How to Stop Phishing

Require WebAuthn

If you’re serious about stopping phishing, you need to insist on the use of WebAuthn as a second factor for all human access to your systems, especially SSO.

CloudFlare stopped the previously mentioned 0ktapus campaign using the predecessor to WebAuthn called Universal Second Factor (U2F)1

WebAuthn is gaining traction and being touted as the beginning of a passwordless future2. In reality, operational challenges & standardization across vendors means WebAuthn is currently best used in combination with a password. If a password is phished, the WebAuthn second factor should stop the attacker gaining access.

Using WebAuthn as a second factor is good enough, you don’t need to go full “passwordless” to benefit

Although often used with biometrics, WebAuthn does not require their use. You can go completely phishing-resistant without them.

References

  1. The Mechanics of a Sophisticated Phishing Scam and How We Stopped It, accessed May 2023
  2. WebAuthn Guide, accessed May 2023

Updated on 13 Jan 2024