Workers wise up to phishing, but you still need 2FA for business accounts

Phishing attacks won't disappear any time soon, but an analysis by enterprise authentication firm, Duo, suggests security awareness training is very effective at stopping attacks that two-factor authentication cannot. 

Gullible employees are said to be the weakest and most unfixable link in a network, but an analysis by Duo — a Cisco-owned security firm — has shown that training can make a difference, at least in simulated phishing attacks. 

The company found that phishing awareness training sessions made notable differences in the results of tests between 2017 and 2019. 

In 2017, 65 percent of the campaigns resulted in at least one user coughing up a credential, whereas in 2019 only 47 percent of the campaigns resulted in at least one credential. 

Of course, these numbers aren’t guaranteed to reflect real world security, and were released in support of the firm’s suggestion that its training does work. Duo, like other security firms, provides security awareness and phishing training that aims to reduce employees’ tendency to click links.

It also provides Duo Push, a smartphone-based two-factor authentication (2FA) system. 2FA is touted by Google, Microsoft and others as the best answer to phishing attacks. However, 2FA only addresses the credential theft part of the risk.

“There are two ways of defending against phishing: one is social and the other is technological. If the purpose is to get credentials, implementing two-factor authentication causes phishers to stop trying,” Wendy Nather, head of advisory CISOs at Duo, told CSO Online. 

The benefits of deterring phishing attackers simply by enabling 2FA has other benefits too. If the attacks stop, admins can work with a smaller list of blocked phishing domains. 

But, phishing attackers aiming to trick a victim to install malware, won't be blocked by a 2FA system. 

"It isn’t going to protect against that,” said Nather. 

Duo revealed the figures in its 2019 Trusted Access Report, which is based on an analysis of 24 million devices and half a billion monthly sign-ins. 

The company also revealed a few tidbits about Windows 10, browser usage trends, and how much different browsers lag in security updates.

Google Chrome is now the most widely used browser in business. The report doesn’t break down the exact share Chrome had, but notes it grew 8 percent over the past year, while Microsoft’s legacy Internet Explorer browser declined 11.3 percent. The soon-to-be Chromium-based Microsoft Edge browser grew 1 percent. 

Duo also reports a rise in usage of devices that rely on biometric sensors, such as Apple’s iPhone Face ID and Touch ID and Google’s equivalent on Android. 

In the enterprise, 77 percent of devices are configured with biometrics sensors enabled. It’s up from 68 percent four years ago, suggesting a steady rise in biometric adoption, no doubt propelled by iPhone authentication innovations. 

Duo’s report says the trend is “heralding that people are relying less on passwords and the passwordless future may be closer than you think.”

But the report also suggests that passwords are here to stay, as flawed as they are are. 

Nather said the benefit of WebAuthn -- a standard that Microsoft bases its Windows 10 "passwordless" claims upon -- isn’t just about killing passwords, but improved security that doesn't create extra obstacles. 

WebAuthn is about creating an authentication framework that helps websites cryptographically prove that the person attempting to log into an account is the right person, based on their physical access to a device.

“A lot of people see [WebAuthn] as a great alternative. Again it has to do with cryptography-based authentication. WebAuthn allows you do this with a secure enclave on your phone or hardware module on your laptop. This is something we couldn’t do previously using cryptography because there was too much burden on the user to manage it," said Nather.  

"Now, with a cryptographic module, where the user doesn’t have to mess with it, they can authenticate to a module within their device, and after that authentication happens, it’s done without their involvement.”