
Unphishable MFA explained: what unphishable MFA is and how to use it

TL;DR: What is unphishable MFA?

Authentication in software essentially just means you're confirming a user's identity. Multi-factor authentication (MFA) means you're using more than one piece of information to confirm the user's identity.

When we talk about unphishable MFA, we're just talking about variants of multi-factor authentication that are resilient to phishing attacks: the factor is bound to the legitimate site, so a lookalike login page can't capture it and reuse it. Major examples include FIDO2/WebAuthn credentials such as passkeys and hardware security keys.


Why do we need unphishable MFA?

Phishing is a problem. No, it's not just for dummies.

Smart companies fall for phishing scams.

This is Evaldas Rimasauskas in custody.

[Image: phishing-evaldas]

You might be wondering what he did to get arrested.

Well, in 2019, the US Attorney's Office for the Southern District of New York outlined exactly what Evaldas Rimasauskas had done once he'd been sentenced to five years in prison. Here's an excerpt from their news release:

From at least in or around 2013 through in or about 2015, RIMASAUSKAS orchestrated a fraudulent scheme designed to deceive the Victim Companies, including a multinational technology company and a multinational online social media company, into wiring funds to bank accounts controlled by RIMASAUSKAS.

The release continues:

Through these false and deceptive representations over the course of the scheme, RIMASAUSKAS, the defendant, caused the Victim Companies to transfer a total of over $120,000,000 in U.S. currency from the Victim Companies’ bank accounts to Company-2’s bank accounts.

Yeah. That's $120,000,000. And if you're wondering what the "Victim Companies" are, it's not really a secret. They were Facebook and Google.

The scam was really simple. Rimasauskas just forged emails and invoices purporting to originate from Quanta Computer, a real Taiwanese company that really does business with Facebook and Google. He mixed the fake invoices in with real ones and convinced Facebook and Google employees who routinely processed multimillion-dollar payments to send him money.

Phishing scams like this can be extremely lucrative. That gives attackers abundant incentive to do their homework. Rimasauskas's scam wasn't built on wild technical sophistication -- just simple fraud. In some ways, that's the brilliance of the thing. His scam was so simple as to blend in with the banality of Facebook and Google employees' regular workstreams.

This stuff actually happens. It's a real security problem.

Phishing is everywhere, and it's getting stronger.

Phishing attacks happen all the time. There's an oft-cited statistic that billions of phishing emails get sent every day. I've not personally been able to track down the original analysis for that number, but we can nonetheless appreciate that it seems plausible to people working in IT and security. That's pretty telling.

You can check out some detailed analysis in Verizon's Data Breach Investigations Report, but it suffices to recognize that phishing is one of the main initial-access vectors for pretty much every variety of cybercrime. And again, these scams aren't just orchestrated by fools. The stakes are high, as the Rimasauskas anecdote illustrates. A good chunk of cybercrime now originates from state actors like North Korea.

Attackers are getting more creative, more resourceful. CrowdStrike reports that voice-based phishing ("vishing") attacks increased by 442% from the first to the second half of 2024. FINRA, an American financial regulator, now explicitly warns institutions about phishing that uses generative AI tools (think: deepfakes).

It's not just about typo-riddled emails anymore. Phishing is a real issue.

Conventional MFA methods aren't good enough

All multi-factor authentication (MFA) is worth something. It is always better to use some form of MFA when the alternative is ... just not using MFA. Please do not interpret any of the following as a reason not to implement (or require) MFA from users.

That being said, many of the prevailing techniques for MFA are vulnerable to phishing, because the second factor is a code or an approval that can be handed to an attacker just as easily as a password can.

Vulnerability of SMS MFA

Most of us have used SMS (i.e., text messages) for multi-factor authentication before. It's the first form of MFA I can personally remember using. It goes something like this: you enter the correct password for a website; the website messages a short-lived secret code to your mobile phone; you enter the code to prove your access to the phone.

[Image: unphishable-sms-mfa]

Well, SMS MFA isn't that secure, it turns out. Attackers can use SIM-swapping (socially engineering or bribing a carrier into moving your phone number to a SIM they control) to receive your codes and bypass SMS-based MFA. A few years back, attackers used SIM-swapping to steal around $400M in cryptocurrency. This stuff happens pretty often. (Here again, the stakes are high enough for people to try!)

Of course, it's simpler just to trick people into revealing SMS MFA codes. Nothing ties a six-digit code to the real website, so a lookalike login page can ask you for it and relay it to the real service before it expires. Here's an example of a real text that a Reddit user got.

