In an era of ever-increasing phishing attacks, increasingly sophisticated identity theft methods, and new regulations such as NIS2, the question is no longer whether MFA is worth investing in, but rather whether an organization can afford to keep relying on outdated authentication methods.
In this interview with Marcin Majchrzak, Sales Director for Yubico in Poland and Eastern Europe, we break down the topic. We talk about the myths of MFA, why not all multi-factor authentication methods are created equal, and how implementing YubiKey can help not only meet regulatory requirements but above all, build real cyber resilience in your company.
I’m no newcomer to this industry. I’ve been working in cybersecurity for over a decade, and my specialization is identity protection. I started in the UK, in a recruitment company, but quickly ended up at a startup dealing with privileged access management. I was close to the topic of protecting critical accounts from the very beginning, and this naturally led me to Yubico and the solutions that I am developing today in Poland and in Central and Eastern Europe.
I’ve been working at Yubico for three years. I am responsible for sales activities, but education is equally important to me – if not more important. Making companies aware that user identity is today the weakest link, and at the same time the first point of entry for any attack. If we want to talk about real security, we have to start with how the user logs in.
The average IT manager can breathe a sigh of relief if their company has implemented MFA, i.e. multi-factor authentication. But this is often a false sense of security. The most popular multi-factor authentication methods are compromise solutions that criminals can easily bypass.
Hackers don’t break in anymore – they just log in. They use social engineering, impersonate login systems, create indistinguishable copies of pages, and simply ask the user to provide their data. And most often, they get it without resistance.
The biggest problem with classic MFA methods – such as password + SMS, password + mobile app or even push – is the human factor. The user must distinguish a real login page from a fake one. They must recognize that something is wrong. And cybercriminals take advantage of every distraction – and every mechanism that can be fooled.
There are free tools on GitHub that allow you to build a phishing attack in a few minutes. You can buy a subscription to a ready-made kit that substitutes a fake login page and intercepts one-time codes – everything works almost automatically. This is no longer the domain of an elite hacker. This is a service that even less advanced criminals use.
Therefore, even if a company uses MFA, it may be completely defenseless against a targeted attack.
That is why we are developing technologies based on FIDO2 and smart cards. The idea is to completely eliminate the possibility of spoofing the login page. So that you do not have to trust that the user will not make a mistake, click on the wrong link or not notice a subtle difference in the domain.
In FIDO2, the entire process is based on asymmetric cryptography. The private key is generated locally – on the YubiKey – and never leaves the device. The server only knows the public key. If you try to log in, the browser and the system check whether everything is correct: the website address, certificate, query structure. If so – the login process goes through. If something does not match – nothing will happen. The user will not even be able to make a decision.
This is a huge difference. The user no longer has to verify anything. They don’t have to know anything, they don’t have to be vigilant. The protocol takes over all the responsibility. And that’s why we’re talking about complete resistance to phishing. Because even if someone knows your password – they won’t do anything without a physical key.
And if we add passwordless scenarios, where there are no passwords anymore, only a hardware key and a PIN – then there’s nothing to phish for. There’s not even a password to intercept. And that’s the direction we should be heading in as organizations – regardless of size or industry.
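To make the origin binding described above concrete, here is an added example (not code from the interview or from Yubico) of the checks a relying party performs on a FIDO2/WebAuthn assertion before it even looks at the signature: the browser, not the user, writes the real origin into clientDataJSON, and the authenticator binds the RP ID hash into authenticatorData, so an assertion produced on a look-alike domain is rejected mechanically. Domain names, the challenge and the counter values are constructed placeholders; the final ECDSA/EdDSA signature check over the returned bytes is left to a crypto library.

```python
# Added example: relying-party-side validation of a WebAuthn "get" assertion.
# Standard library only; domains/challenge are constructed placeholders.
import base64, hashlib, hmac, json, os, struct

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_authenticator_data(rp_id: str, sign_count: int, user_present=True) -> bytes:
    """authenticatorData as a hardware key emits it: SHA-256(rpId) | flags | counter."""
    flags = 0x01 if user_present else 0x00  # bit 0 = UP (user touched the key)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def build_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON: the browser fills in the origin it actually loaded the page from."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()

def verify_assertion(rp_id, expected_origin, expected_challenge, client_data_json, auth_data, last_sign_count):
    """Return the bytes the authenticator's signature must cover, or raise ValueError."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch (replayed assertion?)")
    if cd.get("origin") != expected_origin:           # this is what defeats a cloned login page
        raise ValueError(f"origin mismatch: {cd.get('origin')!r}")
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        raise ValueError("rpIdHash mismatch")
    if not flags & 0x01:
        raise ValueError("user presence not asserted")
    if sign_count != 0 and sign_count <= last_sign_count:
        raise ValueError("signature counter did not increase (cloned authenticator?)")
    # Signature (not checked here) is over authData || SHA-256(clientDataJSON).
    return auth_data + hashlib.sha256(client_data_json).digest()

def demo():
    """Legitimate origin passes; a look-alike origin is rejected before any signature check."""
    challenge = os.urandom(32)
    auth = build_authenticator_data("example.com", 42)
    signed = verify_assertion("example.com", "https://login.example.com", challenge,
                              build_client_data(challenge, "https://login.example.com"), auth, 41)
    try:
        verify_assertion("example.com", "https://login.example.com", challenge,
                         build_client_data(challenge, "https://login.examp1e.com"), auth, 41)
        rejected = False
    except ValueError:
        rejected = True
    return len(signed) == 37 + 32, rejected
```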
Absolutely. Although YubiKey is used by companies such as Google, Amazon and government agencies, our solution was designed to be accessible to everyone – from private users to large corporations. And this is not just theory. We have clients who started with five keys for administrators and now manage tens of thousands of devices throughout the supply chain.
In a small company, YubiKey can act as a simple but very effective security for logging into a Google account, Microsoft or financial systems. In a medium-sized company – we can implement central management and support for logins to many applications. In large organizations, we often start with privileged users, i.e. administrators, the finance department, board members – and then move on to other departments until we cover the entire structure.
What is worth emphasizing: hardware keys are an extremely scalable solution. And if the organization has a partner who knows how to plan such an implementation – we can easily go from a test in one department to a full rollout for the entire company, and even subcontractors and external partners. This is what is happening in practice today.
From my point of view, the most important thing in an implementation project is to start wisely – with the people who have the greatest impact on security. Administrators, the people responsible for access to infrastructure, the management. Their accounts are most often targeted because they allow access to critical data and systems. Implementing phishing-resistant MFA should start there.
Later, we can go broader – to financial, legal, sales teams, to operational departments. And finally, cover the entire supply chain. Because you need to remember: most often the attack starts not with us, but with the partner, who is the weaker link. YubiKey works perfectly as a shared key with external partners – it provides the same level of protection, regardless of the place of login.
The entire implementation can be carried out in stages and flexibly. In many organizations, we start with a pilot, test the solution in one unit, check compliance with the infrastructure, analyze user reactions. When we see that it works, only then do we scale. This approach allows us to maintain control and avoid unnecessary tensions.
Of course, implementing the YubiKey itself is only part of the job. Equally important – or maybe more important – is how to plan this process so that it makes strategic sense. That is why it is so important to work with a partner who knows the subject inside out.
Grandmetric is a company that not only understands technology, but also can look at the needs of the organization more broadly: through the prism of IT architecture, processes, integration. Because that’s what it’s all about. It’s not about having a nice box with the Yubico logo. It’s about having real protection against what’s most dangerous.
This question comes up very often. Not every employee has a company phone, and even if they do, they can’t always use the MFA application. This applies to, for example, production workers, people working in protected spaces, medical personnel, drivers, field representatives. For them, mobile solutions are simply inconvenient or impossible to use.
The YubiKey solves this problem in an elegant way. It is a physical device that can be attached to keys, carried in a pocket, connected to a computer or phone. It does not require charging, it does not need to be updated. It works anytime and anywhere – regardless of the operating system. For the end user, this is a huge convenience. For the IT department – fewer problems and fewer tickets.
New regulations, such as the NIS2 directive or the National Cybersecurity System Act (KSC), place specific requirements on organizations. One of them is to provide strong authentication mechanisms – including phishing-resistant ones. In the clash between MFA and phishing, this means that a password with an SMS is no longer enough. We need a solution that guarantees the integrity of the login process.
YubiKey fits perfectly into the requirements of the NIS2 directive. Firstly – it uses recognized international standards (FIDO2, PIV). Secondly – it does not store any data in the cloud, so we do not violate the principles of data sovereignty. Thirdly – it allows for implementation in both cloud and on-prem environments.
We have more and more cases in which customers contact us precisely because a security audit showed the need to strengthen MFA. Or because the regulator explicitly requested compliance with NIS2. This is no longer a future topic – it is happening now. And it is good that it is happening, because it forces a change in thinking.