Implementing phishing-resistant MFA: Our data-driven approach

Traditional multi-factor authentication methods typically rely on a combination of factors: something the user knows (such as a password), something they have (like a code sent via SMS), or something they are (such as a fingerprint). Phishing-resistant MFA goes far beyond the capabilities of traditional MFA. It is a highly secure authentication method that uses multiple layers of protection to ensure enhanced security. It is immune to phishing attacks and responds only to valid requests from known and trusted parties. This approach involves a strong, trusted relationship through cryptographic registration. This type of MFA uses authentication methods such as fingerprint, face recognition, a PIN, or hardware security keys.

As a distributed, remote-first organization with a workforce spanning thousands of employees worldwide, we acknowledged the profound implications of deploying Phishing-resistant MFA, changing how our employees come to work. But with phishing attacks becoming more complex, we also knew how critical it was to make the switch. Below, we’ll share the steps we took to deploy Phishing-resistant MFA for Elastic® employees and the outcome we achieved.

Phishing attacks have grown remarkably sophisticated. Cyber attackers no longer need to spoof websites to engage in credential phishing; now, they can steal user sessions while showing the user a perfectly legitimate site. It all starts with phishing campaigns where attackers trick users into navigating to a proxy site. When users enter their credentials, the proxy site acts as an intermediary, passing the requests and responses between the user and the real website. Things will proceed normally: the legitimate website prompts for MFA verification, the user will enter the additional details as normal, then the website responds with a session cookie, and the user is logged in. 

To the user, this all looks normal, but the malicious actor has access to the full session, including the session cookie sent by the legitimate site after the MFA was completed. Once an account is compromised, the attacker can attempt to move laterally, evade detection, and pivot throughout the environment to elevate privileges.

Because Elastic’s employee base is distributed by design and utilizes many SaaS applications, MFA is the primary layer of protection for many Elastic assets. We removed the option to authenticate with SMS some time ago. Still, up until recently we relied heavily on push notifications, mobile authenticators, and time-based one-time passwords (TOTP), with relatively low adoption of FIDO2 authentication factors resistant to these modern, proxy-based attacks.

Click rates for phishing are estimated to increase year over year depending on the industry and the source of the research (more information on Statista). As a member of our InfoSec team, we know that Elastic has a very engaged and security-conscious employee base, but we are also realistic. When a campaign can target hundreds or thousands of users at a time or make use of highly targeted lures, somebody will always click. 

We also believe that if our security model fails because somebody clicked a link, that’s on us as a security team.

Between security assessments, industry suggestions, and the lowering barrier of entry for cybercriminals, the Information Security (InfoSec) team decided to adapt our approach to Phishing-resistant MFA urgently. We decided to move to phishing-resistant MFA as a necessary next step to protect our end users from sophisticated phishing attempts. For a long time, our end users bore the responsibility of protecting their accounts and, with proxy-based attackers in the middle, the only way for a user to identify an attempt to steal their session in this way was to notice a change in the URL. With phishing-resistant MFA, our goal was to shift that dynamic, lifting the burden off our end users and placing it on robust authentication protocols like Fast Identity Online (FIDO). 

FIDO authentication operates on the premise of employing a distinct set of keys for each user and website. Upon user registration, a unique key pair is generated, consisting of a public key known to the site and a private key securely stored on the user's device. During authentication, the site issues a challenge, and the user's device verifies if the site's identity and domain align with the initial registration. If there's a mismatch, authentication fails, acting as a reliable safeguard against these attacks.

The scope of this effort was extensive — covering all our employees and contractors — with a unique set of challenges. Despite the challenges, we successfully implemented Phishing-resistant MFA across our entire organization within three months. A major factor in this achievement was a dedicated emphasis on data.

Multi-factor authentication alone is no longer sufficient to protect user accounts against threats. Our team firmly believes that a data-driven, real-time approach that is scalable and user-centered can effectively address these challenges. By harnessing the power of Elastic for automation and keeping data at the forefront, we were able to introduce phishing-resistant multi-factor authentication across our entire organization in just three months. With buy-in from the executive team, this approach dramatically reduced our exposure to the ever-changing threat landscape. We hope that our success story will inspire you to embrace these innovative solutions to achieve your security goals.

Learn how our customers have used Elastic Security to protect their businesses against cyber threats.