Tackling the human element in modern authentication: the phishing-resistant user

As cyber attacks intensify in frequency and sophistication, the human side of security remains crucial — yet is often the weakest link. Over the past five years, there has been an exponential increase in cyber attacks, with many breaches executed not through high-tech hacking methods but via stolen login credentials and the exploitation of human error. The human factor has emerged as a predominant cause of cyber vulnerability, underlining the necessity for robust cybersecurity strategies focused on tackling the challenges and vulnerabilities that will always come with human error.

According to the Verizon Data Breach Investigations Report (DBIR), 81% of hacking-related breaches were facilitated by weak or stolen passwords. Furthermore, human-related factors contributed to 68% of these incidents. This trend has considerable financial implications, evidenced by a surge in cyber insurance rates, which have escalated by 200–300% on average. Such statistics highlight the urgent need for enhanced security measures that address technological weaknesses and human errors.

Australia’s cyber legislation and guidelines

The policymakers’ response has been strong in Australia. The Australian Government has revised the Security of Critical Infrastructure (SOCI) Act, introducing four enhanced cybersecurity obligations to strengthen the nation’s critical infrastructure. It has also expanded the number of industries regarded as critical infrastructure to 11.

Meanwhile, the Australian Cyber Security Centre (ACSC) has revised its Essential Eight Maturity Model. The model now mandates phishing-resistant multi-factor authentication (MFA) at its second and third maturity levels. This form of authentication relies on possession-based methods, where the private keys are securely stored on a device controlled by the user, thus eliminating shared secrets that can be easily compromised. The model also emphasises the importance of recognising the parties involved in transactions and understanding user intent to ensure only actions based on recognised authentication requests are taken.

Human elements of modern authentication

To combat human-centric vulnerabilities, modern authentication strategies incorporate several key elements that are important to understand:

• Knowledge and familiarity: Ensuring users are aware of and familiar with the security processes.
• Simplicity: Making systems easy to use to reduce the risk of user error.
• Presence and vigilance: Requiring the physical presence of a user for authentication and encouraging constant vigilance for suspicious activities.
• Trust and biometrics: Leveraging biometric technologies to strengthen trust and security measures.
• Touch and user intent: Recognising the user’s physical interaction and intent can help distinguish legitimate actions from fraudulent ones.
   

These key human elements are crucial in designing security measures that are inherently secure yet user-friendly, representing an ongoing evolution in cybersecurity strategies.

Recognising the gravity of the threat of the human impact on security, security strategists are increasingly moving from a reactive to a proactive stance. A significant aspect of this strategic shift is adopting the zero trust framework, which distrusts all entities by default, regardless of their network presence. This approach is rapidly becoming standard in cybersecurity protocols, aiming to fortify defences comprehensively.

The growing adoption of passkeys marks a significant evolution in the digital security landscape, with major technology and e-commerce companies at the forefront of this movement. Passkeys represent a paradigm shift towards more secure, multi-factor and passwordless authentication systems that enhance user convenience while bolstering security.

The adoption of passkeys also addresses some of the fundamental weaknesses of passwords, including their susceptibility to being forgotten, stolen or compromised. Since passkeys do not involve the memorisation of complex strings of characters and are inherently resistant to phishing attempts, they offer a significantly safer alternative. Users no longer face the risks associated with password reuse across multiple sites, a common practice that can lead to widespread security vulnerabilities if one site is compromised.

For Australian organisations, the implementation of passkeys should begin with addressing easily manageable challenges, promoting the benefits to users, such as eliminating the need for passwords, and simplifying the adoption process through clear policies and comprehensive cybersecurity training.

Phishing-resistant users

As highlighted in the Essential Eight mentioned previously, organisations are increasingly adopting phishing-resistant MFA solutions like passkeys to curb the rising tide of phishing attacks. This strong authentication method has been proven effective in preventing phishing attacks while reducing the burden on users to make the right decisions during phishing attempts.

With recent advancements in passwordless — and new on-device authentication — solutions, the way an organisation can establish and manage a user’s identity credential throughout its lifecycle has evolved to address these increasing challenges. In order to truly prevent phishing attacks, organisations must do more than just invest in phishing-resistant authentication — they must instead focus on developing phishing-resistant users.

Given that users often move across platforms (ie, Apple, Google, Microsoft), devices (smartphones, laptops, tablets) and between personal and corporate apps and services in the course of their day, many conventional authentication techniques are inherently phishable. And organisations often temporarily default to phishable user registration, and account recovery methods when a user is first being onboarded or when their device is lost or stolen, creating convenient points in time for a phishing attack to take hold. This piecemeal approach to authentication exacerbates the challenge for enterprises in consistently safeguarding their systems and data, and even staying in compliance.

The only effective approach to removing phishing from an organisation’s threat landscape is to ensure that every user and process within the organisation becomes phishing-resistant. Secure authentication that moves with users across all devices, platforms and services no matter how they work is not a luxury, but a necessity in today’s fast-moving digital landscape. Phishing resistance in registration, authentication and recovery processes are mandatory for cultivating phishing-resistant users.

Conclusion

Integrating human-centric cybersecurity strategies is not merely an option but a necessity in today’s threat landscape. Cybersecurity strategies become more robust and effective by enhancing technological defences with an understanding of human psychology and behaviour. Organisations must, therefore, continue innovating and adapting, ensuring that security measures are user-friendly and inclusive, enhancing protection through everyday user actions and decisions.

As we progress into an increasingly interconnected world, the human element of authentication and security remains more pivotal than ever, serving as both a potential vulnerability and a powerful ally in the ongoing battle against cyber threats.

*Geoff Schomburgk is responsible for driving the Yubico business across the Asia Pacific and Japan (APJ) region, working with partners and enterprise customers to implement modern phishing-resistant authentication. He is an experienced senior executive with a background in engineering and strategy consulting and over 30 years’ experience in the global ICT industry. Geoff has a Bachelor of Engineering (Honours) and MBA and is also a qualified Company Director (FAICD).

Top image credit: iStock.com/Andreus