Yes, There Is a Phishing Solution That Doesn’t Make Logins Hard

Phishing continues to be a top security headache. Traditional solutions frustrate users without solving the problem, but a new generation of authentication tools is changing the game.

Phishing has been with us for many years now, almost as long as the problem of email spam itself.

Of course, phishing is a bigger concern than spam for most companies: spam is merely an annoyance in terms of cost and consequences, while phishing can be positively catastrophic.

In a phishing attack, the attacker impersonates a legitimate website or application in order to steal user credentials. © Elnur / Dreamstime

When users click on phishing links that lead to fake versions of websites or cloud applications, then unknowingly enter login and password details, their credentials are captured by crooks.

With those stolen credentials, the crooks can then log in to the real websites or cloud applications they impersonated, possibly including yours.

Phishing Is a Serious Problem

The phishing problem is not small.

A third of all data breaches surveyed in Verizon's 2019 Data Breach Investigations Report involved phishing. The YL Ventures Top CISO Insights for Q3 2019 highlight phishing as a key threat to be addressed.

This is a nightmare for companies precisely because phishing is so hard to combat:

  • Significant user education and sophistication are required to enable users to identify phishing links.

  • Many common mobile email applications make it impossible to distinguish between legitimate and phishing links even with such education.

  • Prohibiting all email clicks negatively impacts productivity by also making legitimate content and communication inaccessible.

What is to be done?

Making Logins Harder Doesn't Solve the Problem

Aside from the losing battle involved in trying to train users to identify and avoid clicking on phishing links, the most common attempts to combat phishing to date generally involve various tweaks to shared-secret requirements during login:

  • Requiring that users change their password more and more frequently, to limit the time during which stolen credentials are effective

  • Requiring users to answer previously answered "secret questions" at login

  • Requiring users to provide a one-time code delivered via SMS or email in order to log in

  • Requiring users to click a one-time-use email link in order to log in

The most common strategies to combat phishing and stolen credentials involve things that make logins hard, sapping both productivity and user morale. © lamchamp / Dreamstime

Unfortunately, these would-be solutions come with problems of their own.

Most importantly, they all sap productivity and engagement by making logins far more difficult and error-prone, which also tends to lead to a significant increase in IT support load.

Frequent password changes, meanwhile, infuriate users and lead to simpler passwords and password incrementing. For example, users may opt to use "MyPassword1" this week, "MyPassword2" next week, and "MyPassword3" the week after that. These patterns are easy for hackers to spot and adjust for.

Answers to secret questions can often be stolen right along with usernames and passwords in phishing attempts. Even when this isn't the case, they often involve answers consisting of publicly available biographical data.

SMS was designed for casual use, not as a secure identity factor. Phones can be stolen or numbers ported. Storage and transmission are in cleartext. SMS apps may distribute incoming messages to many devices and inboxes. One-time SMS codes aren't a panacea. © JESHOOTS / Pexels

One-time codes aren't much better. SMS itself is insecure and is often linked to applications that let users read messages from anywhere. Since many users re-use credentials across services, phished credentials also often give attackers access to the inboxes in which the codes are delivered.

The same problem applies to one-time links delivered by email, and this problem is compounded by the confusion created when users learn that the solution to email link security is to click on more email links (but only, of course, the right email links).

In short, all of these strategies for making logins progressively more difficult tend to alienate users while failing to provide significant additional protection against phishing attacks.

Advanced Authentication Enables Easy, Phish-Resistant Logins

All of this sounds rather dismal, but in fact solutions are available. Today, advanced authentication techniques offer a very good solution for preventing phishing attacks.

In the case of Plurilock ADAPT, for example, website or application login prompts can be protected by a machine learning engine that silently analyzes a number of identity signals in the background as users enter their username and password:

  • The cadence of and patterns in their typing

  • Their current location and recent travel patterns

  • Their device or browser fingerprint

  • Their network properties and context

By combining behavioral biometric signals, environmental signals, and contextual signals in this way, user identities can be tested and either confirmed or rejected regardless of the credentials that they actually use.
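As an added illustration (not Plurilock's code and not part of the original article), the following Python sketch shows how behavioral, environmental and contextual signals like the four listed above can be combined into a single risk score and a three-way decision (allow, step-up, deny). The user profile, the three login attempts, the weights and the thresholds are all constructed for the example; a production engine would learn them from observed logins rather than hard-code them.

```python
"""Constructed example of risk-based login scoring.

Combines a typing-cadence signal, device and network fingerprints and an
impossible-travel check into one score. Not Plurilock's engine; all data,
weights and thresholds below are assumptions made for illustration.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from statistics import mean


@dataclass
class UserProfile:
    cadence_mean: float      # baseline mean inter-keystroke interval (seconds)
    cadence_stdev: float     # baseline spread of that interval
    known_devices: set       # browser/device fingerprints seen before
    known_networks: set      # network identifiers (e.g. ASN labels) seen before
    last_location: tuple     # (lat, lon) of the previous successful login
    last_login_ts: float     # epoch seconds of the previous successful login


@dataclass
class LoginAttempt:
    key_intervals: list      # inter-keystroke intervals captured at the prompt
    device_fp: str
    network: str
    location: tuple
    ts: float


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score_attempt(profile, attempt):
    """Return (risk_score, reasons); higher means riskier. Weights are assumed."""
    score, reasons = 0.0, []
    # Behavioral signal: distance of this attempt's typing cadence from baseline.
    z = abs(mean(attempt.key_intervals) - profile.cadence_mean) / max(profile.cadence_stdev, 1e-3)
    if z > 3:
        score += 0.4
        reasons.append(f"typing cadence z={z:.1f}")
    # Environmental signals: device and network fingerprints.
    if attempt.device_fp not in profile.known_devices:
        score += 0.25
        reasons.append("unknown device")
    if attempt.network not in profile.known_networks:
        score += 0.15
        reasons.append("unknown network")
    # Contextual signal: implied travel speed since the last login.
    km = haversine_km(profile.last_location, attempt.location)
    hours = max((attempt.ts - profile.last_login_ts) / 3600, 1e-6)
    if km / hours > 900:  # faster than a commercial flight: impossible travel
        score += 0.4
        reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    return round(score, 2), reasons


def decide(score, allow_below=0.3, deny_at=0.6):
    """Map a score to an outcome; the bands are assumed policy values."""
    if score < allow_below:
        return "allow"
    if score >= deny_at:
        return "deny"
    return "step-up"


def demo():
    """Score three constructed attempts that all present the correct password."""
    t0 = 1_600_000_000.0
    profile = UserProfile(0.18, 0.03, {"fp-laptop-a1"}, {"AS-corp"}, (48.43, -123.37), t0)
    normal_typing = [0.17, 0.19, 0.18, 0.20, 0.16]
    attempts = {
        # Same person, same laptop, office network, next hour.
        "genuine": LoginAttempt(normal_typing, "fp-laptop-a1", "AS-corp", (48.43, -123.37), t0 + 3600),
        # Phished password replayed from an unknown device far away, 30 minutes later,
        # with a fast, uniform cadence typical of pasted credentials.
        "stolen_credentials": LoginAttempt([0.05, 0.06, 0.05, 0.04, 0.05], "fp-unknown-9z",
                                           "AS-other", (55.75, 37.62), t0 + 1800),
        # Same person two days later on a new tablet over a hotel network.
        "travelling_new_device": LoginAttempt(normal_typing, "fp-tablet-new", "AS-hotel",
                                              (51.50, -0.12), t0 + 48 * 3600),
    }
    results = {}
    for name, attempt in attempts.items():
        score, reasons = score_attempt(profile, attempt)
        results[name] = (score, decide(score), reasons)
    return results


if __name__ == "__main__":
    for name, (score, outcome, reasons) in demo().items():
        print(f"{name:22s} score={score:<4} {outcome:8s} {', '.join(reasons) or 'no anomalies'}")
```

The point of the three cases is that the password is correct in all of them; only the surrounding signals separate the owner from the impostor. The "travelling" case lands in the step-up band rather than being denied, which is where a second factor or a notification belongs, while the replayed credentials accumulate enough independent anomalies to be rejected outright.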

Using machine learning combined with behavioral biometrics and other available data, everyone in the company can be recognized—while imposters that have stolen working credentials can be excluded. © rawpixel.com / Pexels

In practice this means that when websites or applications are protected by products like Plurilock ADAPT, credentials stolen through phishing can't be used to log in—even when they're still current and valid.

This is because the credential thief, despite having the right username and password, does not have the same typing cadence, the same location patterns, or the same browser and network context as the intended user.

And because advanced authentication systems like Plurilock ADAPT are invisible during the login workflow, users can enjoy this additional protection—and log in—using the same username and password that they always use, without the imposition of multiple additional steps or infuriating password expiration rules.

Stopping the Phishes

No, advanced authentication techniques won't immediately stop phishing email from being sent.

They will, however, stop phishing email from being an effective attack vector. Over time, as more and more companies adopt advanced authentication, this loss of effectiveness should eventually reduce the amount of phishing email sent as well.

In the meantime, companies that adopt advanced authentication techniques like those present in Plurilock ADAPT will enjoy relative immunity from phishing risks in their own systems and applications.

Just as importantly, they will enjoy this protection without the excessive costs that result from angry users, lost productivity, or other, less effective multi-step or two-factor solutions. ■


© 2018 Plurilock. All Rights Reserved. | Plurilock Cage Code L02Z7; DUNS 248484623