The Problem With Phishing and Security: Why More Hardware Is Not the Answer

Cybercrime is fast becoming the world's third-largest economy after the U.S. and China. Phishing attacks are among the most serious cybercrime threats, affecting both individuals and organizations.

Even with advanced hardware, existing systems often fail to keep up with the evolving tactics of cybercriminals. This indicates that our perspective on cybersecurity has to change. 

In this article, we’ll explore the limitations of hardware-based approaches, advocating for a more user-centric and resilient strategy. This includes using passkeys to enhance security, prioritizing user-friendly design to facilitate wider adoption, and ensuring better interface development.

Three challenges with the current security implementation

Challenge 1: Backend focus

For years, we mainly focused on building up the hardware side of security. One common standard for hardware security modules (HSMs) is FIPS 140-2 Level 3 or higher, which translates to a high degree of tamper resistance.

We’ve reached a point where further beefing up hardware won’t lead to a noticeable increase in security. Still, investing in hardware and an impressive physical security setup can feel satisfying and easier to communicate than, for example, changes to the user experience.

Are we falling into the trap of focusing on problems we know how to solve, rather than addressing more complex, less understood challenges?

Secure hardware is essential but insufficient on its own.

Challenge 2: Phishing is always possible

Most current user authentication solutions are vulnerable to phishing attacks. These include national eID systems used for everyday tasks like confirming online payments. Even though eID systems incorporate solid technology, their reliance on user input makes them exploitable.

(Want to know how it works? Read “How Does Identity Theft Work?”)

Key issues include:

  • No solution is 100% foolproof. Motivated attackers can often find ways around even the most advanced defenses. 
  • Heavy reliance on technology and the ease of using eIDs create a false sense of security, which may make people less vigilant and increase the chance of successful attacks.
  • Many solutions focus on blocking known threats but fail to address new phishing and social engineering techniques.

Challenge 3: Understandability

Current systems often overlook how users interact with them. 

Applications, platforms, and authentication flows are often designed in a way that assumes technical knowledge that many people simply do not have. 

Take logging in with MitID, for example: a tech-savvy user might notice the fake URL on a phishing page and not fall for the scam, but this skill is far from universal. Many users lack the training and experience to recognize fraudulent links or websites.

Good design can bridge this gap. 

Plus, we already have tools that make authentication safer and more user-friendly. 

Opportunities to improve security

Passkeys and better design processes can greatly improve security for all users.

1. Passkeys eliminate the “something-you-know” factor

Passkeys revolutionized authentication by replacing passwords with a more secure alternative. 

They use asymmetric cryptography: the private key is stored on the user’s device and never leaves it, while the matching public key is registered with the server. The passkey approach has several benefits:

  • Passkeys are tied to the correct domain and cannot be used on fake websites.
  • Passkeys are resistant to brute-force attacks since they don't rely on easily guessable or reused passwords.
  • Users don't need to remember passwords or manage multiple accounts.
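To make the first benefit concrete, here is an added example (not code from the original post or from any passkey vendor) of the server-side checks that bind a passkey assertion to its domain. It is a toy model of a WebAuthn sign-in: the device signs the challenge together with the RP ID hash and a clientDataJSON whose origin is filled in by the browser, and the relying party refuses anything whose origin, RP ID hash or challenge does not match. The domain names and the fixed challenge in main are constructed placeholders; in a real deployment the browser already refuses to use a credential whose RP ID does not match the page origin, so the look-alike case below shows the server-side backstop behind that behaviour.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData holds the fields of WebAuthn's clientDataJSON that matter for
// phishing resistance. The browser, not the web page, fills in origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a toy model of the user's device. The private key never
// leaves it; only the public key is registered with the server.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Assert mimics what a browser hands back from a passkey sign-in: clientDataJSON,
// authenticatorData (rpIdHash || flags || counter) and a signature over
// authenticatorData || SHA-256(clientDataJSON).
func (a *Authenticator) Assert(rpID, origin, challenge string) (clientJSON, authData, sig []byte, err error) {
	clientJSON, err = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, nil, nil, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter = 1
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, clientJSON))
	return clientJSON, authData, sig, err
}

// signedDigest is the value the authenticator signs and the server verifies.
func signedDigest(authData, clientJSON []byte) []byte {
	cdHash := sha256.Sum256(clientJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// VerifyAssertion is the relying-party check. Origin and rpIdHash are covered by
// the signature, so an assertion made on a look-alike site cannot be relayed to
// the genuine one, and a reused challenge is rejected as a replay.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, clientJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong ceremony type or stale/replayed challenge")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q does not match expected %q", cd.Origin, origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], want[:]) {
		return errors.New("rpIdHash mismatch or malformed authenticatorData")
	}
	if authData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(authData, clientJSON), sig) {
		return errors.New("invalid signature")
	}
	return nil
}

func main() {
	// Constructed sample relying party; real servers issue a fresh random challenge per login.
	const rpID, origin, ch = "login.example", "https://login.example", "c29tZS1yYW5kb20tY2hhbGxlbmdl"
	auth, _ := NewAuthenticator()

	cj, ad, sig, _ := auth.Assert(rpID, origin, ch)
	fmt.Println("genuine site:   ", VerifyAssertion(auth.PublicKey(), rpID, origin, ch, cj, ad, sig))

	// A look-alike site relays the genuine challenge, but the browser records its own origin.
	cj, ad, sig, _ = auth.Assert(rpID, "https://login-example.test", ch)
	fmt.Println("look-alike site:", VerifyAssertion(auth.PublicKey(), rpID, origin, ch, cj, ad, sig))
}
```

The design point is that the server never compares a secret the user typed; it checks a signature over data the browser controls, which is why a convincing fake page gains the attacker nothing. A production verifier would additionally check the signature counter and look the credential up by ID, which this model omits.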

2. Passkeys enable smooth cross-device authentication

Passkeys are very simple to use on a single device, such as a mobile phone. And when signing in on another device like a computer, you may leverage the passkey stored on the primary device. Here's how it works:

  1. To log in, a user shares a passkey from their phone with a nearby computer.
  2. Bluetooth ensures that the devices are physically close. The communication between them is encrypted at the application level and does not depend on Bluetooth security.
  3. The phone sends the encrypted passkey to the computer, which validates it to complete the login.

This process prevents authentication data from being reused or redirected, which mitigates phishing risks and improves the user experience.

3. Iterative design can optimize usability 

We must pay attention to user feedback and make continuous improvements to create more intuitive and usable products. This drives adoption, as people are naturally drawn to products that work seamlessly. 

Without user adoption, even the best protection measures fall short.

Are we protecting the right things?


As engineers, we must recognize that the human element in cybersecurity is just as vulnerable as the technical side. It’s not enough to focus solely on hardware: usability is the key to widespread adoption and robust security.

To reach the highest level of security, we must make systems accessible for all users, not just those with technical expertise. 
