
Security BUZZ - Multi-Factor Authentication series - Part 3


    Posted 07-07-2023 14:31

    In previous parts, I covered reasons to elevate MFA to the next level and the two most commonly used applications. The alternatives to authenticator applications, if you don't have or don't want to use a mobile phone, are FIDO2 hardware devices. The FIDO Alliance is a governing body over the standard for application developers and hardware manufacturers. The two most commonly used types are key fobs and security keys. Some of you are familiar with RSA key fobs - banks still use them. They are keychain-size devices that generate and rotate six- or eight-digit codes, similar to the SMS you receive with Step-Up Verification or an Authenticator application. They do not rely on any cellular or internet connection. Multiple manufacturers offer them, and they are most suitable for an organization with IT since fobs need to be programmed before you can use them. The other, even more popular option is a security key, with YubiKey being the most well-known. They have been dominating the market for years and come in many flavors. Most commonly used are USB-based devices that the user will attach to the computer and touch or use a fingerprint to authenticate. YubiKey supports dozens of different platforms and, most of the time, can be set up and configured by the user. There are even flavors that work with mobile devices. YubiKey is a not very technical and inexpensive way to meet security best practices, continuously evolving regulatory requirements, and compliance scrutiny for MFA.
    Finally, in light of continuous MFA attacks, specifically MFA bombing, many regulations required businesses to switch to Phish-Resistant MFA. Nothing is perfect, including MFA. There are some unavoidable attacks against MFA, but a conscious effort to move to MFA everywhere it is supported puts you in a better position. At the end of the day, you don't have to outrun the bear, just the next slower person. Cybercriminals value their time too. When faced with resistance, they go to the next victim.

    #ALTACyber 



    ------------------------------
    Genady Vishnevetsky
    Chief Info Security Officer
    Stewart Title Guaranty Company
    Houston TX
    ------------------------------