recent Change Healthcare attack in February 2024. The attack — which shut down the company's operations and exposed the sensitive health information of an estimated 33% of Americans — occurred because Change Healthcare's parent company was not using MFA to secure one of its most critical systems. This is not an isolated problem, either. Despite years of education, Microsoft data shows that only 40% of enterprise users use MFA.

Rather than adding to security teams' workloads, organizations should prioritize technology vendors offering MFA as part of a secure-by-default strategy. This ensures organizations are operating securely from day one. It can also help mitigate potential security risks caused by misconfigurations. At Microsoft, we recently expanded our Secure Future Initiative (SFI) to ensure all the work we do is guided by secure by design, secure by default, and secure operations principles.

Choose the Right MFA

In addition to ensuring MFA is properly enabled across the enterprise, organizations also need to choose a strong form of MFA for their needs. Certain MFA methods can be susceptible to phishing.

For example, SMS is a common form of MFA in which users receive a text message with a one-time code as their second form of verification. However, this method is not perfect. Users can still be tricked into providing their verification code to malicious actors. We've also seen adversaries deploy SIM-swapping scams to gain control of users' phone numbers and bypass SMS-based MFA.

The best form of MFA is one that is both passwordless and phishing-resistant. Microsoft offers five phishing-resistant options for enterprises:

Powering all of these options is Conditional Access — Microsoft's zero-trust access policy engine that explicitly verifies signals across identity, endpoint, and network to enforce policy decisions.

Conditional Access verifies a wide range of signals from the identity (human and non-human), the device health, the application and data sensitivity, the location, user compromise risk, sign-in risk, and insider risk. From there, it can automatically determine whether or not access should be granted, restricted, or monitored. Using continuous access evaluation, these Conditional Access policies are continuously evaluated and enforced. This allows users to remain productive wherever they're located while still protecting the organization's assets and reducing the burden on security teams.

Ultimately, the goal of all of these solutions is to raise the bar on security to prevent account compromise without impeding user productivity. Phishing-resistant MFA that is enabled by default and powered by dynamic Conditional Access policies can help organizations better protect operations in a shifting threat landscape.

By Nitika Gupta, Principal PM Manager, Microsoft

About the Author:

Nitika Gupta is a lead Program Manager in the Identity division at Microsoft. She leads the team that owns Conditional Access and strong authentication. Prior to this role, she worked on Azure AD Provisioning where she led the cloud powered provisioning solution for syncing from on-premises directories. During her time at Microsoft, she has worked on a range of security features and drove adoption of Identity security best practices.