Modern Multi-Factor Authentication (MFA) (2024)

  • Authenticate in seconds from anywhere, anytime, on any device.

    Not all MFA is created equal

    While MFA can be a strong first line of defense, not all forms of multi-factor authentication (MFA) are created equal. Legacy authentication such as usernames and passwords can be easily hacked, and mobile-based authentication such as SMS, OTP codes, and push notifications is highly susceptible to modern phishing attacks, malware, SIM swaps, and man-in-the-middle (MitM) attacks.

    Additionally, there are almost always edge cases of employees who can’t, don’t, or won’t use mobile authentication. Not only can there be low cell coverage in certain geographic areas, but employees also may not want to use personal devices for work or allow admin access to their devices. There may also be union restrictions or compliance requirements, and some employees may not be able to use a smartphone at all. If the fallback option is usernames and passwords, this makes the organization even more vulnerable to phishing and account takeovers.

    What is phishing-resistant MFA?

    Phishing-resistant MFA processes rely on cryptographic verification between devices or between the device and a domain, making them immune to attempts to compromise or subvert the authentication process. According to the NIST Special Publication (SP) 800-63 and Draft 800-63-4, two forms of authentication currently meet the mark for phishing-resistant MFA: PIV/Smart Card and the modern FIDO2/WebAuthn authentication standard.

    FREE EBOOK

    Not all MFA is created equal

    Any MFA is better than just a password, but not all MFA is created equal. Download the free Ebook to learn how easy it is for mobile-based MFA to be hacked!

    YubiKey offers phishing-resistant MFA

    Yubico offers the phishing-resistant YubiKey for modern, multi-factor and passwordless authentication. YubiKeys support multiple protocols including Smart Card and FIDO, offering true phishing-resistant MFA at scale, helping organizations bridge from legacy to modern authentication.
    YubiKeys are also simple to deploy and use—users can authenticate with a single tap or touch of the YubiKey. YubiKeys also don’t require batteries, have no breakable screens, don’t need a cellular connection, and are water-resistant and crush-resistant. With the YubiKey, organizations of all sizes can protect employees against modern cyber threats while driving high productivity, offering ease of use, and minimizing costs related to help desk password resets.

    What makes the YubiKey phishing resistant?

    Hardware-backed public key cryptography

    YubiKeys use secure public key cryptographic technology to generate unique public and private key pairs for each service. The private keys are stored securely on the YubiKey, making them hardware-bound and non-copyable, unlike legacy MFA.

    Proof of user presence

    Logging into a service with a YubiKey requires the user to touch or tap the key to authenticate. The touch sensor on the YubiKey verifies that the user is a real human and that the authentication is done with real intent. This prevents remote attacks that can easily bypass software-based MFA.

    Origin-bound keys

    Once you register your YubiKey to a service, it is bound to that specific URL, and the registered credential cannot be used to log in to a fake website. This means that even if a user is tricked into clicking a link that takes them to a fake website, the YubiKey is never fooled, so the phishing attempt is thwarted!

    YubiKeys authenticate through the FIDO open standard, enabling access to thousands of applications and services, providing high security and privacy at scale, across both work and personal lives. A single key can be used to authenticate across any number of applications and services with no shared secrets, ensuring complete protection.

    WHITE PAPER

    The dark side of mobile authentication

    Learn the five key misconceptions related to mobile-based MFA that are a ticking time bomb, and are putting your organization at risk of being hacked.

    Risk reduction, business growth, and efficiency enabled by YubiKeys

    A recent Forrester Consulting Total Economic Impact™ (TEI) study commissioned by Yubico found that a composite organization representative of interviewed customers who use YubiKeys reduced risk of successful phishing and credential theft attacks by 99.9%, saw a drop in password-related helpdesk tickets by 75%, and experienced a 203% 3-year ROI with YubiKeys.

    But all organizations are different. Enter your own company data to create a custom Dynamic TEI study and instantly see how Yubico’s solutions can help your organization!

    Unlock the 2023 Gartner® Market Guide for User Authentication

    According to Gartner®, “Attacks against incumbent multifactor authentication (MFA) methods are driving interest in phishing-resistant MFA and robust identity verification for credentialing and account recovery.”

    Embrace Zero Trust, level up your cybersecurity, and enhance employee and customer experiences! Explore Gartner user authentication recommendations for safeguarding against account takeovers (ATOs) and see why we are a Representative Vendor.

