Enhancing University Security with a Phish-resistant MFA System

According to Sophos’ recent report, 64% of higher education organizations were hit by ransomware in the last year. It’s no wonder that the #1 issue in Educause’s 2022 Top 10 IT Issues was cybersecurity processes, preparedness, and skills. Security threats are evolving and higher education continues to be one of the industries targeted by bad actors.

It’s no longer enough to have multi-factor authentication in place, as bad actors have figured out the surest way to get past it—people. Human error continues to be the greatest threat to security, which is why it’s key to take people out of the equation as much as possible. A 2021 Security Intelligence report forecasted that ransoms could cost victims more than $200 billion by 2031. To stay a step ahead, institutions should implement a new feature: phish-resistant multi-factor authentication.

How is MFA Being Circumvented?

Multi-Factor Authentication (MFA) is an added layer of security to access accounts, devices, data, and systems. It has become the modern form of authentication, leaving the traditional username and password combination behind.

The most common and successful way to hack MFA solutions is through social engineering, where an attacker exploits the human side of the authentication process. Other basic attack methods include eavesdropping, man-in-the-middle attacks, weak verification between components, weak default configuration settings, physical attacks like copying fingerprints, and more.

Social Engineering and MFA Fatigue Attacks

One social engineering technique that has proven successful is the MFA fatigue attack, which was used in the most recent Uber breach. An MFA fatigue attack happens when an attacker steals login credentials and inundates a targeted victim with MFA push notifications sent via text, phone, or email, in the hope of “fatiguing” the user into accepting a request. This is often combined with a vishing attack, in which the attacker calls the targeted victim, impersonating someone from IT, to coerce the user into accepting the MFA request.

The success of these attacks hinges on people—your staff, faculty, and students. You can have the latest security features in place, but if your staff, faculty, and students don’t understand security basics, your institution is at risk.

How to Recognize MFA Phishing

So, what does this mean for institutions? As usual, education and awareness are key. You must stay extra vigilant and attentive to any suspicious activity on your devices.

Here are some best practices to follow – and share with your constituents:

  • Never approve a push notification unless you initiate it
  • Watch out for an endless wave of push notifications and don't approve any of the requests
  • Don’t talk to unknown people claiming to be from your company without confirming the identity of the individual and the legitimacy of the call
  • Never click on rogue links

Make the Switch to Phish-resistant MFA

Vigilance isn’t always enough, which is why experts have worked to create even better security features. Phish-resistant MFA technology is the newest to gain traction. In fact, the US Cybersecurity & Infrastructure Security Agency (CISA) recently issued guidance urging all organizations to implement it.

Phish-resistant MFA refers to an authentication process that is immune to attackers intercepting the authentication secret or tricking users into revealing it. It is similar to traditional MFA, but people are removed from the equation: a hardware key or enrolled device proves who you are, and that proof is bound to the legitimate site, so it is useless to a lookalike page. Phish-resistant MFA removes the concept of one-time passcodes, which are usually sent via text. Instead, authentication happens almost entirely between your device and the website.

Setting up Phish-resistant MFA for Your University

There are two main types of phish-resistant MFA to explore—FIDO/WebAuthn and PKI-based MFA. Once you decide on which option is best, think about which implementation phases are most important for your institution. Look at the type of resources you want to protect and identify which users are more likely to be targets of an attack. For more guidance on implementing phish-resistant MFA, check out this fact sheet from the Cybersecurity & Infrastructure Security Agency.
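The origin binding that makes FIDO/WebAuthn phish-resistant, as an added Python example that is not Ellucian’s or CISA’s code: it models the three parties (security key, browser, and the university’s login server), stands in for the key’s public-key signature with an HMAC over the same data, and assumes the constructed names university.edu and university-edu.example.

```python
import hashlib, hmac, json, secrets

RP_ID = "university.edu"                         # assumed relying-party ID (constructed)
GOOD_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://university-edu.example"  # constructed lookalike domain

class Authenticator:
    """Stand-in for a FIDO security key: one secret per relying-party ID it enrolled with."""
    def __init__(self):
        self.creds = {}
    def register(self, rp_id):
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]                 # the login server stores this per credential
    def get_assertion(self, rp_id, client_data_hash):
        key = self.creds.get(rp_id)
        if key is None:                          # never enrolled for this site: nothing to sign
            return None
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        return rp_id_hash, hmac.new(key, rp_id_hash + client_data_hash, "sha256").digest()

def browser_assert(auth, page_origin, challenge, rp_id=None):
    # The browser, not the user, derives rpId from the page's real host and writes the
    # real origin into clientData before it is hashed and signed; nothing is typed.
    host = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    resp = auth.get_assertion(rp_id or host, hashlib.sha256(client_data).digest())
    return None if resp is None else (client_data, *resp)   # None: key refused, nothing to approve

def server_verify(key, expected_challenge, client_data, rp_id_hash, sig):
    # Login-server checks: type, fresh challenge (no replay), origin, rpIdHash, then signature.
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("challenge") != expected_challenge:
        return False
    if data.get("origin") != GOOD_ORIGIN or rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(key, rp_id_hash + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(sig, expected)

def demo():
    auth, challenge = Authenticator(), secrets.token_hex(16)
    key = auth.register(RP_ID)
    genuine = server_verify(key, challenge, *browser_assert(auth, GOOD_ORIGIN, challenge))
    refused = browser_assert(auth, PHISH_ORIGIN, challenge) is None   # lookalike site: no credential
    # Hypothetical relay forcing the real rpId: the signed origin still exposes the phishing page.
    relayed = server_verify(key, challenge, *browser_assert(auth, PHISH_ORIGIN, challenge, rp_id=RP_ID))
    return genuine, refused, relayed   # (True, True, False)
```

Contrast this with a pushed or texted one-time code, which carries no notion of which site asked for it and so works just as well when typed into the lookalike page.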

Keep Your Institution’s Data Safe

Phishing attacks continue to present a major security risk to institutions across the world, especially to institutions rich with student data. And when the average cost to remediate a higher education ransomware attack is $1.42M, cybersecurity threats aren’t to be taken lightly. By implementing phish-resistant MFA and educating users on identifying phishing attempts, institutions can significantly reduce their risk of falling victim to these malicious attacks. Cybersecurity best practices are always changing. Make sure your institution is staying in the know and updating systems as needed. And if your institution isn’t in the cloud or on SaaS, it might be time to make the switch for the many security benefits they offer.

Educate faculty and staff by following the Essential Steps for Information Security Training.

About the author: Jennifer Steele, Senior Director of Information Security, Ellucian