
Phishing Resistance – Protecting the Keys to Your Kingdom

[Image: envelope with a fish hook through it and an @ symbol, indicating phishing. Credit: Shutterstock]

If you own a computer, watch the news, or spend virtually any time online these days, you have probably heard the term “phishing.” Never in a positive context, and possibly because you have been a victim yourself.

Phishing refers to a variety of attacks that are intended to convince you to forfeit sensitive data to an imposter. These attacks can take a number of different forms, from spear-phishing (which targets a specific individual within an organization) to whaling (which goes one step further and targets senior executives or leaders). Furthermore, phishing attacks take place over multiple channels, or even across channels: from the more traditional email-based attacks, to those using voice (vishing), to those arriving via text message (smishing). Regardless of the type or channel, the intent of the attack is the same: to exploit human nature to gain control of sensitive information (citation 1). These attacks typically make use of several techniques, including impersonated websites, attacker-in-the-middle, and relay or replay, to achieve their desired outcome.

Due to their effectiveness and simplicity, phishing attacks have rapidly become the tool of choice for baddies everywhere. As a tactic, phishing is used by everyone from low-level criminals looking to commit fraud to sophisticated nation-state attackers seeking a foothold within an enterprise network. And, while almost any kind of information can be targeted, often the most damaging attacks focus on your password, PIN, or one-time passcodes: the keys to your digital realm. The combination can be catastrophic. The Verizon 2022 Data Breach Investigations Report lists phishing and stolen credentials (which may be harvested during phishing attacks) as two of the four “key pathways” that organizations must be prepared to address in order to prevent breaches (citation 2). In recognition of the threat posed by phishing, the Office of Management and Budget’s Memo 22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” prioritizes implementation of phishing resistant authenticators (citation 3).

So, how do you keep your keys from falling into the wrong hands? What constitutes a phishing resistant authenticator? The draft of NIST Special Publication 800-63B-4 defines phishing resistance as “the ability of the authentication protocol to detect and prevent disclosure of authentication secrets and valid authenticator outputs to an impostor relying party without reliance on the vigilance of the subscriber.” To achieve this, phishing resistant authenticators must address the following attack vectors associated with phishing:

  • Impersonated Websites – Phishing resistant authenticators prevent the use of authenticators at illegitimate websites (known as verifiers) through multiple cryptographic measures. This is achieved through the establishment of authenticated protected channels for communications and through methods that restrict the context in which an authenticator can be used. For example, this may be achieved through name binding, where an authenticator is only valid for a specific domain (I can only use this for one website). It may also be achieved through binding to a communication channel, such as in client-authenticated TLS (I can only use this over a specific connection).
  • Attacker-in-the-Middle – Phishing resistant authenticators prevent an attacker-in-the-middle from capturing authentication data from the user and relaying it to the relying website. This is achieved through cryptographic measures, such as using an authenticated protected channel for the exchange of information and digitally signing authentication data and messages.
  • User Entry – Phishing resistant authenticators eliminate the need for a user to type or manually input authentication data over the internet. This is achieved through the use of cryptographic keys for authentication that are unlocked locally through a biometric or PIN. No user-entered information is exchanged between the relying website and the authenticator itself.
  • Replay – Phishing resistant authenticators prevent attackers from using captured authentication data at a later point in time. The cryptographic controls that restrict context and prevent attacker-in-the-middle scenarios also prevent replay attacks, particularly when authentication and message data are digitally signed and time-stamped.
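The four properties above can be seen together in a compact model of a WebAuthn-style login. The code below is an added illustration, not code from NIST or from any FIDO or WebAuthn implementation: a relying party issues one-time challenges, an authenticator signs each challenge together with the RP ID that the browser reports, and the verifier rejects anything replayed, bound to another site, or tampered with. The domain names, user name and signed-message layout are constructed for the example; a real assertion carries more fields (client data, flags, a signature counter) and uses the registered credential's algorithm rather than a fixed Ed25519 key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assertion mirrors a WebAuthn assertion in miniature: hash of the RP ID the
// browser reported, the server's challenge, and a signature covering both.
type Assertion struct {
	RPIDHash  [32]byte
	Challenge []byte
	Signature []byte
}

// signedBytes is the exact message signed and verified: rpIdHash || sha256(challenge).
// Folding the RP ID into the signed data is what makes the signature useless elsewhere.
func signedBytes(rpIDHash [32]byte, challenge []byte) []byte {
	ch := sha256.Sum256(challenge)
	return append(append(make([]byte, 0, 64), rpIDHash[:]...), ch[:]...)
}

// Authenticator models a platform or hardware authenticator: one key pair per RP ID,
// private half never leaving the device, signing only for RP IDs it has a credential for.
type Authenticator struct{ creds map[string]ed25519.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]ed25519.PrivateKey{}} }

// Register mints a key pair bound to rpID (name binding) and returns the public half
// for the relying party to store. GenerateKey fails only if the OS randomness source does.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.creds[rpID] = priv
	return pub
}

// Sign is invoked by the browser, which supplies the RP ID of the page that really made
// the request. A look-alike domain has no credential and is refused outright, so no user
// vigilance is involved; the user never types or sees any secret.
func (a *Authenticator) Sign(rpID string, challenge []byte) (Assertion, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return Assertion{}, fmt.Errorf("no credential registered for %q", rpID)
	}
	as := Assertion{RPIDHash: sha256.Sum256([]byte(rpID)), Challenge: challenge}
	as.Signature = ed25519.Sign(priv, signedBytes(as.RPIDHash, challenge))
	return as, nil
}

// RelyingParty is the genuine website's verifier.
type RelyingParty struct {
	ID         string
	keys       map[string]ed25519.PublicKey
	challenges map[string]bool // outstanding one-time challenges
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, keys: map[string]ed25519.PublicKey{}, challenges: map[string]bool{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.keys[user] = pub }

// NewChallenge issues a fresh random nonce that will be accepted at most once.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[string(c)] = true
	return c
}

var ErrReplay = errors.New("challenge unknown or already used")
var ErrWrongOrigin = errors.New("assertion was signed for a different RP ID")
var ErrBadSig = errors.New("signature does not verify")

// Verify consumes the challenge first (one attempt per challenge, which defeats replay),
// then checks name binding, then the signature under the user's registered key.
func (rp *RelyingParty) Verify(user string, as Assertion) error {
	if !rp.challenges[string(as.Challenge)] {
		return ErrReplay
	}
	delete(rp.challenges, string(as.Challenge))
	if as.RPIDHash != sha256.Sum256([]byte(rp.ID)) {
		return ErrWrongOrigin
	}
	pub, ok := rp.keys[user]
	if !ok || !ed25519.Verify(pub, signedBytes(as.RPIDHash, as.Challenge), as.Signature) {
		return ErrBadSig
	}
	return nil
}

func main() {
	rp, auth := NewRelyingParty("bank.example"), NewAuthenticator() // constructed names
	rp.Register("alice", auth.Register("bank.example"))
	as, _ := auth.Sign("bank.example", rp.NewChallenge())
	fmt.Println("legitimate login:", rp.Verify("alice", as))
	fmt.Println("replayed later:  ", rp.Verify("alice", as))
	// An impostor site relaying the genuine challenge is reported under its own domain.
	_, err := auth.Sign("bank-login.example", rp.NewChallenge())
	fmt.Println("impostor site:   ", err)
}
```

The order of checks in Verify is deliberate: the challenge is spent before anything else is examined, so a captured assertion is dead after its first use whether or not it was valid, and an attacker-in-the-middle who relays the real site's challenge to a victim gains nothing, because the victim's browser reports the impostor's domain and the authenticator either has no credential for it or signs an rpIdHash the genuine site will not accept.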

As complicated as this may seem, there are several practical examples of phishing resistant authenticators in place today. For U.S. federal employees, the most ubiquitous form of phishing resistant authenticator is the Personal Identity Verification (PIV) card, which leverages public-key cryptography to protect authentication events. Commercially, FIDO authenticators paired with the W3C Web Authentication API (WebAuthn) are the most common form of phishing resistant authenticator widely available today. These can take the form of separate hardware keys or be embedded directly into platforms (for example, your phone or laptop). The availability, practicality, and security of these “platform authenticators” increasingly put strong, phishing resistant authenticators into users’ hands without the need for additional form factors or dongles.

Not every transaction requires phishing resistant authenticators. However, for applications that protect sensitive information (such as health information or confidential client data), or for users that have elevated privileges (such as admins or security personnel), organizations should be enforcing, or at least offering, phishing resistant authenticators. Individuals should explore the security settings for their more sensitive online accounts to see if phishing resistant authenticators are available, and make use of them if they are. In reality, these tools are often easier, faster, and more convenient than the MFA they may currently be using, such as SMS text codes.

In the end, phishing resistant authenticators are a critical tool in personal and enterprise security that should be embraced and adopted. They are not, however, a silver bullet. Phishing resistant authenticators only address one focus of phishing attacks – the compromise and re-use of authenticators such as passwords and one-time passcodes. They do not mitigate phishing attempts that may have alternative goals such as installing malware or compromising personal information to be used elsewhere. Phishing resistant authenticators should be paired with a comprehensive phishing prevention program that includes user awareness and training, email protection controls, data loss prevention tools, and network security capabilities.

For more information on phishing resistant authenticators, please read and comment on our Draft Fourth Revision of NIST SP 800-63, Digital Identity Guidelines by 11:59pm on Friday, March 24, 2023.

Also, check out our Phish Scale and Protecting Your Small Business: Phishing videos!


Citations:

1. Acheampong, I.K. June 2019. The State of Phishing Attack Vector. OWASP Ghana Chapter. https://owasp.org/www-chapter-ghana/assets/slides/Phishing_Presentation(OWASP_Ghana).pdf

About the author

Andrew Regenscheid

Andrew Regenscheid is a project lead for applied cryptography within the Computer Security Division at NIST. In his 15 years as part of the Cryptographic Technology Group, Andrew has worked to apply cryptographic algorithms and tools to improve the security of computer platforms, communication protocols, and authentication mechanisms. As the technical lead for the Personal Identity Verification standards program, Andrew is responsible for developing identity management standards and technical guidelines for federal government employees and contractors, while also contributing to NIST’s broader portfolio of digital identity guidance as a coauthor of NIST SP 800-63. 

Ryan Galluzzo

Ryan is the Digital Identity Program Lead for the Applied Cybersecurity Division at the National Institute of Standards and Technology (NIST). In this role he coordinates digital identity projects, initiatives, and efforts to advance NIST’s standards & guidance and drive foundational research to promote innovation in digital identity. He has contributed to multiple NIST Special Publications including NIST SP 800-63 Digital Identity Guidelines. Prior to joining NIST, Ryan was a Specialist Leader at Deloitte & Touche where he spent over 10 years providing cybersecurity and identity management subject-matter insights to multiple federal agencies, including the Internal Revenue Service (IRS), the General Services Administration (GSA), and NIST.
