We made our company safe from credential phishing
It took us some time, but we did it: we are now fully protected against credential theft through phishing. If a user receives a convincing but fake e-mail, clicks the link, and enters their credentials, nothing happens; the company is safe. Fantastic!
In recent years, many companies made their team members’ lives harder
Companies started asking for multi-factor authentication. Initially, this involved copying a code or approving a prompt. As attackers adapted, companies introduced “number matching”, requiring users to re-type or select a number or icon. However, attackers soon began asking users for the second-factor code as well, defeating its purpose. Today, even the most basic phishing attempts request MFA approval, leaving us reliant on users magically knowing whether microsoftonline.com is legit.
But it is possible to make it simpler, and more secure
The technology isn’t new; it has evolved a bit and changed names (FIDO2, WebAuthn, passkey). The simplest approach is to give users a Security Key (like the YubiKey) and a PIN. And that’s it: in the best case, users don’t even have a password to memorize anymore.
Why is it more secure? Simply because the credential is bound to the legitimate domain when it is registered, and it is the browser, not the user, that tells the Security Key which site is asking. The key signs the request only for the legitimate domain, never for the phishing domain. This means users are technically unable to hand their credentials to the phishing website of the day; that is what’s called phishing-resistant multi-factor authentication.
Isn’t it great? Guaranteed protection without blaming users!
And if physical keys are cumbersome (not sure why), it’s also coming as an app. No excuse.
Combine it with other measures to become even more resilient
If connections to corporate services are allowed only from compliant corporate devices, and SSO/passkeys are deployed on Windows and macOS devices, users simply never need to enter a password. Just keep the key around, use it once a month to re-authenticate, and forget about passwords.