[Image: unphishable-sms-bypass]

People wouldn't try this stuff if it didn't work.

Vulnerability of push notification MFA

It's a little less common than SMS-based MFA, but you might have seen push notifications used as multi-factor authentication before. The idea is pretty similar. When you try to log in, you get a notification on a smartphone app. You just have to press Approve to confirm that you are in control of the phone.

It looks something like this:

[Image: unphishable-push-notification-mfa]

This is an improvement over SMS, at least in the sense that you're no longer vulnerable to SIM-swapping.

However, you are vulnerable to MFA bombing (also called push bombing or MFA fatigue). An attacker who already has your password will just flood you with notifications. You'll get a barrage of identical "is this you?" messages from your smartphone app. Eventually, you might just hit Approve out of frustration -- or simply by accident. The root problem is the same as with SMS: a bare Approve button carries no information about which login you're actually approving.

This might be stupid, but it works. Back in 2022, a strange message popped up in Uber's Slack channels.

I announce i am a hacker and uber has suffered a data breach.

Yeah. Turns out the attack went something like this, according to Uber:

  1. An external contractor for Uber got some malware onto their personal machine.
  2. The malware stole the contractor's Uber corporate login credentials, which were then sold on the dark web.
  3. Another attacker purchased the login credentials.
  4. When this attacker tried to use the credentials to access Uber's corporate environment, each attempt triggered an MFA push notification, and the attacker kept retrying, flooding the contractor with prompts.
  5. The contractor eventually accepted one of these notifications, granting access to the attacker.

Brutal.

Unphishable MFA: what are some options?

Hardware factors

You can use hardware like YubiKeys. These are basically hardware security tokens that you can use with a variety of protocols, including WebAuthn (FIDO2). You might, for example, have a USB-C stick that you need to physically insert into your computer and touch. The key point is that the token holds a private key that never leaves it and that is bound to the site that registered it, so a phishing site can't get a usable signature out of it.

[Image: unphishable-yubikeys]

I remember using hardware like this ages ago. I was interning at a pretty small credit union at the time. And all of our software was from the 1990s.

These can be a good solution in some cases, but it's not easy to get people actually using these. The simple truth is that most users already hate using SMS-based MFA. You really need some executive buy-in to bully people into doing something this inconvenient.

Biometric factors

On certain devices, you can set up biometric authentication factors. For example, on macOS machines, you can set up Touch ID. It's a pretty slick user experience.

[Image: unphishable-touchid]

This is unphishable, but not because a fingerprint is hard to steal (biometrics can be copied and are not secrets). Touch ID here is acting as a WebAuthn platform authenticator: your fingerprint only unlocks a private key held in the Secure Enclave, the fingerprint never leaves the device, and the key is bound to the site that registered it. A phishing site never sees anything it can reuse.

Unphishable MFA: how do you support it in SaaS?

If you're making business software, you might be wondering how you support unphishable authentication factors like YubiKeys or macOS Touch ID. You want to protect your customers, but it's not obvious at first glance how you make it happen.

Thankfully, a lot of these authentication factors are wrapped up behind a standard called WebAuthn (the browser half of FIDO2); passkeys are the consumer-facing name for WebAuthn credentials. At the risk of oversimplifying things, if you support WebAuthn, you support unphishable MFA. The reason: the browser only lets a credential be used from the domain it was registered for, and the authenticator signs a challenge together with the origin it was asked from, so a credential for example.com simply doesn't work from a lookalike domain.

Okay, well how do you support WebAuthn, then? The particularities of WebAuthn are a little complex (and out of scope here, regrettably). If you're going to roll your own, you will have to figure out how it works; that means reading the W3C WebAuthn specification (and the FIDO CTAP specification if you go down to the authenticator level). There are some standards like OAuth that have pretty solid tooling in most programming ecosystems. Even SAML has a bunch of solid libraries! WebAuthn tooling just isn't as mature, and so you won't find a ton of great resources out there.

If you just want an implementation done, you should consider using Tesseral. Tesseral is open source auth infrastructure for B2B SaaS. In just a few simple lines of code, you get a best-in-class auth and user management system that includes everything you'll need for any scale: from SAML to SCIM to RBAC. And yes, you get WebAuthn support too. It requires no extra code. You don't even need to know how the standard works. You just have to click a button in the Tesseral console.

About the Author
Ned O'Leary
Cofounder and CEO, Tesseral
Ned is the cofounder and CEO of Tesseral. Previously he worked at Gem and the Boston Consulting Group. He writes about product design, identity, and access management. You can often find him at Baker Beach in San Francisco with his puppy, Fred.