Multi-factor authentication (MFA) gets touted as a significant security improvement over traditional “username + password” authentication. However, not all MFA processes are created equal. As the opportunities narrow for cybercriminals to pick off the low-hanging fruit of password-only systems, they’ve turned their focus to weak MFA.

A growing number of organizations have suffered security breaches despite having MFA in place, thanks to expanding digital systems, more advanced phishing tools, and the continued allowance of passwords as an authentication factor. The past year, which saw Microsoft, Uber and Cisco breached by MFA “prompt bombing,” demonstrates that organizations can’t just deploy any type of MFA and presume they’re safe from breaches.

For these reasons, the federal Office of Management and Budget (OMB) and the Cyber and Infrastructure Security Agency (CISA) have emphasized the need for phishing-resistant MFA, specifically passwordless MFA built around FIDO standards. We’ve examined FIDO standards and what they mean for authentication before, but in this post, we look at one of the most critical elements of the process: FIDO Certified authenticators.


More

TechRadar: Great news everyone! Google is going to let you transfer your passkeys to a new phone

Google’s password manager may soon allow you to transfer your passkeys to a new phone,…

Read More →

International Security Journal: Passkeys set to become leading authentication method by 2027, HYPR reports

HYPR, an Identity Assurance Company, has released the fifth edition of its ‘State of Passwordless…

Read More →

Security Info Watch: iProov launches facial biometric MFA support targeting workforce identity theft

This device-independent, FIDO Alliance-certified biometric authentication solution helps organizations mitigate the risk of one of…

Read More →


Subscribe to the FIDO newsletter

Stay Connected, Stay Engaged

Receive the latest news, events, research and implementation guidance from the FIDO Alliance. Learn about digital identity and fast, phishing-resistant authentication with passkeys.