SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Phishing resistant hardware, the key to email security
Tue, 29th Aug 2023

According to Yubico, a provider of hardware authentication security keys, empowering workplaces with phishing-resistant hardware is the key to email security.

Despite companies continuing to take action to safeguard critical infrastructure and increase employee awareness of cybersecurity risks, email remains one of the most lucrative attack vectors for cybercriminals.

The Secureworks Incident Response report stated the number of incidents involving business email compromise (BEC), where attackers impersonate company employees for financial gain, doubled between January and December 2022. This replaced ransomware as the most common financially motivated cyber threat to organisations. 

Meanwhile, the 2023 Data Breach Investigations Report stated that human-related factors influenced 74% of breaches. 

Geoff Schomburgk, Yubico's Regional Vice President, Asia Pacific & Japan (APJ), says email compromise is a pervasive threat that can target anyone. Phishing attacks, which try to exploit human errors, have emerged as the primary source of data breaches. 

"The rise of BEC underscores the urgency for enterprises, especially those with distributed workforces, to establish and enforce human-centric security best practices that are supported by modern phishing-resistant passkeys," says Schomburgk.

"Traditional password-based authentication has proven insufficient in the face of these evolving threats and industry leaders like Google, Microsoft and Apple have integrated support for phishing resistant passkeys to enhance authentication."

While passkeys are not a new concept (with hardware security keys like Yubico's YubiKey incorporating them since 2016), Yubico says they offer a more secure and user-friendly alternative to passwords and other legacy forms of 2FA. This approach aligns with the broader effort to make secure logins, including email access, accessible to a wider audience.

As email-based phishing attacks grow in sophistication and targeting, even tech-savvy individuals can fall victim. One common example is a fake invoice or HR email that asks for payment details or sensitive information. 

Schomburgk says phishing-resistant multi-factor authentication (MFA) through passkeys has been a pivotal advancement in cybersecurity and should be adopted more widely, as it delivers robust security without compromising user experience. He adds that MFA also helps organisations better protect online accounts without relying on the user's vigilance.

Unlike conventional MFA methods vulnerable to phishing, this approach focuses on identity verification and intent through deliberate action. While common, passwords, SMS, OTPs, security questions, and push notifications are susceptible to various attacks. 

Schomburgk acknowledges that user training is essential and can be expensive, but phishing attacks will continue. Cyber attackers can undertake phishing attacks through BEC, but there are solutions to prevent these.  

"We see it as important to stop threats at the 'front door' through authentication methods that use phishing resistant MFA, such as passkeys, and that do not rely on the vigilance of the end user," says Schomburgk.  

"Yubico is committed to empowering individuals and organisations with cutting-edge security solutions that improve email security and thwart phishing attacks." 

"Fostering a human-centric approach to cybersecurity by encouraging the adoption of passkeys will help companies to protect digital identities against evolving threats and safeguarding sensitive information," Schomburgk concludes.