Phishing-Resistant Multi-Factor Authentication
Strengthening the Security of Consumer Authentication through Phishing-Resistant Multi-Factor Authentication

Publication Date: June 2024

Executive Summary

This white paper highlights the challenges of traditional authentication methods, especially the vulnerabilities of passwords to phishing attacks. Phishing has become a major security threat in the U.S., reported as the number one fraud crime in 2022, and has prompted a requirement for all U.S. Federal agencies to implement phishing-resistant multi-factor authentication (MFA) by 2024.

While common MFA approaches (e.g., one-time passcodes) may thwart some phishing attacks, fraudsters have developed schemes that bypass MFA and gain access to user accounts. The white paper discusses the phishing-based MFA bypass schemes that payments industry stakeholders have experienced, such as social engineering, one-time passcode (OTP) relay, and the use of bots and phishing kits. Generative artificial intelligence (AI) is further altering the payments fraud landscape by giving fraud perpetrators new tools.

Payments industry stakeholders are advised to implement countermeasures that detect fraud, and businesses are encouraged to deploy some form of MFA in the short term, even if only OTP or push-based notifications, while developing a longer-term strategy. Mitigation tactics for financial institutions and merchants include monitoring customer activity, complying with the Payment Card Industry Data Security Standard (PCI DSS), educating customers so that they remain vigilant to phishing, and using machine learning to identify suspicious actor behavior.

The ultimate goal is to support a phishing-resistant MFA solution, for example one built on the FIDO2 specifications. A FIDO2 credential is a device-bound private key that never leaves the authenticator, and the browser binds each signed login to the origin of the site that requested it, so a user lured to a lookalike site has no secret to type in and the lookalike site cannot obtain a signature the genuine service will accept; passwords are no longer needed. The standards and specifications being developed to promote global interoperability are at the forefront of the next generation of multi-factor authentication and of digital identity more broadly.
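The following script is an added illustration of the two points above (OTP relay from the previous paragraph and origin-bound FIDO2 assertions from this one); it is not code from the white paper or from the FIDO Alliance. It models a relying party that accepts a relayed OTP but rejects a WebAuthn assertion minted on a lookalike origin. The authenticator's private-key signature is replaced by HMAC-SHA256 so that the script runs on the Python standard library alone; the hostnames, keys and challenges are constructed for the demonstration, and the authenticator data is a minimal stand-in for the real CBOR-encoded structure.

```python
"""Added example (not from the white paper): why a relayed OTP is accepted
but a relayed FIDO2/WebAuthn assertion is not.  The authenticator's
private-key signature is modelled with HMAC-SHA256 so the script needs only
the standard library; a real authenticator signs with an ECDSA/EdDSA key that
never leaves the device.  All hostnames, keys and challenges are constructed."""

import hashlib
import hmac
import json
import secrets

RP_ID = "bank.example"                      # relying party ID the passkey was registered for
GENUINE_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.com"   # lookalike site run by the phisher


# ---- One-time passcode: the server sees a code, not the page it was typed into ----

def otp_server_verify(expected_otp: str, submitted_otp: str) -> bool:
    return hmac.compare_digest(expected_otp, submitted_otp)


def otp_relay_attack() -> bool:
    """Victim enters the OTP on the phishing page; the phisher forwards it in real time."""
    otp = f"{secrets.randbelow(10**6):06d}"       # code the bank pushed to the victim's phone
    typed_into_phish_page = otp                    # victim is looking at bank-example.com
    relayed_by_attacker = typed_into_phish_page    # attacker pastes it into the real bank site
    return otp_server_verify(otp, relayed_by_attacker)   # True: nothing ties the code to an origin


# ---- FIDO2/WebAuthn: the browser bakes the real origin into the signed data ----

def authenticator_sign(key: bytes, origin: str, challenge: bytes) -> dict:
    """Browser builds clientDataJSON from the page origin it is actually on; the
    authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    auth_data = rp_id_hash + b"\x01" + (0).to_bytes(4, "big")   # flags=UP, signCount=0
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(key, to_sign, hashlib.sha256).digest()  # stand-in for device-bound key
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify(key: bytes, expected_challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks in the order WebAuthn prescribes: type, challenge,
    origin, rpIdHash, then the signature over the exact bytes the browser produced."""
    try:
        cd = json.loads(assertion["clientDataJSON"])
    except (ValueError, KeyError):
        return False
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(str(cd.get("challenge", "")), expected_challenge.hex()):
        return False
    if cd.get("origin") != GENUINE_ORIGIN:       # assertion minted on another origin: reject
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def fido_legitimate_login() -> bool:
    key = secrets.token_bytes(32)                  # registered credential key
    challenge = secrets.token_bytes(32)            # fresh per-login challenge from the bank
    return rp_verify(key, challenge, authenticator_sign(key, GENUINE_ORIGIN, challenge))


def fido_relay_attack() -> bool:
    """Phisher fetches a real challenge, relays it to the victim's browser on the
    lookalike site, and forwards whatever comes back to the bank."""
    key = secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)
    assertion = authenticator_sign(key, PHISH_ORIGIN, challenge)   # origin is the phishing site
    return rp_verify(key, challenge, assertion)                    # False: origin mismatch


def fido_relay_with_tampering() -> bool:
    """Phisher rewrites the origin field to look genuine; the signature was made
    over the original clientDataJSON bytes, so it no longer verifies."""
    key = secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)
    assertion = authenticator_sign(key, PHISH_ORIGIN, challenge)
    assertion["clientDataJSON"] = assertion["clientDataJSON"].replace(
        PHISH_ORIGIN.encode(), GENUINE_ORIGIN.encode())
    return rp_verify(key, challenge, assertion)                    # False: signature mismatch


if __name__ == "__main__":
    print("OTP relay accepted:          ", otp_relay_attack())
    print("FIDO2 genuine login accepted:", fido_legitimate_login())
    print("FIDO2 relayed assertion:     ", fido_relay_attack())
    print("FIDO2 relayed and tampered:  ", fido_relay_with_tampering())
```

Two caveats for practitioners. First, in a real browser the client-side RP ID check means a credential registered for bank.example cannot be exercised from bank-example.com at all, so the phisher usually never receives an assertion; the server-side origin and rpIdHash checks shown here are the backstop, and an implementation that skips them (or compares the origin loosely) throws away the phishing resistance. Second, the device-bound key is what removes the user from the loop: there is no shared secret the victim can be talked into typing, which is the property an OTP, however it is delivered, cannot offer.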

The white paper concludes by highlighting the importance for all payments industry stakeholders to understand evolving authentication methods and implement emerging standards for improved security.

Please note: The information and materials available on this web page (“Information”) is provided solely for convenience and does not constitute legal or technical advice. All representations or warranties, express or implied, are expressly disclaimed, including without limitation, implied warranties of merchantability or fitness for a particular purpose and all warranties regarding accuracy, completeness, adequacy, results, title and non-infringement. All Information is limited to the scenarios, stakeholders and other matters specified, and should be considered in light of applicable laws, regulations, industry rules and requirements, facts, circumstances and other relevant factors. None of the Information should be interpreted or construed to require or promote the establishment of any solution, practice, configuration, rule, requirement or specification inconsistent with applicable legal requirements, any of which requirements may change over time. The U.S. Payments Forum assumes no responsibility to support, maintain or update the Information, regardless of any such change. Use of or reliance on the Information is at the user’s sole risk, and users are strongly encouraged to consult with their respective payment networks, acquirers, processors, vendors and appropriately qualified technical and legal experts prior to all implementation decisions.