    Gartner, Market Guide for User Authentication, Ant Allan, James Hoover, Robertson Pimentel, 23 August 2023.

    Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

    GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

    Get Started

    Find the right YubiKey

    Contact our sales team for a personalized assessment of your organization’s needs.

    Get protected today

    Browse our online store today and buy the right YubiKey for you.

FAQs

Is modern authentication the same as MFA?

Modern Authentication is a category of different authorization and authentication protocols which are SAML, WS-Federation, and OAuth. Modern authentication enables the use of multi-factor authentication (MFA) which adds multiple layers of security.

Is MFA sufficient?

Despite this, experts warn that this security measure is no longer strong enough to protect users from cyber-attacks in 2023. MFA requires users to provide two or more factors to verify their identity when logging in to an account or performing a sensitive action.

What are the limitations of MFA?

Single point of failure. If the primary MFA device or method fails—e.g., smartphone app or hardware token—users get locked out of their accounts. Also, human error, such as users falling for a phishing or social engineering attack, is a point of failure MFA cannot entirely mitigate.

What is the success rate of multi-factor authentication?

For example, here are some key facts about MFA success rates: MFA blocks a whopping 99.9% of modern automated cyberattacks. Given that personal information like passwords and identification can be somewhat easily hacked and stolen online, being able to prevent 99.9% of automated cyberattacks is remarkably high.

Can you use modern auth without MFA?

In essence, you are simply enabling another authentication provider -- it is not directly tied to MFA. As long as the client supports ADAL/Modern Authentication, it will follow the new authentication process (with or without MFA), and if it does not support it, it will use the legacy method.

What is the difference between basic authentication and modern authentication?

Making the Move to Modern Authentication

Modern authentication is a stronger method of identity management that provides more secure user authentication and access authorization. It allows a user access from a client device like a laptop or a mobile device to a server to obtain data or information.

Why is MFA not enough?

MFA isn't strong enough

In fact, some MFA implementations are simply ineffective. For example, some are susceptible to cyberthreats, such as push bombing, in which cyberattackers push out a high volume of notifications to end users requesting they enter their credentials.

Is MFA 100% secure?

Using multi-factor authentication (MFA) is one of the best ways to help keep your online accounts secure. While MFA can be defeated (since no tool is 100% perfect), the extra step creates a roadblock that may make a cybercriminal more likely to move on to the next target.

Why is 2FA no longer safe?

Even if the user doesn't respond to a push login request or doesn't enter a One-Time Password (OTP) when prompted, a hacker still knows they now have a working password. How? Because the delay for the denied message takes longer... Most of us know where this is going; the hacker is persistent in their login attempts.

Can MFA be breached?

Like all software, MFA technology has bugs and weaknesses that can be exploited. Most MFA solutions have had exploits published which temporarily exposed opportunities for hacking.

What are the pros and cons of using multi-factor authentication?

2FA, and multi-factor authentication as a whole, is a reliable and effective system for blocking unauthorized access. It still, however, has some downsides. These include: Increased login time – Users must go through an extra step to log in to an application, adding time to the login process.

Is it necessary to have MFA?

Any time an account offers MFA or 2FA security measures, use them. Far too often passwords are reused or not strong enough to withstand a brute force attack. Not enabling MFA is a security risk you can no longer afford, and that inaction opens your business up to unnecessary risk.

What is better than multi-factor authentication?

Passwordless authentication is typically considered faster and more convenient than MFA. Users don't have to commit passwords to memory and only have to use one method of authentication.

What is the strongest authentication factor?

Biometric and possession-based authentication factors may be the strongest means of securing a network or application against unauthorized access.

What percentage of companies use MFA?

Multi-Factor Authentication Usage in Organizations

An extensive analysis by LastPass, which examined over 47,000 organizations globally that use its password management services, revealed that 57% have adopted multi-factor authentication (MFA).

What is the difference between MFA and authentication?

Single-factor authentication requires users to authenticate with only one type of evidence, which, most of the time, is a password. Multi-factor authentication (MFA) requires a user to present two or more pieces of evidence, or factors, for authentication.

What is considered modern authentication?

Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client (for example, your laptop or your phone) and a server, as well as some security measures that rely on access policies that you might already be familiar with.

What is MFA also known as?

Multi-Factor Authentication (MFA)

What type of authentication is MFA?

Multi-factor authentication (MFA) is a multi-step account login process that requires users to enter more information than just a password. For example, along with the password, users might be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint.

Article information

Author: Fr. Dewey Fisher