The vast majority of all IT security breaches are due to stolen or weak login credentials, and the most common attack vector is phishing. Old school phishing scams trick users to download a file or reveal sensitive data to a fraudster website. The new, most sophisticated spear phishing attacks compromise accounts without the user noticing. In fact, 95% of all attacks targeting an organization’s networks are caused by successful spear phishing. 


The COVID-19 pandemic provided perfect conditions for many types of social engineering and phishing attacks. We’ve seen plenty of reports and warnings from the FBI, CISA, Interpol, and other reputable organizations about the growth in coronavirus-related attacks, from spear-phishing to vishing, ransomware, and more, as the world adapts to remote working and its associated risks. Look at the rise in phishing attacks related to COVID stimulus and relief for example. 

In many ways, social distancing and remote work have created more fertile conditions for hackers, but the types of social engineering attacks we’re seeing today aren’t too different from what we’ve seen in the past. So, why are we still seeing major breaches making news headlines on a regular basis? 

Because most of the multi-factor authentication (MFA) solutions in place today across state and local government agencies are defeated by modern phishing attacks.

Watch Yubico CTO Christopher Harrel, show what it’s like to be phished with these modern attacks when using several types of basic multi-factor authentication: Modern phishing v/s common phone and OTP authentication

The only authentication technologies proven to stop these attacks all use public key cryptography, including smart cards, and hardware security keys such as the YubiKey

The YubiKey, a FIPS 140-2 validated hardware security key from Yubico, has been proven to offer the highest levels of security against account takeovers in independent research, preventing targeted attacks. YubiKeys offer the strongest security against phishing attacks and account takeovers, as well as the best user experience. To authenticate, users simply tap/touch their security key. YubiKeys do not require batteries, have no breakable screens, do not need a cellular connection, and are water-resistant and crush-proof.

YubiKeys feature modern protocols like FIDO2 and WebAuthn, as well as OTP, SmartCard (PIV), OpenPGP, earlier FIDO versions, and more. A single key supports multiple applications, allowing YubiKeys to work with current applications and authentication methods, and advanced and emerging protocols at the same time.


Many state and local governments are using YubiKeys to secure their critical systems and applications, remote workers, first responders, field workers, CJIS systems, citizen-facing web services, and election ecosystems.

Contact me or Yubico to learn more about stopping phishing attacks and account takeovers with hardware-backed strong authentication using the YubiKey.