Security Magazine logo
  • Sign In
  • Create Account
  • Sign Out
  • My Account
  • NEWS
  • MANAGEMENT
  • PHYSICAL
  • CYBER
  • BLOG
  • COLUMNS
  • EXCLUSIVES
  • SECTORS
  • EVENTS
  • MEDIA
  • MORE
  • EMAG
  • SIGN UP!
cart
facebook twitter linkedin youtube
  • NEWS
  • Security Newswire
  • Technologies & Solutions
  • MANAGEMENT
  • Leadership Management
  • Enterprise Services
  • Security Education & Training
  • Logical Security
  • Security & Business Resilience
  • Profiles in Excellence
  • PHYSICAL
  • Access Management
  • Fire & Life Safety
  • Identity Management
  • Physical Security
  • Video Surveillance
  • Case Studies (Physical)
  • CYBER
  • Cybersecurity News
  • More
  • COLUMNS
  • Cyber Tactics
  • Leadership & Management
  • Security Talk
  • Career Intelligence
  • Leader to Leader
  • Cybersecurity Education & Training
  • EXCLUSIVES
  • Annual Guarding Report
  • Most Influential People in Security
  • The Security Benchmark Report
  • The Security Leadership Issue
  • Top Guard and Security Officer Companies
  • Top Cybersecurity Leaders
  • Women in Security
  • SECTORS
  • Arenas / Stadiums / Leagues / Entertainment
  • Banking/Finance/Insurance
  • Construction, Real Estate, Property Management
  • Education: K-12
  • Education: University
  • Government: Federal, State and Local
  • Hospitality & Casinos
  • Hospitals & Medical Centers
  • Infrastructure:Electric,Gas & Water
  • Ports: Sea, Land, & Air
  • Retail/Restaurants/Convenience
  • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
  • Industry Events
  • Webinars
  • Solutions by Sector
  • Security 500 Conference
  • MEDIA
  • Videos
  • Podcasts
  • Polls
  • Photo Galleries
  • Videos
  • Cybersecurity & Geopolitical Discussion
  • Ask Me Anything (AMA) Series
  • MORE
  • Call for Entries
  • Classifieds & Job Listings
  • Continuing Education
  • Newsletter
  • Sponsor Insights
  • Store
  • White Papers
  • EMAG
  • eMagazine
  • This Month's Content
  • Advertise
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementTechnologies & SolutionsSecurity Leadership and ManagementLogical SecurityCybersecurity News

Multi-factor authentication isn't always enough to stop cyber threats

By Alfredo Hickman
cell phone

Image from Pixabay

November 7, 2022

Let’s make one thing clear: every organization today should be using multi-factor authentication (MFA) wherever possible.

Even the strongest, most unique password is still just a single form of authentication standing between attackers and business-critical Software as a Service (SaaS) application data. Security measures like MFA can provide an important additional line of defense against adversaries, which is exactly why the U.S. Cybersecurity and Infrastructure Agency (CISA) recommends that MFA is enabled anytime that it’s available.

Still — as CISA points out — not all forms of MFA are created equal, and certain implementations are more secure than others.

Text message MFA via SMS is amongst the weakest options and is susceptible to interception, spoofing, loss of availability and phishing. The forms of MFA that sit “in the middle,” so to speak, are prone to interception and abuse; push notifications can be sent en masse to fatigue users, while one-time password tokens (OTP) can be captured in transit, for example. U2F/WebAuthn hardware security keys and biometric-based forms of authentication, on the other hand, are more secure.

Encouraging users to rely on stronger forms of authentication is only the tip of the iceberg when it comes to promoting better multi-factor security for an organization. There are a number of other settings, from session durations to adaptive access policies, for security teams to consider when tuning their implementations.

Here are some of the techniques that adversaries employ to attempt to bypass MFA measures, as well as guidance on how to prepare and respond to these increasingly common threats.

Attackers can circumvent MFA

Sophisticated attackers are well aware of the vulnerabilities present in weaker MFA implementations and have leveraged a variety of techniques to effectively exploit these gaps. While this is by no means a comprehensive list, the examples below have been particularly notable for their impact in recent newsworthy breaches. Understanding the fundamentals of these attacks can help teams take an adversarial mindset to plan and respond accordingly.

MITM proxy interception

In a man-in-the-middle (MITM) attack, adversaries convince a user to log into their identity provider via infrastructure controlled by the attacker. This typically means bringing the user to a fake login page that closely resembles the real thing. The attacker relays traffic between the end user and the identity provider, capturing login credentials and the session token granted to the user after they provide MFA. This allows the attacker to reuse the same session token as the user to access the SaaS application.

MFA fatigue

In a MFA fatigue attack, an adversary with compromised user credentials floods a user’s mobile device with an overwhelming number of push notifications prompting them to approve a multi-factor sign-in. The objective here is really quite simple: “fatigue” the user into accepting this request, giving the attacker unfettered access to the identity provider and every connected SaaS application.

SIM hijacking

Although MFA via SMS is one of the more popular methods of authentication, it’s highly susceptible to a variety of attacks —including a technique known as SIM hijacking. In this scenario, an attacker already privy to some of the victim's personal information uses social engineering to convince a mobile carrier to swap their SIM to a new device. With newfound access to their phone number and associated text messages, the attacker can easily authenticate with a valid MFA code sent directly to their device.

Best practices for MFA

Especially when it comes to combatting some of the malicious techniques explored above, the implementation of MFA on an organizational level is critical. There are several best practices security teams can follow to strengthen their organization's defenses:

  • Ensure that MFA is deployed for all accounts in the organization.
  • Suggest against or altogether disable weaker MFA methods, opting instead for more secure factors like hardware security keys.
  • Explore policies that throttle bulk actions to deter brute force attacks and excessive push notifications associated with MFA fatigue attacks.
  • Consider adding administrative review to the enrollment of new MFA devices. A quick double check can make a difference when ensuring the validity of these requests.

A well-built MFA implementation is an incredibly valuable initial line of defense against a majority of malicious attempts against an organization. Still, at the end of the day, it’s important to remember that MFA is exactly that: a strong initial deterrent.

So yes, use MFA wherever possible, but always be conscientious about how it’s implemented, stay vigilant about the techniques that adversaries are employing to get around it, and remember that MFA is good — but it’s not always enough.

KEYWORDS: cyber attack cyber criminal identity (ID) management multi-factor authentication SMS authentication two-factor authentication

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Alfredo Hickman is Head of Information Security at Obsidian Security.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Enterprise Services
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Logical Security
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    New Security Technology
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

Security’s Top 5 – 2024 Year in Review

Security’s Top 5 – 2024 Year in Review

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security camera

40,000 IoT Security Cameras Are Exposed Online

Fountain pen

Trump Administration Executive Order Changes Cybersecurity Policy

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

2025 Security Benchmark banner

Events

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

From animal habitats to bustling crowds of visitors, a zoo is a one-of-a-kind environment for deploying modern security technologies.

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • MFA for HIPAA Compliance

    Multi-factor authentication for HIPAA compliance: What it is, common objections, and why to insist on it

    See More
  • Rendered coding

    What Every Business Needs To Know About Multi-Factor Authentication

    See More
  • Padlock icon pointing to cloud

    Multi-factor authentication to be mandatory on Google Cloud accounts

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing

Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!