Phishing-resistant MFA

What is phishing-resistant MFA?

Phishing-resistant Multi-Factor Authentication (MFA) is a crucial advancement in securing user accounts against identity theft. Traditional MFA, while effective and still considered secure by many professionals, can nonetheless fall prey to phishing. Phishers trick users into revealing their credentials (usually the first authentication factor) and have developed techniques to capture the second factor, which may be no more than an acknowledgement in an authenticator app or a one-time password generated there.

Currently, there are only a few choices for a second authentication factor that are both convenient and not susceptible to phishing attacks. Besides FIDO2 keys and vendor-specific mechanisms such as Windows Hello for Business (WHfB), only certificates provide a truly secure second factor. Certificate-based authentication is a mature technology that is readily available across platforms (operating systems and browsers) and identity providers (IDPs).


Why is it relevant for my organization?

Security and Data Breaches: In today’s interconnected world, cyber threats are rampant. Organizations face the risk of data breaches, unauthorized access, and identity theft. Protecting employee and customer identities ensures that sensitive information remains confidential.

Financial Impact: A security breach can lead to significant financial losses. Organizations may incur costs related to legal fees, regulatory fines, and damage control. Moreover, reputational damage can affect customer trust and loyalty.

Compliance and Legal Obligations: Many industries have strict compliance requirements (such as GDPR, HIPAA, or PCI DSS). Failing to protect identities can result in legal consequences. Compliance ensures that organizations handle personal data responsibly.

Business Continuity: Identity theft or compromised credentials can disrupt business operations. Ensuring secure access to critical systems and applications is essential for uninterrupted productivity.

Given the criticality of protecting identities, IDPs such as Microsoft and governments such as the US government actively encourage, or even mandate, that administrators enforce phishing-resistant MFA on their tenants.


How does Phishing-resistant MFA with Certificates work?

Phishing-resistant MFA is an authentication mechanism that must be enabled in an organization's identity management solution, e.g. Microsoft's Entra ID. Once enabled, applications validate and verify user identity, among other things on the basis of trusted digital certificates. These certificates can be delivered either to trusted corporate devices using an MDM solution or by enrolling them on hardware tokens or smart card devices such as YubiKeys that are handed out to the relevant users.
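The relying-party side of that certificate check, as an added example that is not SCEPman's or Microsoft's code: it assumes the Python `cryptography` library, a constructed corporate CA, user certificate and identity-provider challenges, and binds the certificate to the user account via the Microsoft UPN otherName in the SAN, one of the bindings Entra ID CBA supports. The proof of possession is a signature over the provider's fresh challenge, so a signature captured in one session does not verify in another, and a certificate from an issuer the relying party does not trust is rejected.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Microsoft's OID for the User Principal Name in a certificate's SAN (Entra ID CBA can bind on it).
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")

def issue(subject, issuer, pubkey, signing_key, ca=False, upn=None, days=365):
    now = datetime.now(timezone.utc)  # build a certificate and sign it with signing_key
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if upn:  # the UPN travels as a DER UTF8String (tag 0x0C, length, bytes) inside an otherName
        der = b"\x0c" + bytes([len(upn)]) + upn.encode()
        b = b.add_extension(x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der)]), critical=False)
    return b.sign(signing_key, hashes.SHA256())

def verify_login(ca_cert, user_cert, challenge, signature):
    """Relying-party checks; returns the UPN bound in the certificate, or None on any failure."""
    try:  # 1. issued by the trusted CA; 2. possession of the private key proven over THIS challenge
        ca_cert.public_key().verify(user_cert.signature, user_cert.tbs_certificate_bytes,
                                    ec.ECDSA(user_cert.signature_hash_algorithm))
        user_cert.public_key().verify(signature, challenge, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return None
    # 3. validity period (older cryptography releases only have the naive-UTC not_valid_* attributes)
    lo = getattr(user_cert, "not_valid_before_utc", None) or user_cert.not_valid_before.replace(tzinfo=timezone.utc)
    hi = getattr(user_cert, "not_valid_after_utc", None) or user_cert.not_valid_after.replace(tzinfo=timezone.utc)
    if not lo <= datetime.now(timezone.utc) <= hi:
        return None
    san = user_cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    upns = [n.value[2:].decode() for n in san.get_values_for_type(x509.OtherName) if n.type_id == UPN_OID]
    return upns[0] if upns else None  # 4. map the certificate to the user account (strip DER tag/length)

def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, "Example Corp Issuing CA")])
    ca_cert = issue(ca_name, ca_name, ca_key.public_key(), ca_key, ca=True, days=3650)
    user_key = ec.generate_private_key(ec.SECP256R1())  # in practice lives on a YubiKey or in a TPM
    user_name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, "Alice Example")])
    user_cert = issue(user_name, ca_name, user_key.public_key(), ca_key, upn="alice@example.com")
    sig = user_key.sign(b"idp-nonce-1", ec.ECDSA(hashes.SHA256()))
    valid = verify_login(ca_cert, user_cert, b"idp-nonce-1", sig)
    replayed = verify_login(ca_cert, user_cert, b"idp-nonce-2", sig)  # captured signature, new session
    rogue_key = ec.generate_private_key(ec.SECP256R1())  # a CA the relying party does not trust
    rogue_cert = issue(user_name, ca_name, user_key.public_key(), rogue_key, upn="alice@example.com")
    untrusted = verify_login(ca_cert, rogue_cert, b"idp-nonce-1", sig)
    return valid, replayed, untrusted
```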


How can SCEPman help your organization to realize Phishing-resistant MFA?

SCEPman is a cloud-born certification authority (CA) that seamlessly integrates with popular MDM solutions such as Microsoft Intune or Jamf Pro, thus allowing your organization to effortlessly enroll, renew and revoke certificates suitable for MFA purposes to your trusted endpoints.

For hardened security, SCEPman facilitates the convenient enrollment of identity certificates on smart card devices like YubiKeys. Typical applications for smart card devices are scenarios where administrators must access privileged portals or systems such as the Azure Portal (via Entra ID CBA) or Privileged Access Workstations (PAWs), e.g. using the Remote Desktop Protocol (RDP).