Moving on from legacy MFA: Phishing-resistant MFA as a prerequisite for Passwordless

Okay. Hi everybody, and thank you for attending today's presentation on the topic, how to move to a Secure Password List Strategy and why Fishing Resistant MFA is a real critical pre prerequisite for your organization. So I guess my name, you know everybody, I, I was here just, just now, so I will skip my introduction. Going very quickly over the, the topics of today's, with the focus of today's presentation is why modern attack bypass legacy mfa? I think it's really under important to understand what is actually happening in the background and what is phishing resistant MFA and very, on a very high level scale, the road to passwordless. So I will start with the following headline today. Attackers don't hack in, they actually log in. And I think this is something we really need to realize. And the question is, why are they doing that? Because this is the most easiest and unobtrusive way to gain access to a corporate network.
Why should I try to sneak in or to penetrate a network if I can simply log onto it? Here we have an example of some global enterprise organizations that actually got breached during the last couple of weeks month, and they have all one thing in common. They used MFA to protect their identities, but they still got breached. So the question is why? And the reason for that is they didn't use phishing resistant mfa. If they would have used fishing resistant mfa, they, the possibility that they have would would've been breached is very low. Here we have a report from st, but other statistics also sh also show that round about 90% of all breaches are due to stolen credentials, weekly protected credentials. Just think about the number 90%. It's really huge. It is nine out of 10 breaches are due to unprotected or not properly protected credentials.
And if you think about a ransomware attack, for instance, I guess everybody's afraid of that one. They usually rely on compromised or not probably protected credentials as well. So therefore I can just recommend to everybody, please start using phishing resistant MFA in a form of Fido 5 0 2 smart card, actually both supported by the UBI key. No, this will definitely minimize the likelihood of unsuccessful attack. Golden rule, any MFA is better than the password alone. And, but we have to keep in mind not all M F A technologies has been created. Equally. There's a major difference. Of course, we have to start wherever we are now. So we have applications that are maybe not ready for the passwordless future. So we need to start protect them what we with, with what we have today. So with the options we have today, I think this is really important to understand and when we, when we look at different MFA technologies, we have very secure technology technologies like Smart Cart or a fighter two, both Phish resistant and passwordless.
But then we also have legacy applications and they are not offering the protection we need today, at least for the modern phishing attacks. And, and here's a simple example of why this is not sufficient. So ho a fake lock in page defeats legacy mfa. I think we all, we all know the starting point, the victim is actually getting an email and in this case the victim is clicking on this specific email so far. So it's still okay I would say. But unfortunately the victim was trapped. He's entering his credentials on the fake login page and the attacker grabs his ensures. Usually we would say we have MFA in place, we should be secure. At least this is what a lot of customers think. Unfortunately this is not the case. So in this case, the attacker enters the credentials on the fake, on the real webpage and what is happening in the background.
Now a push notification out of band push notification will be generated and will be sent to the user. So the user will take off his mobile, his mobile phone and look to his mobile phone and say, oh, that's me. I'm looking in at the moment he's confirming that one. And this is how the attacker is actually getting access to that user account. Very straightforward. And the dangerous part about this kind of attack is nowadays this kind of attack can be done basically by everybody. You don't need any technical skills for such an attack because you can simply buy yourself a so-called fishing as a service kit somewhere on a evil webpage and start, start such an attack. So the only thing that you really need to know is you need to know the attackers email address and what kind of service you would like to attack.
And that's it. So what can we do about that? We talked about that now multiple times fishing resistant mfa. So what is fishing resistant mfa? I think this is really important to understand what is that exactly? And according to the NIST 800 dash 63, I think they define it quite well. They say fishing resistant is ability of the authentication protocol to detect, prevent the disclosure of authentication secrets. So they clearly state it is the technology that is preventing the attack. If we go one step back, looking at the previous slide, we are depending on the user, the user clicked on the email, the user entered his first credential, the user confirmed the critical part, second push notification. And to be honest, I think in the year 2023, no company would like to rely on the sec on, on the, on on the dependency of, of a, of a user based on their IT security infrastructure. We have technology in place for that. We should not rely on the user anymore. No, and that is what, what the n also actually state is that 5 0 2 and smart cart are fishing resistant. And this is actually the only both protocols they are mentioning.
