Phishing attacks are one of the most common cyber attacks, making up 80% of reported incidents this year, with 43% of UK SMBs being targeted last year.
Many people assume that they would be able to spot phishing attacks, and while there are some things to look out for, none of them are 100% accurate. Phishing attacks are cheap to carry out, and often very sophisticated, replicating emails from trusted people or brands almost perfectly.
The majority of phishing attacks have a simple goal: to have you enter your login details, which the attacker can then use to compromise your account, your computer, or sometimes even your whole network. There are common ways to mitigate this, through more advanced email security, education and training programmes, or MFA. However, none of these are 100% effective at stopping these types of phishing attacks.
There is, however, a tool which has been tested in large organisations and proven to be 100% effective against this type of attack: the Security Key.
In 2017, Google rolled out the use of Security Keys to 85,000+ employees, and in 2018, reported that there had been 0 successful account takeovers since rolling out the technology.
Now, in 2020, the technology has become much more widely adopted and is supported by many online platforms and browsers, and can even be used to log in to your Windows computer.
So, how does it work?
When most people think of MFA or 2FA, they think of text message codes, or of looking at an app on their phone to type in a security code. However, that's not what Multi-Factor actually means.
There are three factors you can use to prove you are who you say you are:
Something You Know (Passwords, Pin codes)
Something You Are (Fingerprints, Iris scans, facial recognition)
Something You Have (A security key, mobile phone with an app)
Multi-Factor simply means using more than one of these factors to be absolutely sure you are who you say you are. However, not all methods of providing these factors are equal.
For example, everyone knows that "Password123" is a bad password, but you can similarly have bad MFA. SMS-based authentication codes can be stolen by "SIM swapping", a very common attack in which your mobile number is transferred to another device. Even app-based authentication codes have a weakness: in a phishing attack, the attacker can simply fake the login screen that asks for the code, and behind the scenes use it to log in to your account immediately.
This is where security keys come in. A security key is a hardware "key" that you plug into your phone or computer (although NFC and Bluetooth versions are also available) and tap when prompted.
In the background, the website sends a request to your computer, which passes it through to the key. The request is encrypted with a unique password; if it doesn't match the copy stored on the key, the key knows that the request was faked. If the request is genuine, the key waits for you to touch a part of it or push a button, which confirms that you are present at the computer. The key then re-encrypts the request with a unique password that is stored only on the key and sends it back to the website, which checks that it matches a stored copy, confirming that you have that specific key.
This is all very complicated, but from your point of view, you push a button, and you're logged in, with no possibility of entering your password into the wrong site, or giving up credentials to a phishing attack.
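The exchange described above, as an added toy model that is not part of the original post: a per-site secret created at registration, a challenge that the browser (not the web page) tags with the real origin, a user-presence check, and single-use challenges on the website. An HMAC stands in for the key's signature so it runs with only the standard library; the domain names and the key_store state are constructed for the example.

```python
import hashlib, hmac, json, secrets

key_store = {}  # the security key's storage: site id -> secret created on the key, never leaving it (toy state)

def key_register(rp_id):
    key_store[rp_id] = secrets.token_bytes(32)
    return key_store[rp_id]  # the site keeps its own copy to check responses against

def key_authenticate(rp_id, client_data, user_present):
    if rp_id not in key_store:  # nothing stored for this site: the request is faked
        raise ValueError(f"no credential for {rp_id}")
    if not user_present:  # the physical tap proves a person is at the computer
        raise ValueError("waiting for touch")
    return hmac.new(key_store[rp_id], client_data, hashlib.sha256).digest()

# the browser, not the web page, records which origin is asking
def browser_login(origin, challenge, user_present=True):
    rp_id = origin.split("://", 1)[1]  # e.g. login.example.com
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}, sort_keys=True).encode()
    return client_data, key_authenticate(rp_id, client_data, user_present)

class Website:
    """The site being logged in to (the relying party)."""
    def __init__(self, origin):
        self.origin, self.pending = origin, set()
        self.secret = key_register(origin.split("://", 1)[1])  # one-time registration of the key
    def new_challenge(self):
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge
    def verify(self, client_data, response):
        data = json.loads(client_data)
        challenge = bytes.fromhex(data["challenge"])
        if data["origin"] != self.origin or challenge not in self.pending:
            return False  # wrong site, or an unknown / already-used challenge
        self.pending.discard(challenge)  # single-use, so a captured response cannot be replayed
        expected = hmac.new(self.secret, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def run_scenarios():
    site = Website("https://login.example.com")
    results = {}
    client_data, response = browser_login(site.origin, site.new_challenge())
    results["genuine_login"] = site.verify(client_data, response)
    results["replay_of_captured_response"] = site.verify(client_data, response)
    try:  # a look-alike domain relays the real challenge; the key has nothing stored for it
        browser_login("https://login.examp1e.com", site.new_challenge())
        results["phishing_site"] = True
    except ValueError:
        results["phishing_site"] = False
    return results
```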