
how to implement anti phishing mechanisn for a web application


We have an internal portal which we will use for configuration. How do we implement an anti-phishing mechanism?
1. Which mechanism to use?
2. How to use it?
Thanks in advance.


Solution

  • Phishing protection is not only at your application level but also a matter of making your users aware of what phishing is. Even top-notch banks are vulnerable to phishing attacks.

    I would suggest you:

    A mechanism I've seen in a few banks is:

    • Make the user enter his username.
    • Show an image known only to him, which the user chose previously at registration.
    • Make the user confirm that he/she chose that image previously.
    • Make the user enter his password.

    This way, if a user is the victim of a phishing attack, the attacker must know not just his username but also the image that the user chose.

    Also, in case the user doesn't exist, you should set up a fake image so you prevent a user enumeration attack.
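The four-step flow from the answer above, as an added example that is not part of the original post: the server returns the registered image for a known username, a stable HMAC-derived decoy for an unknown one (so the page cannot be used to enumerate accounts), and then checks the confirmed image and password together. The user store, image catalogue, salts and the `ENUM_GUARD_KEY` secret are constructed for the example.

```python
import hashlib
import hmac

def pw_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 for stored passwords (parameters are illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample store: the image each user picked at registration
# plus a per-user salt and password hash. Names and values are made up.
USERS = {
    "alice": {"image": "img_0042", "salt": b"salt-alice",
              "pw": pw_hash("correct horse", b"salt-alice")},
}
IMAGE_POOL = [f"img_{i:04d}" for i in range(200)]  # assumed image catalogue
ENUM_GUARD_KEY = b"server-side-secret-from-config"   # assumed, never sent to clients

def decoy_image(username: str) -> str:
    """Stable decoy for an unknown username: an HMAC of the name selects the
    picture, so 'nosuchuser' always gets the same image and the login page
    looks identical for real and non-existent accounts."""
    d = hmac.new(ENUM_GUARD_KEY, username.lower().encode(), hashlib.sha256).digest()
    return IMAGE_POOL[int.from_bytes(d[:4], "big") % len(IMAGE_POOL)]

def image_for(username: str) -> str:
    """Step 2 of the flow: after the username is submitted, return the image
    to display. Both candidates are computed so the work done does not
    depend on whether the account exists."""
    real = USERS.get(username.lower(), {}).get("image")
    fake = decoy_image(username)
    return real if real is not None else fake

def login(username: str, confirmed_image: str, password: str) -> bool:
    """Steps 3-4: the client sends back the image the user confirmed and the
    password. Succeed only if that image is the one the server issued for
    this username and the password verifies; unknown users still pay the
    hashing cost so failures are not distinguishable by timing."""
    record = USERS.get(username.lower())
    expected = image_for(username).encode()
    image_ok = hmac.compare_digest(expected, confirmed_image.encode())
    salt = record["salt"] if record else b"dummy-salt"
    given = pw_hash(password, salt)
    pw_ok = record is not None and hmac.compare_digest(record["pw"], given)
    return image_ok and pw_ok
```

The decoy only hides account existence at the image step; the password step must also return the same error and take the same time for unknown users, which is why `login` always runs the hash.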