The Akamai Blog

Smartphones are not the problem with MFA security

We've recently seen big attacks play out on prominent technology companies despite their use of smartphone-based multi-factor authentication. These attacks are real, they do happen, and it appears that even the smartphone cannot protect us anymore.

While this conclusion may be tempting, it actually misses the point. The point is not that smartphones are insecure, but rather that the way we are currently using phones as authenticators is vulnerable. SMS and simple push notifications are not sufficient anymore because they can easily be phished. Hackers have made that clear to us.

As we explored in a previous blog, our very best bet to stop phishing attacks is to jump headfirst into the new WebAuthn/FIDO2 standards for strong cryptographic authentication. But does this mean we should give up on our smartphones?

Phones often get a bad rap as "insecure" devices. They're internet connected, they have Bluetooth, they run tons of third-party software, and they're always on. Many hardware token vendors would like you to believe that you are supposed to give up on phones and ask everyone to start carrying around a new dedicated "secure" dongle. It's not as simple as it seems.

Before you spend a small fortune deploying hardware tokens in your organization, consider the major flaws. It is not actually a given that these dongles are secure. They're not nearly as battle-tested as iPhones and Androids. Their scale is limited to millions, or in some cases, only hundreds of thousands. When the security of these devices fails, there's no way to release a software patch to fix it; you'll need to physically replace these devices. This is not a theoretical problem; it's already happened. Companies like Yubico issued free device replacements, and 750,000 Estonian national ID cards were rendered obsolete. Even if these dongles actually guaranteed more security, they are much easier to lose. If you lose one, it might take you days or weeks to realize it.

While it is true that phones have a larger attack surface area, it's more important to realize that mobile operating systems are some of the most secure programs we use every day. Apps are sandboxed from one another; Google and Apple frequently release security patches; and most iPhone and Android devices not only have biometric authentication, they also have built-in secure cryptographic coprocessor chips (sometimes called secure enclaves or secure elements) that are not too different from what you might find in one of these secure dongles. However, the main security advantage in choosing smartphones is that we can stand on the shoulders of giants: iPhone and Android operating systems are constantly patched and improved by the best in the industry. These are the experts who are responsible for the security of billions of devices across the planet. And everyone already has one of these devices in their pocket.

The best solution would be to combine the two. The concept is to take the best parts of the WebAuthn/FIDO2 standards and combine them with a roaming smartphone authenticator: a rich user experience, cryptographically secure hardware, and an endless stream of security patches by some of the best cryptographers and security teams in the world. This concept will be further explored in our next post.

To learn more about Akamai's phish-proof MFA solution, visit akamai.com/mfa.