Identity And Access Management

Ronnie Manning On Phishing-Resistant MFA And FIDO Adoption

Expert Insights interviews Ronnie Manning, Chief Marketing Officer at Yubico.

Identity-related risks, such as stolen credentials and phishing, are “growing at a much higher scale,” than ever before, Ronnie Manning, Chief Marketing Officer at Yubico tells Expert Insights. “But what’s interesting is that it’s not necessarily a piece of malware, or a piece of code… we’re seeing more traditional social engineering tactics to actually speak with the person. The individual themselves can be tricked into giving away the methodology, or the token, or the code to be able to get in.”

Manning has been at Yubico for ten years, seeing first-hand the evolution of identity-related threats and the advancement of security keys and authentication protocols. Yubico is a global leader in secure access and authentication, known for the YubiKey, a hardware security key. Yubico has been a driving force in setting global standards to secure access for digital accounts and devices, and their multi-platform authentication solutions are used by millions of users worldwide. You can listen to our full interview with Manning on the Expert Insights Podcast.

The rise of sophisticated attacks aiming to trick users has made phishing-resistant multi-factor authentication (MFA) tools extremely important for protecting accounts against compromise, Manning says. All too often, when it comes to phishing, the onus is put onto individuals to spot scams, particularly as companies invest in phishing awareness training tools. But to ensure protection, we need to take the onus off the individual and put better security controls around the account itself.

An increasingly common phishing attack targets users with push notifications or text messages, asking the user to accept a login request they didn’t make. “If it’s a push attack, or MFA fatigue attack, my phone is ringing, and I’m getting sick of saying no, and eventually I’ll hit yes just to get it to stop ringing! But little do I know I’m actually giving my code to someone who’s going to use it maliciously.”
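The push-fatigue pattern Manning describes is visible in authentication logs before the user finally taps “yes”: a burst of push prompts to one account, a run of denials, and then an approval. The following script is an added example (not Yubico’s code, and not from Expert Insights) of detection logic a security operations team could run over such logs. The log format, the event names (`push_sent`, `push_denied`, `push_approved`), the ten-minute window and the threshold of four prompts are all constructed assumptions for the illustration; real identity providers use their own schemas and the thresholds need tuning per environment.

```python
"""Flag MFA-fatigue ("push bombing") patterns in authentication logs.

Added example: not Yubico's code or from Expert Insights. The log format,
event names, window size and threshold below are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed sliding window per user
PUSH_THRESHOLD = 4               # assumed: prompts in one window before alerting
DENIALS_BEFORE_APPROVAL = 2      # assumed: denials in window that make an approval suspicious

# Constructed sample log: "<ISO timestamp> <user> <event>" per line.
SAMPLE_LOG = """\
2024-03-01T08:00:05Z alice push_sent
2024-03-01T08:00:19Z alice push_denied
2024-03-01T08:00:40Z alice push_sent
2024-03-01T08:00:52Z alice push_denied
2024-03-01T08:01:30Z bob push_sent
2024-03-01T08:01:38Z bob push_approved
2024-03-01T08:01:45Z alice push_sent
2024-03-01T08:01:59Z alice push_denied
2024-03-01T08:02:30Z alice push_sent
2024-03-01T08:02:48Z alice push_approved
2024-03-01T09:30:00Z carol push_sent
2024-03-01T09:30:10Z carol push_approved
"""


def parse_line(line: str):
    """Split one log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_mfa_fatigue(lines, window=WINDOW, threshold=PUSH_THRESHOLD,
                       denials_before_approval=DENIALS_BEFORE_APPROVAL):
    """Return a list of (user, alert_kind, timestamp) tuples.

    Two signals are raised:
      push_bombing           - `threshold` or more prompts to one user inside `window`
      approval_after_denials - an approval that follows repeated denials inside `window`,
                               the moment the user "hits yes just to make it stop"
    """
    sends = defaultdict(deque)    # user -> timestamps of push_sent inside the window
    denials = defaultdict(deque)  # user -> timestamps of push_denied inside the window
    alerts = []
    bombing_flagged = set()       # alert once per user per burst, not on every extra prompt

    for line in lines:
        if not line.strip():
            continue
        ts, user, event = parse_line(line)

        # Expire events that have fallen out of the sliding window.
        for queue in (sends[user], denials[user]):
            while queue and ts - queue[0] > window:
                queue.popleft()

        if event == "push_sent":
            sends[user].append(ts)
            if len(sends[user]) >= threshold and user not in bombing_flagged:
                bombing_flagged.add(user)
                alerts.append((user, "push_bombing", ts))
        elif event == "push_denied":
            denials[user].append(ts)
        elif event == "push_approved":
            if len(denials[user]) >= denials_before_approval:
                alerts.append((user, "approval_after_denials", ts))
            # A clean approval resets the burst tracking for this user.
            bombing_flagged.discard(user)
    return alerts


def run_sample():
    """Run the detector over the constructed log."""
    return detect_mfa_fatigue(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for user, kind, ts in run_sample():
        print(f"{ts.isoformat()} {user}: {kind}")
```

On the constructed log, alice is flagged twice (four prompts in under three minutes, then an approval after three denials) while bob and carol, who each approved a single prompt, produce nothing. The second signal is the one worth paging on: it marks an account that is likely already compromised, so the response is to invalidate the session and re-verify the user, not just to note the noise.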

Deploying FIDO In The Enterprise

The FIDO2 authentication standard was developed and agreed upon by an alliance of technology providers, including Yubico, Microsoft, Google, and Apple. The protocol is designed to help protect consumer and enterprise accounts against compromise and to improve authentication usability for end-users, moving away from reliance on passwords alone as the way to secure accounts.

“These modern authentication protocols that Yubico has co-created, put into FIDO2/WebAuthn, actually take the onus away from the individual making that decision, to put the security in the physical keys themselves. So, if someone is trying to get that information from me, they can’t, because it all resides on the YubiKey. That’s where the term ‘Phishing-Resistant MFA’ comes from,” Manning explains. 
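What makes the decision move from the person to the key is that a FIDO2/WebAuthn assertion is bound to the site the browser is actually on and to a fresh server challenge, and the private key never leaves the authenticator. The script below is an added example (not Yubico’s code, not the FIDO Alliance’s reference implementation) that models the relying-party checks and three things an attacker might try: a look-alike domain, relaying a real challenge through a phishing page, and replaying a captured assertion. To keep it standard-library only, an HMAC stands in for the authenticator’s asymmetric signature, so the relying party here holds the same secret; in real WebAuthn the relying party stores only a public key. Domain names, the credential scoping and the `ToyAuthenticator` class are constructed for the illustration.

```python
"""Toy model of why a FIDO2/WebAuthn assertion does not work from a phishing site.

Added example: not Yubico's or the FIDO Alliance's code. The HMAC "signature"
stands in for the authenticator's asymmetric signature so the script needs
only the standard library; the relying party would normally hold a public key.
"""
import hashlib
import hmac
import json
import secrets


class ToyAuthenticator:
    """Simulates a roaming authenticator holding one credential per relying-party ID."""

    def __init__(self):
        self._keys = {}  # rp_id -> credential secret (constructed stand-in for a key pair)

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key  # toy only: a real authenticator returns a public key, never the secret

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        """Sign authenticatorData || SHA-256(clientDataJSON); None if no credential for rp_id."""
        key = self._keys.get(rp_id)
        if key is None:
            return None  # credentials are scoped: a look-alike site has nothing to sign with
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags (UP)
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(key, signed, hashlib.sha256).digest()


def build_client_data(challenge: bytes, origin: str) -> bytes:
    """The browser, not the page or the user, fills in the origin it is really on."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": challenge.hex(),
                       "origin": origin}).encode()


def verify_assertion(credential_key, rp_id, expected_origin, expected_challenge,
                     client_data_json, auth_data, signature):
    """Relying-party checks in the order WebAuthn specifies; returns (ok, reason)."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch (replay)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')}"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    expected = hmac.new(credential_key,
                        auth_data + hashlib.sha256(client_data_json).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Run a legitimate login and three attack attempts; return each outcome."""
    rp_id, origin = "example.test", "https://example.test"     # constructed names
    authenticator = ToyAuthenticator()
    key = authenticator.register(rp_id)
    results = {}

    challenge = secrets.token_bytes(32)
    cdj = build_client_data(challenge, origin)
    auth_data, sig = authenticator.get_assertion(rp_id, cdj)
    results["legit"] = verify_assertion(key, rp_id, origin, challenge, cdj, auth_data, sig)

    # 1. Look-alike domain: the browser derives rp_id from the page it is on,
    #    and no credential is scoped to it, so the key has nothing to sign with.
    results["lookalike"] = authenticator.get_assertion(
        "examp1e.test", build_client_data(challenge, "https://examp1e.test"))

    # 2. Relay: even if a phishing page forwarded the real challenge and somehow got
    #    an assertion, the browser-supplied origin in clientDataJSON gives it away.
    cdj_phish = build_client_data(challenge, "https://examp1e.test")
    ad2, sig2 = authenticator.get_assertion(rp_id, cdj_phish)
    results["relay"] = verify_assertion(key, rp_id, origin, challenge, cdj_phish, ad2, sig2)

    # 3. Replay: a captured assertion is useless against the next challenge.
    results["replay"] = verify_assertion(key, rp_id, origin, secrets.token_bytes(32),
                                         cdj, auth_data, sig)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The check that fails first is what matters for the defender: the look-alike site never gets a signature at all, the relayed assertion is rejected on origin, and the replayed one on the challenge. None of those outcomes depended on the user noticing anything, which is the sense in which the security “resides on the YubiKey” rather than with the individual.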

YubiKeys offer a bridge to modern authentication processes, enabling organizations to roll out phishing-resistant MFA technologies across their organization. This can range from typical OTP all the way to modern FIDO2-based authentication. YubiKeys are designed to work across all tech stacks, from on-prem Active Directory to modern Azure in the cloud, so users can use the same key to access all of their accounts and services.

Hardware security keys are the most secure way to roll out phishing-resistant MFA, Manning says. “Because it is a physical device that is not connected to the internet, you only use it when you need to authenticate. With a lot of FIDO-supporting application services, you can use it once, and then you stay trusted on that device. But [with a hardware token] if someone were to get my username and password, they would still need that physical key. It really is separating the authentication into the system, and having that physical device, just like a house or car key, that I need to get in there.”

The Momentum Towards Phishing-Resistant MFA

Two years ago, the Executive Order On Improving The Nation’s Cybersecurity recommended that any organization working in the public sector, or within that supply chain, needs to implement phishing-resistant multi-factor authentication as part of a move to Zero Trust Architecture. Two years later, the momentum towards this goal is continuing to build, Manning says. 

“In order to actively be able to do that, you have to be using multi-factor authentication that not only secures this mandate, but also is the best to secure these users identities, to put it in that framework. I continue to see this momentum grow, where the visibility and education over what is considered phishing-resistant – which is FIDO, which is smartcard…will just continue to grow.”

“I think this is totally an awareness thing as well. We just did some research that, more or less, is saying that people are aware there are vulnerabilities with SMS and OTP [verification]. However, they are still using it.” Yubico’s research found that nearly 74% of IT leaders are concerned about the security of SMS and push-based authentication, yet 91% are still relying on usernames and passwords as their primary form of authentication.

“So, the question is, why are they using it, when this technology exists that can actually better secure these organizations, while making a better user experience for their employees?”

You can listen to our full interview with Ronnie Manning on the Expert Insights Podcast. 

About Expert Insights: 

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions. You can find all of our podcasts here.