[KCSCON 2025] OCTATCO CEO Lee Jae-hyung: “Phishing-Resistant MFA is Essential in Zero Trust and N2SF Environments”

• Offers a tailored structure optimized for domestic N2SF environments • OCTATCO MFA can fully defend against 18 types of authentication attacks

On September 16, over 1,200 cybersecurity professionals gathered at Sejong University Convention Center for KCSCON 2025, the 13th Korea Cybersecurity Conference. Under the theme “Opening the Future of Cybersecurity”, OCTATCO CEO Lee Jaehyoung presented on “Digital Identity Management in Zero Trust and N2SF Environments.”

CEO Lee began by explaining N2SF (National Network Security Framework), which categorizes public sector networks into Confidential (C), Sensitive (S), and Open (O), applying appropriate security measures for each level. He noted that the rise of cloud services, remote work, and SaaS has blurred traditional network boundaries, stressing: “Network perimeters used to be the core of security, but now digital identity (ID) is the new security boundary.”

■ The Reality of Authentication Attacks and Weaknesses of Existing Systems/b>

CEO Lee highlighted 18 major threats organizations face today. Common attacks such as phishing, vishing, smishing, spear phishing, credential stuffing, watering hole attacks, business email compromise, man-in-the-middle attacks, SIM swapping, and keylogging, are actively used in real-world attacks.

He explained that traditional authentication methods cannot stop these attacks. Passwords, OTPs, SMS, and even standard biometric methods all have serous limitations. Testing showed OTPs fail to block any of the 18 attacks, and even biometric authentication is vulnerable to 89% of attacks.

“The defense rate of conventional authentication is only 0–11%, meaning attackers can bypass it with publicly available hacking tools,” CEO Lee said.

Risks continue even after authentication. Session hijacking, cookie theft, and token theft occur post-login, which conventional methods cannot prevent. He emphasized:

“We need a system that protects both before and after authentication.”

Global regulations also highlight this trend. In the U.S., Executive Order 14028 mandates MFA for federal agencies, while OMB M-22-09 specifically requires phishing-resistant MFA. The Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends its adoption as well.

FIDO2 and PIV smartcard-based public-key cryptography play a key role, authenticating users without storing secret information on servers. This approach inherently resists phishing and session hijacking attacks, aligning with Zero Trust principles: “Never trust, always verify.”

■ OCTATCO Phishing-Resistant MFA: Technical Structure

CEO Lee described OCTATCO’s solution:

- Unified authentication agent: Provides a single system for PC login, to SaaS, web app, and client application login. Users can access all work systems using one device, ensuring both convenience and security.

- FIDO2 public-key cryptography: Authentication data is processed securely without storing it on servers, offering strong resistance against man-in-the-middle and session attacks.

- Emergency authentication: Ensures business continuity during network or server failures by allowing local device access, critical for public and financial institutions.

OCTATCO differentiates itself by offering solutions tailored for Korea’s N2SF environment, unlike global services that mainly focus on private enterprises. As Korea’s first and Asia’s leading FIDO2-based MFA company, OCTATCO strictly follows global standards while meeting local security requirements. Most importantly, OCTATCO MFA defends against all 18 major authentication attacks, making it stronger than competitors who typically only cover specific threats.

Concluding, CEO Lee said:

“Perimeter-based security has reached its limits. The future lies in digital identity management. In Zero Trust and N2SF environments, phishing-resistant MFA is not optional, it’s essential. OCTATCO has the expertise and solutions to make this a reality.”

[By Gil Minkwon mkgil@dailysecu.com]