Login

Login

Attacks

Phishing

Understanding

Phishing

Attackers convince users to give up their passwords with trickery

Passwords aren't the problem. Shared-secret schemes simply should not be used for authentication (period).

Passwords are known as a shared secret scheme. More precisely, there is a single secret, the password, that both the user and the service know.

Sure, the server might only store the hashed version, but the user still has to pass the original secret to the server so that it can be hashed and compared. Similarly, this scheme also relies on the server implementing everything perfectly to protect the password.

Therein lies the problem… The "secret" is being sent all over the dang place instead of being kept secret.

Phishing is the Internet equivalent of tricking someone into whispering their secret into the wrong ear. The goal is to trick the end-user into thinking the field that they enter their password into is legitimate so that they outright give over their password — no C0mpl3xity!1 or sophisticated cryptography can protect against it.

Attacks

Phishing

Understanding

Phishing

Attackers convince users to give up their passwords with trickery

Passwords aren't the problem. Shared-secret schemes simply should not be used for authentication (period).

Passwords are known as a shared secret scheme. More precisely, there is a single secret, the password, that both the user and the service know.

Sure, the server might only store the hashed version, but the user still has to pass the original secret to the server so that it can be hashed and compared. Similarly, this scheme also relies on the server implementing everything perfectly to protect the password.

Therein lies the problem… The "secret" is being sent all over the dang place instead of being kept secret.

Phishing is the Internet equivalent of tricking someone into whispering their secret into the wrong ear. The goal is to trick the end-user into thinking the field that they enter their password into is legitimate so that they outright give over their password — no C0mpl3xity!1 or sophisticated cryptography can protect against it.

Attacks

Phishing

Understanding

Phishing

Attackers convince users to give up their passwords with trickery

Passwords aren't the problem. Shared-secret schemes simply should not be used for authentication (period).

Passwords are known as a shared secret scheme. More precisely, there is a single secret, the password, that both the user and the service know.

Sure, the server might only store the hashed version, but the user still has to pass the original secret to the server so that it can be hashed and compared. Similarly, this scheme also relies on the server implementing everything perfectly to protect the password.

Therein lies the problem… The "secret" is being sent all over the dang place instead of being kept secret.

Phishing is the Internet equivalent of tricking someone into whispering their secret into the wrong ear. The goal is to trick the end-user into thinking the field that they enter their password into is legitimate so that they outright give over their password — no C0mpl3xity!1 or sophisticated cryptography can protect against it.

Attacks

Overview

Attacks

Overview

Exploit Techniques

Disclaimer: The information provided in this article is for educational and informational purposes only. Allthenticate is committed to enhancing security awareness and readiness in the cybersecurity community. This content is intended to be used responsibly and ethically by security professionals, researchers, and organizations to improve their defensive capabilities.

Disclaimer: The information provided in this article is for educational and informational purposes only. Allthenticate is committed to enhancing security awareness and readiness in the cybersecurity community. This content is intended to be used responsibly and ethically by security professionals, researchers, and organizations to improve their defensive capabilities.

Disclaimer: The information provided in this article is for educational and informational purposes only. Allthenticate is committed to enhancing security awareness and readiness in the cybersecurity community. This content is intended to be used responsibly and ethically by security professionals, researchers, and organizations to improve their defensive capabilities.

Spear Phishing:

Attackers use social engineering to craft highly personalized emails, often impersonating trusted contacts or organizations.

Exploits trust and familiarity, making victims more likely to let their guard down and share sensitive information.

Exploit tools

Social-Engineer Toolkit (SET), GoPhish

Spear Phishing:

Attackers use social engineering to craft highly personalized emails, often impersonating trusted contacts or organizations.

Exploits trust and familiarity, making victims more likely to let their guard down and share sensitive information.

Exploit tools

Social-Engineer Toolkit (SET), GoPhish

Spear Phishing:

Attackers use social engineering to craft highly personalized emails, often impersonating trusted contacts or organizations.

Exploits trust and familiarity, making victims more likely to let their guard down and share sensitive information.

