MFA Rezistente ndaj Phishing-ut

I Avancuar 14 min Inxhinieria Sociale

Hyrje

Multi-factor authentication (MFA) is one of the most effective controls against phishing, but not every MFA method is equal.

Teoria

SMS codes and TOTP authenticator apps both stop pure credential theft, but they can still be phished in real time. A sophisticated attacker uses a reverse-proxy kit like Evilginx or Modlishka that places a phishing page between the victim and the real service: when the victim enters their password and one-time code, the proxy forwards both to the legitimate site and captures the resulting session cookie, giving the attacker full access. This class of attack is called adversary-in-the-middle (AiTM) and has been used in multiple documented incidents against Microsoft 365 tenants. Phishing-resistant MFA means the second factor is bound to the origin and cannot be proxied. WebAuthn (passkeys) and FIDO2 hardware tokens like YubiKey achieve this: the authenticator cryptographically signs a challenge that includes the real site's origin, so if the victim is on a phishing domain the signature does not match and the login fails. Smart cards with client certificates offer similar guarantees and are standard in government and high-security environments. For organizations, the minimum bar for administrators and privileged users in 2024 should be a FIDO2 token or passkey. For general users, TOTP is better than SMS but should be upgraded to WebAuthn when possible. Every incident response report in the last two years has a line that says "if they had enforced phishing-resistant MFA, this would not have happened."

Mjetet

Faktorët e dytë të rezistuar ndaj phishing:

  • FIDO2 / WebAuthn (YubiKey, Titan Key, passkeys).
  • Smart cards (PIV, CAC).
  • Push notifications me number matching (Microsoft Authenticator, Duo).

Faktorët jo-rezistent: SMS OTP, TOTP i thjeshtë (Google Authenticator pa number matching), email.

Praktika

Aktivizim i passkey në një aplikacion PHP:

// Me bibliotekën web-auth/webauthn-lib
$server = new Webauthn\Server($rpEntity, $repository);
$options = $server->generatePublicKeyCredentialCreationOptions($user);
// Dërgo te klienti → navigator.credentials.create({publicKey: options})

Ushtrime

  1. Konfiguro passkey në një llogari Google / Microsoft personale dhe testo login.
  2. Shpjego pse SMS OTP është i thyeshëm nga SIM swap.

Burime

  • FIDO Alliance docs.
  • NIST SP 800-63B — AAL3.

Vlerësimet dhe komentet

Kyçu për të lënë një vlerësim.

Ende pa komente. Bëhu i pari!

Diskutime

Ende pa diskutime. Hap një temë të re