So the big question is, so if fishing is behind 90% of all breaches, why is not everybody using that? And I guess there are multiple reasons for that. And the first one is, I think it's awareness. A lot of people are not aware what is the difference between phishing resistant passwordless technology like Fido and Smart Card or legacy MFA technologies. I think this is a really critical point. We, we spoke to so many companies. We, we spoke to so many trusted advisors, we spoke to so many consultants of the customer, they all had a wrong, not all, but a lot of them have a wrong impression. And the the second reason is historically great security came, comes with usability trade offs. If we have a look at the traditional SMART card, you needed a very complex IT infrastructure in the background. You needed a smart card reader.
The smart card form factor was not compatible to all devices, et cetera. So it was challenging for the traditional smart card. And if we have a look at legacy MFA technology or traditional MFA technology like push notification, mobile authenticators display tokens, otp, sms, whatever, they do not protect against modern phishing attacks or man in the middle attacks anymore. Now. And this is exactly where the Yuki comes into play. So the YubiKey provides the highest security based on the technology SMART card and Fido. And it is very straightforward to use. So I, so what the user needs, he needs a YubiKey and a respective pin and I like to compare it always to the credit card experience. Everybody of us withdraw money at a bank, bank machine or a cash machine. That is straightforward for everybody. Everybody can do that. This is the same user experience we have here and very secure. So second last slide,
UBI Q works with more than 800 different verified applications. And when I say verify, I mean tested and documented applications, probably thousands or thousands of non-ed applications. And the reason for that is we are using standard or different multiple authentication technologies on one key. So we, we have FI technology, we have a smart card, but also support legacy technology on one key. And this is what is making it so interesting for our customers because coming to the next slide, the UBI q the UBI key will help build the bridge to a passwordless technology. And the reason is, of course, moving to a passwordless fishing resistant future is a journey. And this is not something that will happen overnight. And I think this is, this must be clear to everybody and therefore we need to protect what we have today. A lot of times legacy applications, this is where the Yuki can offer the first level of support for the legacy applications providing OTP technology or something else. And the second step, when you busy trans transitioning to the, to the more fishing resistant future or passwordless future, you can still use the same key for the modern technologies that you have on one on in your environment then yeah. So last sentence from my side, secure today, future proof for tomorrow. So I hope you enjoyed the, the presentation and I think we still had a a, a poll question.
Yeah, we have two minutes. So I just, before going to the questions, I just opened up a poll question, so please take your time to answer to that so we can discuss at the end of this session. And yeah, the question is, are you using a fishing resistant MFA technology in your organization? Yes or no? Real simple. So we have a question here.
Thank you. So in the last slide you said that fishing resistance is, is only smart keys, but why like PAs keys, which are local to the device are not fishing resistance? I didn't get that.
So what, what I, what I said is fighter two and smart card is fishing resistant and PA keys are based on fighter two.
Oh, so PA keys is all,
So the difference with, with with the PA keys, there are different, different kind of PA keys now. So you have authenticator or hardware based PA keys like the UBI key or external authenticators, and then you have like internal pass keys that might be, for instance your mobile phone,
Right?
Thinking about rolling out such an item at scale, say to a global organization with several hundred thousand users, just rolling out the physical tokens to the individual user is in itself a painful and large project. Just out of curiosity, does your company anything to facilitate that part of introducing a phish resistant MFA solution?
So I think we have to consider 2, 2, 2 things here. The one is the logistics and there, there we can also provide some support that the logistic part will be handled by either US or a partner from us. And the second part is of course the organizational process. And here we depend a little bit on the type of system you're using now. So the, for us itself, it it does not, does not really matter where the key will be used. If it's in Asia for instance. Asia is, it is, the rollout process itself is very straightforward. It's probably take you if you know what you do 30 seconds to roll out the vido key now. And so they have very good integrated processes. But here I have to say it depends on the solution that you use and but typically this is taken care of by the identity access management solution. Yeah, absolutely. So it is not, not a real, it is an organizational step, yes. But otherwise technical usually straightforward.
Maybe one more question. No, then maybe we can share the poll results. 10 people attended in total.
One. One years one. No,
No, no. It is five. Yes, five. No. Okay. Oh yeah.
Okay. Then I would say thank you very much for your time. It was a pleasure from our side.