Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementTechnologies & SolutionsSecurity Leadership and ManagementLogical SecurityCybersecurity News

Multi-factor authentication isn't always enough to stop cyber threats

By Alfredo Hickman
cell phone

Image from Pixabay

November 7, 2022

Let’s make one thing clear: every organization today should be using multi-factor authentication (MFA) wherever possible.

Even the strongest, most unique password is still just a single form of authentication standing between attackers and business-critical Software as a Service (SaaS) application data. Security measures like MFA can provide an important additional line of defense against adversaries, which is exactly why the U.S. Cybersecurity and Infrastructure Agency (CISA) recommends that MFA is enabled anytime that it’s available.

Still — as CISA points out — not all forms of MFA are created equal, and certain implementations are more secure than others.

Text message MFA via SMS is amongst the weakest options and is susceptible to interception, spoofing, loss of availability and phishing. The forms of MFA that sit “in the middle,” so to speak, are prone to interception and abuse; push notifications can be sent en masse to fatigue users, while one-time password tokens (OTP) can be captured in transit, for example. U2F/WebAuthn hardware security keys and biometric-based forms of authentication, on the other hand, are more secure.

Encouraging users to rely on stronger forms of authentication is only the tip of the iceberg when it comes to promoting better multi-factor security for an organization. There are a number of other settings, from session durations to adaptive access policies, for security teams to consider when tuning their implementations.

Here are some of the techniques that adversaries employ to attempt to bypass MFA measures, as well as guidance on how to prepare and respond to these increasingly common threats.

Attackers can circumvent MFA

Sophisticated attackers are well aware of the vulnerabilities present in weaker MFA implementations and have leveraged a variety of techniques to effectively exploit these gaps. While this is by no means a comprehensive list, the examples below have been particularly notable for their impact in recent newsworthy breaches. Understanding the fundamentals of these attacks can help teams take an adversarial mindset to plan and respond accordingly.

MITM proxy interception

In a man-in-the-middle (MITM) attack, adversaries convince a user to log into their identity provider via infrastructure controlled by the attacker. This typically means bringing the user to a fake login page that closely resembles the real thing. The attacker relays traffic between the end user and the identity provider, capturing login credentials and the session token granted to the user after they provide MFA. This allows the attacker to reuse the same session token as the user to access the SaaS application.

MFA fatigue

In a MFA fatigue attack, an adversary with compromised user credentials floods a user’s mobile device with an overwhelming number of push notifications prompting them to approve a multi-factor sign-in. The objective here is really quite simple: “fatigue” the user into accepting this request, giving the attacker unfettered access to the identity provider and every connected SaaS application.

SIM hijacking

Although MFA via SMS is one of the more popular methods of authentication, it’s highly susceptible to a variety of attacks —including a technique known as SIM hijacking. In this scenario, an attacker already privy to some of the victim's personal information uses social engineering to convince a mobile carrier to swap their SIM to a new device. With newfound access to their phone number and associated text messages, the attacker can easily authenticate with a valid MFA code sent directly to their device.

Best practices for MFA

Especially when it comes to combatting some of the malicious techniques explored above, the implementation of MFA on an organizational level is critical. There are several best practices security teams can follow to strengthen their organization's defenses:

  • Ensure that MFA is deployed for all accounts in the organization.
  • Suggest against or altogether disable weaker MFA methods, opting instead for more secure factors like hardware security keys.
  • Explore policies that throttle bulk actions to deter brute force attacks and excessive push notifications associated with MFA fatigue attacks.
  • Consider adding administrative review to the enrollment of new MFA devices. A quick double check can make a difference when ensuring the validity of these requests.

A well-built MFA implementation is an incredibly valuable initial line of defense against a majority of malicious attempts against an organization. Still, at the end of the day, it’s important to remember that MFA is exactly that: a strong initial deterrent.

So yes, use MFA wherever possible, but always be conscientious about how it’s implemented, stay vigilant about the techniques that adversaries are employing to get around it, and remember that MFA is good — but it’s not always enough.

KEYWORDS: cyber attack cyber criminal identity (ID) management multi-factor authentication SMS authentication two-factor authentication

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Alfredo Hickman is Head of Information Security at Obsidian Security.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Enterprise Services
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Columns
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Technologies & Solutions
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Coding

AI Emerges as the Top Concern for Security Leaders

Half open laptop

“Luigi Was Right”: A Look at the Website Sharing Data on More Than 1,000 Executives

Shopping mall

Victoria’s Secret Security Incident Shuts Down Website

Laptop with coding on ground

Stepping Into the Light: Why CISOs Are Replacing Black-Box Security With Open-Source XDR

Gift cards and credit cards

Why Are Cyberattacks Targeting Retail? Experts Share Their Thoughts

2025 Security Benchmark banner

Events

June 24, 2025

Inside a Modern GSOC: How Anthropic Benchmarks Risk Detection Tools for Speed and Accuracy

For today's security teams, making informed decisions in the first moments of a crisis is critical.

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

From animal habitats to bustling crowds of visitors, a zoo is a one-of-a-kind environment for deploying modern security technologies.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • MFA for HIPAA Compliance

    Multi-factor authentication for HIPAA compliance: What it is, common objections, and why to insist on it

    See More
  • Rendered coding

    What Every Business Needs To Know About Multi-Factor Authentication

    See More
  • Padlock icon pointing to cloud

    Multi-factor authentication to be mandatory on Google Cloud accounts

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing