01/23/2025 | News release | Distributed by Public on 01/23/2025 12:51
Research by Okta Security found that organizations targeted by prolific threat actors almost always enroll their users in phishing-resistant methods of sign-in. Given the low cost and complexity of moving users to stronger authenticators, why wait to be targeted?
Okta research has found that while the rate of growth in MFA adoption is slowing, the use of phishing-resistant MFA methods like Okta FastPass and FIDO2 is booming.
On the whole, Okta customers are enthusiastic adopters of multifactor authentication. As of January 2024, Okta's Secure Sign-In Trends Report 2024 found that 91% of Okta administrators and 66% of Okta workforce users signed in to applications using MFA.
The fastest growing factor in workforce identity was Okta FastPass, which grew from 2% in 2023 to 6% in 2024 for all Okta users, and from 5% to 13% for Okta administrative users over the past year according to our Secure Sign-In Trends report. That's millions of users that are now living the passwordless dream. Over 5% of users on the Okta platform signed in more than once using phishing-resistant, passwordless authenticators, and never needed to enter a password!
The data suggests that the MFA world is split between the security "haves" and "have nots". Why is such a sizable number of customers embracing phishing resistance for all users, while the vast remainder of organizations continue to use passwords and OTPs?
This year, Okta Security embarked on a separate study to uncover some of the reasons why FastPass and FIDO2 are growing at a substantially faster rate than any other sign-in method.
We know empirically that these sign-in methods are more convenient for users: FastPass can be configured to offer a possession and inherence factor in under 4 seconds, which is several times faster than combining passwords with OTP-based challenges. We also know that many regulators and advisory bodies - such as the US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) - now recommend phishing-resistant MFA for organizations that want to demonstrate their commitment to a mature security program.
Okta Security set out to discover whether exposure to prolific adversaries might also play a role in increased adoption of phishing resistant factors. Okta is uniquely positioned to provide this insight:
With this data at hand, we can take a statistically significant group of customers we know to have been targeted by a specific threat actor, and compare their rates of user enrollment in phishing-resistant authenticators before and after they were first targeted. We can also compare these rates to enrollment rates observed across the entire Workforce Identity Cloud service. Our hypothesis was that the more frequently attacked and battle-hardened organizations would choose stronger authenticators over time.
We chose to zero in on Scatter Swine for our study. Scatter Swine is Okta's original 2022 designation for a prolific threat actor and a subset of a broader group of individuals other organizations identify as Scattered Spider, Muddled Libra and Octo Tempest. These attackers operate with a relentless volume of campaigns once they lock onto a target, often registering multiple domains and targeting dozens or even hundreds of staff with SMS phishing messages.
Our research studied 35 organizations we know to have been targeted by this group between 2022 and early 2024, measuring the rate of adoption of phishing-resistant factors from the period before the day they were first notified by Okta of an impending attack through to March 2024.
Our hypothesis was largely correct.
The median enrollment rate in phishing-resistant factors at these organizations was already 23%, over twice the rate of the average Okta customer. Many of the organizations were modern technology companies that tend to require stronger security controls in the first place.
Once organizations became aware they were being actively targeted, the median enrollment rate for these strong authenticators jumped from 23% to 95%. The vast majority moved from protecting a handful of privileged users with FIDO2 authentication to enrolling every user in more than one phishing-resistant authenticator. In many organizations, FIDO2 hardware security keys were retained as recovery authenticators even as the organization enrolled 100% of its users in Okta FastPass.
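The before-and-after measurement the study describes (enrollment rate in phishing-resistant authenticators the day before first notification versus at the end of the study period, with the median taken across organizations) can be reproduced against an organization's own user inventory. The following is an added example, not Okta's code or data: the organizations, users, authenticator labels and dates are all constructed for illustration, and `okta_fastpass` / `fido2_webauthn` are illustrative labels rather than Okta API values. It also goes slightly beyond the text by listing which users still lack a phishing-resistant authenticator, which is the practical output a defender wants from this measurement.

```python
"""Before/after phishing-resistant enrollment measurement.

Added example with constructed sample data (not Okta's own code or study data).
Each user record carries the authenticators enrolled for that user and the date
each was enrolled; an organization record carries the date it was first
notified of targeting and the end of the study window.
"""
from datetime import date, timedelta
from statistics import median

# Authenticator types this example treats as phishing resistant.
# Assumption: illustrative labels, not Okta API enum values.
PHISHING_RESISTANT = {"okta_fastpass", "fido2_webauthn"}


def is_covered(user, as_of):
    """True if the user had at least one phishing-resistant authenticator
    enrolled on or before the given date."""
    return any(
        a["type"] in PHISHING_RESISTANT and a["enrolled"] <= as_of
        for a in user["authenticators"]
    )


def enrollment_rate(users, as_of):
    """Fraction of users covered by a phishing-resistant authenticator as of a date."""
    if not users:
        return 0.0
    return sum(1 for u in users if is_covered(u, as_of)) / len(users)


def uncovered_users(users, as_of):
    """IDs of users with no phishing-resistant authenticator as of a date:
    the remediation list a defender would act on."""
    return sorted(u["id"] for u in users if not is_covered(u, as_of))


def before_after(orgs):
    """Median enrollment rate across organizations the day before first
    notification, and again at the end of the study window."""
    before = [enrollment_rate(o["users"], o["notified"] - timedelta(days=1)) for o in orgs]
    after = [enrollment_rate(o["users"], o["study_end"]) for o in orgs]
    return median(before), median(after)


def make_org(name, n_users, notified, pre_covered, post_covered, study_end):
    """Build a constructed organization: the first `pre_covered` users had a
    FIDO2 key well before notification, users up to `post_covered` enrolled
    in FastPass two weeks after notification, the rest have only a password."""
    users = []
    for i in range(n_users):
        auths = [{"type": "password", "enrolled": date(2022, 1, 1)}]
        if i < pre_covered:
            auths.append({"type": "fido2_webauthn", "enrolled": date(2022, 6, 1)})
        elif i < post_covered:
            auths.append({"type": "okta_fastpass", "enrolled": notified + timedelta(days=14)})
        users.append({"id": f"{name}-{i:03d}", "authenticators": auths})
    return {"name": name, "notified": notified, "study_end": study_end, "users": users}


# Constructed sample: three organizations with different sizes and outcomes.
STUDY_END = date(2024, 3, 31)
SAMPLE_ORGS = [
    make_org("alpha", 100, date(2023, 3, 10), pre_covered=20, post_covered=95, study_end=STUDY_END),
    make_org("bravo", 50, date(2023, 8, 2), pre_covered=15, post_covered=50, study_end=STUDY_END),
    make_org("charlie", 200, date(2022, 11, 20), pre_covered=40, post_covered=180, study_end=STUDY_END),
]

if __name__ == "__main__":
    before, after = before_after(SAMPLE_ORGS)
    print(f"median enrollment before notification: {before:.0%}, at study end: {after:.0%}")
    for org in SAMPLE_ORGS:
        left = uncovered_users(org["users"], org["study_end"])
        print(f"{org['name']}: {len(left)} users still without a phishing-resistant authenticator")
```

The per-organization rate counts a user as covered if any one phishing-resistant authenticator was enrolled by the measurement date, which is the same yardstick the study applies; a stricter variant would require the enrollment to also be enforced by sign-on policy, which an inventory of authenticators alone cannot show.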
What else sets these highly targeted organizations apart from their peers?
So why wait to be targeted? Attackers now have ready access to tools that can bypass most basic forms of MFA on an "as a service" basis, driving higher volumes of more effective phishing campaigns.
In this environment, we believe that all organizations need to embrace phishing-resistant authentication. Our data suggests that passwordless, phishing resistant auth can be deployed at speed, and that it drives an immediate reduction in risk.
The best feedback we've received from customers is that after enforcing phishing resistance, there are entire categories of attack they no longer concern themselves with.
Learn more about common phishing methods, tactics, and targets and how to detect and prevent attacks in our ultimate guide to phishing prevention.