Traditional MFA is no longer enough

Multi-factor authentication (MFA) is no longer a guarantee that accounts cannot be hacked. A passwordless MFA according to the FIDO standard offers higher security and more convenience.

 

Many companies now rely on multi-factor authentication. However, cybercriminals regularly succeed in circumventing these security measures through increasingly sophisticated approaches. For example, Microsoft security researchers recently uncovered a large-scale phishing campaign through which Office 365 accounts are compromised despite multi-factor authentication. (centron reported: Phishing: Office 365 accounts despite MFA hacked).

First of all: Of course, multi-factor authentication is still much better than using a simple password and not taking any further security measures! Traditional password-based MFA is still sufficient for many types of attacks. However, it no longer offers the same security that it promised a few years ago. Attackers are becoming more and more creative – accordingly, companies must also upgrade their MFA instead of feeling a false sense of security.

 

Vulnerabilities in traditional multi-factor authentication

Current forms of MFA are usually based on password authentication, which are supplemented by one or more other factors such as one-time passwords (OTPs) or push notifications. Sounds good in theory, but isn’t too difficult to work around these days.

Intercepting an OTP is possible, for example, through SIM swapping. With this fraud method, cybercriminals pose as legitimate users to the mobile operator and convince them to switch to a new SIM card. In this way, all future OTPs are conveniently sent to the attackers’ phones.

Another notable vulnerability is password recovery. These processes often subvert MFA by monopolizing the second factor of identification (email, phone, etc.). The answers to seemingly secret questions that are commonly used when resetting passwords, and which then present the last remaining barrier, are often easily found on social media.

As already mentioned with the example of Office 365, phishing campaigns also pose a major risk. Phishing emails trick users into clicking on links or using fake login pages and directly passing on the code they just received to the hackers or confirming a corresponding push notification.

 

Recommendations for action

For multi-factor authentication to truly provide the protection users are hoping for, it must rely on authentication factors that cybercriminals cannot easily compromise. Above all, biometric authentication such as fingerprint scanning or face recognition as well as security checks at device level are recommended.

Implementing a modern, passwordless MFA doesn’t even have to be significantly more difficult than implementing a traditional password-based MFA. Using the FIDO standards, organizations can easily use a combination of biometric authentication and device-specific private keys for their MFA. In this way, they can minimize their attack surface in the long term and subsequently significantly increase their own cyber security.