Why it’s time to move to high assurance passwordless MFA with physical proximity.

The most common MFA authenticators are vulnerable because they do not have a proximity-based factor as a requirement.

The cybercrime marketplace of offering stolen credentials to enable access-as-a-service attacks continues to dominate the market with a 6 fold increase in number of credentials stolen by malware.

Passwords as the single factor of authentication has become a thing of the past and many security conscious organizations have now adopted multi-factor authentication (MFA) as the standard. MFA incorporates the use of multiple factors when authenticating a user, such as knowledge (something a user knows), inference (something a user is), and possession (something a user has).

However, as the threat landscape grows we have seen from recent cyber-attacks in the news that MFA is no longer enough to prevent breaches from account takeover (ATO) attacks. In addition to username passwords, attackers are also gathering contextual information such as browser version and geographical information to enable MFA bypass attacks. Some common MFA-based attacks are the SIM swap attackMFA prompt bombing, and Adversary in The Middle (AiTM). These attacks are getting more sophisticated and successful at breaching an organization’s defense.

Why physical proximity should be a required MFA factor

As seen in most of the attacks that overcome MFA, these attacks are launched remotely and are able to bypass MFA controls in place. Having a requirement of physical proximity as a required factor for MFA, in addition to the other factors of knowledge (something a user knows), inference (something a user is), and possession (something a user has) helps protect against remote based ATO attacks.

If we look at some of the most common MFA authenticators, we can see that most of these are vulnerable as they do not have a proximity based factor as a requirement.

MFA authenticators vulnerability table

However, high assurance PKI-based mobile smart credential login, FIDO2 keys and passkeys (FIDO2 multi-device credentials) all require physical proximity as a requirement to authenticate a user. In addition, these authenticators eliminate the use of passwords, instead using the concept of cryptographic key pairs to authenticate a user.

Consider PKI based mobile smart credential and passkeys below:

PKI based mobile smart credentials – This high assurance passwordless authentication works by installing a digital smart credential on a user’s smartphone transforming their smartphone into a trusted device. When a user wants to authenticate to a device such as a laptop, desktop or other workstation and are in close physical proximity to this device, they are prompted to authenticate themselves using biometrics on their smartphone, with the mobile smart credential. Once authenticated with biometrics, they gain access to the laptop or desktop and can also gain access to all apps and accounts using single sign-on capabilities. When they walk away from their laptop or desktop, they are automatically logged off. The process of triggering authentication on the user’s smartphone happens via Bluetooth, ensuring the user in close physical proximity to the device they are logging on to, protecting against remote based ATO attacks.

Passkeys – Passkeys let you sign in or log on to applications and services without passwords or even usernames if configured that way. They are digital credentials in the form of cryptographic key pairs, with the public key stored on the application server and a private key stored on your device that can be accessed via biometrics authentication on your device. Using passkeys to log in to applications and services make it seamless and easy to use, just like you would unlock your phone with Face ID or other biometrics. When a user tries to log in to an application, the application issues a security challenge to the user’s registered device via Bluetooth. The user is then prompted to authenticate via biometrics to accept the sign-in request, which is signed with the private key on the user’s registered device and sent back to the application to be verified with the corresponding public key, after which the user is signed in if successful.

The above high assurance authenticators combine the best of both worlds – MFA and passwordless and utilizes cryptographic key pairs and proximity factor to ensure a phishing resistant and seamless user experience for users to authenticate themselves.

Now that we’ve moved on from plain passwords to MFA and the bad actors have also caught up to finding ways to beat the traditional MFA configurations, it’s time to move to high assurance passwordless MFA with physical proximity as a required factor.

Learn more about how Entrust Identity as a Service (IDaaS) can help implement secure MFA for any use case across both workforce and consumer / citizen user groups.