Exploit tools

Social-Engineer Toolkit (SET), GoPhish

Clone Phishing:

Legitimate emails are duplicated, but links or attachments are replaced with malicious ones.

Leverages the legitimacy of real communications, making it extremely difficult for users to distinguish from genuine emails.

Exploit tools

Evilginx2, King Phisher

Clone Phishing:

Legitimate emails are duplicated, but links or attachments are replaced with malicious ones.

Leverages the legitimacy of real communications, making it extremely difficult for users to distinguish from genuine emails.

Exploit tools

Evilginx2, King Phisher

Whaling:

High-level executives are targeted with sophisticated, tailored attacks.

Targets those with the highest level of access to sensitive data and financial resources, potentially leading to massive breaches or financial losses.

Exploit tools

Cobalt Strike, Phishery

Whaling:

High-level executives are targeted with sophisticated, tailored attacks.

Targets those with the highest level of access to sensitive data and financial resources, potentially leading to massive breaches or financial losses.

Exploit tools

Cobalt Strike, Phishery

Vishing and Smishing

Voice calls (vishing) or SMS messages (smishing) solicit sensitive information or direct victims to malicious websites.

Exploits the immediacy and personal nature of phone calls and text messages, often catching victims off-guard and pressuring them into quick actions.

Exploit tools

Modlishka, EvilURL, SMS Bomber

Vishing and Smishing

Voice calls (vishing) or SMS messages (smishing) solicit sensitive information or direct victims to malicious websites.

Exploits the immediacy and personal nature of phone calls and text messages, often catching victims off-guard and pressuring them into quick actions.

Exploit tools

Modlishka, EvilURL, SMS Bomber

Why Traditional Defenses Fall Short

Why Traditional Defenses Fall Short

Why Traditional Defenses Fall Short

Old-school phishing defenses all fail because they are trying to fix something that is fundamentally broken. Ultimately, the password will need to be passed to the server and there will always be a risk there.

Educating end users about phishing is like teaching sailors how to bail water to fix a sinking ship. The users don't need to be taught new skills — we need a new boat!

Old-school phishing defenses all fail because they are trying to fix something that is fundamentally broken. Ultimately, the password will need to be passed to the server and there will always be a risk there.

Educating end users about phishing is like teaching sailors how to bail water to fix a sinking ship. The users don't need to be taught new skills — we need a new boat!

Attacks

Overview

Attacks

Overview

Allthenticate eliminates phishing.

By using asymmetric keys where the private key (the secret) never leaves the secure hardware of your smartphone, the sole attack vector of phishing (stealing the secret) is completely eliminated. Only the public key, which is safe to share, is stored on external servers.

Hardware-Bound Credentials

Your credentials (i.e., private keys) are stored securely in the hardware of your smartphone, and never leave. This not ensures that you credentials cannot be phished, but also that they are always in your possession, where they belong. If hackers want to steal them, they will have to, "Come and take it!"

Industry Standards

Industry Standards

Allthenticate supports all of the popular key formats: FIDO, X.509, and Verifiable Credentials for maximum usability and portability. Securely login to all of your resources!

Strong Cryptography

Strong Cryptography

Allthenticate replaces symmetric schemes like passwords and OTP codes with secure asymmetric encryption algorithms like RSA and elliptic curve cryptography in a future-proof way.

Simple User Interactions

Phishing fundamentally preys on confusing the user.

By keeping the interactions simple, clean, and clear the chance of tricking the user is also eliminated. Every interaction will have a simple prompt and a simple "Approve" or "Deny" option.

Even if the user selects the wrong answer, their credentials are safe. Crisis averted.

Anti-Masquerading

Masquerading attacks can be used to trick app users by overlaying false data to trick users into approving the wrong request. By leveraging a secure image and the TEE of the phone, this attack can also be thwarted.

Physical Proximity Requirement

Bluetooth is used to ensure that the phone is physically close to the computer initiating the login, adding yet another level of security to the login process.

Secure your organization by eliminating entire classes of vulnerabilities with Allthenticate.

See Pricing

Learn More

Secure your organization by eliminating entire classes of vulnerabilities with Allthenticate.

See Pricing

Learn More