Page 246 - Cyber Defense eMagazine September 2025
P. 246
• Attacker persistence via enrolled authenticators is real. Treat authenticator enrollment like
a sensitive transaction: log, alert, and verify changes.
• Usability determines adoption. Pilots stall without training, clear guidance, and thoughtful
support for shared devices, gloved users, or legacy systems. Expect hybrid patterns in OT/clinical
environments.
Best Practices: How to Deploy Passwordless Securely
Choose Truly Phishing-Resistant Methods
• Prefer FIDO2/WebAuthn passkeys and hardware security keys over OTPs/links.
• If using phone authenticators, use platform passkeys or app-based approvals with strong
device attestation—not SMS.
Lock Down Devices & Accounts
• Enforce PIN/biometric unlock, disk encryption, OS/browser patch SLAs, and EDR on
endpoints that hold passkeys.
• Protect consumer cloud accounts (that may sync passkeys) with strong MFA and restricted
recovery; consider no-sync for high-risk personnel.
Harden Fallback & Recovery
• Treat helpdesk, recovery, and enrollment as Tier-0 flows:
o Require phishing-resistant verification (e.g., in-person, SSO-based proofing, secure
video ID, or supervisor approval).
o Disable SMS/email for admins and other critical roles.
o Issue backup hardware keys and document secure custody.
Instrument & Monitor
• Log and alert on:
o New authenticator registrations
o Repeated user-verification failures
o Unusual geo/ASN patterns
o Use of backup routes
• Add behavioral analytics: deviations from typical device/origin/time can flag compromise.
Cyber Defense eMagazine – September 2025 Edition 246
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.
