What Every Business Needs To Know About Multi-Factor Authentication

By Eder Ribeiro

May 13, 2025

Multi-factor authentication (MFA) has become one of the most-recommended security must-haves. It’s now a cornerstone in most businesses’ cybersecurity strategies, offering an additional layer of protection beyond traditional passwords that are often weak, recycled across multiple apps, sites, or systems, and routinely compromised.

Yet, as MFA adoption has increased, so too has the sophistication of attacks designed to circumvent it. Threat actors are continually developing new methods to bypass these security measures, presenting major risks to the organizations MFA is designed to protect.

Our team witnesses the aftermath commercial cyberattacks leave in their wake nearly every day. It can take businesses countless hours and thousands — sometimes millions — of dollars to fully recover. Unfortunately, we are seeing a rise in claims from organizations that believed they were protected by MFA protocols, only to suffer a bypass attack. 

With that in mind, it’s important that businesses understand both the strengths and vulnerabilities of MFA in today’s cybersecurity landscape. 

MFA Is Great, but Not Perfect

MFA enhances security by requiring users to provide multiple forms of verification — such as a PIN, a one-time passcode delivered to a mobile device, or biometric data — before granting access. This approach significantly limits unauthorized access, but it is not invulnerable to exploitation by threat actors.

One prevalent method attackers are employing is the “attacker-in-the-middle” (AitM) phishing attack. In these scenarios, threat actors set up fraudulent intermediary sites to intercept communications between the victim and the legitimate service. They deploy fake login pages that mirror the real ones, capturing the user's credentials, session cookies and sometimes the user’s MFA tokens. Hackers even sell ready-to-use kits to enable these attacks, including one capable of bypassing two-factor authentication on Google, Microsoft and Yahoo accounts.

Another tactic gaining traction is MFA fatigue or MFA push bombing. Attackers bombard the target with repeated MFA push notifications, hoping to wear down the user into approving one of the requests out of frustration or confusion. This method targets the human-weakness element of security, which is ultimately the largest and least controllable attack surface for any organization. Fatigue attacks bank on the likelihood an overwhelmed user might inadvertently grant access. It’s a risk for every organization, regardless of size. 
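A defender can spot the push-bombing pattern described above in MFA logs. The following is an added example, not part of the original article: the log format (`timestamp user result`), the result labels and both thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_UNAPPROVED = 4              # assumed number of unapproved prompts that counts as a burst

# Constructed sample events: "ISO-timestamp user result"
SAMPLE_LOG = """\
2025-05-13T02:00:05 alice denied
2025-05-13T02:00:40 alice denied
2025-05-13T02:01:10 alice timeout
2025-05-13T02:01:45 alice denied
2025-05-13T02:03:00 alice approved
2025-05-13T09:15:00 bob denied
2025-05-13T09:15:20 bob approved
2025-05-13T03:00:00 carol timeout
2025-05-13T03:02:00 carol timeout
2025-05-13T03:04:00 carol timeout
2025-05-13T03:06:00 carol timeout
"""

def detect_push_bombing(log_text, window=WINDOW, limit=MAX_UNAPPROVED):
    """Return {user: severity}: 'burst' for many unapproved prompts inside the
    window, 'burst_then_approved' when an approval follows such a burst."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:  # skip blank or malformed lines
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    alerts = {}
    for ts, user, result in sorted(events):
        prompts = recent[user]
        while prompts and ts - prompts[0] > window:
            prompts.popleft()  # forget prompts older than the window
        if result in ("denied", "timeout"):
            prompts.append(ts)
            if len(prompts) >= limit:
                alerts.setdefault(user, "burst")
        elif result == "approved":
            if len(prompts) >= limit:
                alerts[user] = "burst_then_approved"  # likely fatigue approval
            prompts.clear()
    return alerts

if __name__ == "__main__":
    print(detect_push_bombing(SAMPLE_LOG))
```

An approval that lands right after a burst is the case to treat as a probable compromise: revoke the session and reset the credential rather than only alerting.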

Passkeys Make Progress, but With Limitations

In response to the vulnerabilities associated with traditional MFA methods, the industry has been exploring alternative authentication mechanisms. Passkeys, which leverage user biometric data for submitting encryption information that is often stored within the user’s device, have emerged as a promising solution. Companies like Microsoft, Google, and Apple are advocating for passkeys as a more secure and user-friendly alternative to passwords. They provide more sophisticated security, operating like a “lock and key.” A website provides the “lock” (public key), and the user has the “private key” on their device. Using this “public-key cryptography,” passkeys aim to eliminate the risks associated with password reuse and phishing attacks.

Still, passkeys too are not without their challenges. The reliance on device-based credentials means that if a device is lost, stolen, or compromised, the passkeys stored on it could be at risk. Additionally, sophisticated attackers can employ advanced techniques, such as deepfake technology, to spoof biometric data. Transitioning to passkeys also requires widespread adoption across platforms and services, which is an ongoing process. 

Phish-Resistant MFA Solutions

Given the evolving threat landscape, phish-resistant MFA solutions are all the more imperative. These methods are designed to withstand phishing attacks by connecting authentication to specific devices and ensuring that credentials cannot be easily intercepted or replicated. Some configurations of passkeys can land in this territory.

One effective approach is the use of hardware security keys that comply with standards like FIDO2. These keys perform cryptographic operations that are bound to the user’s security key device, making it incredibly difficult for attackers to execute AitM attacks or duplicate authentication tokens. Using hardware security keys that require physical possession adds a tangible layer of security not easily skirted by remote attackers.

A Multi-Layered Defense Strategy

While implementing robust, phish-resistant MFA is crucial, it should be just one part of a multi-layered cybersecurity strategy. At a minimum, a more holistic approach should include:

  • Incident response planning: Establishing and regularly updating an incident response plan is instrumental in helping organizations respond effectively in high-stress situations and minimize potential damage.
  • Continuous user education: Regular training programs to educate employees about new phishing techniques and social engineering tactics — and how to recognize them — to reduce the likelihood of successful attacks.
  • Advanced threat detection: Sophisticated monitoring tools can detect strange behavior and potential intrusions in real-time, so organizations can respond swiftly to emerging threats.
  • Regular security assessments: Frequent security audits and penetration testing help identify and remedy vulnerabilities before they can be exploited by bad actors.

MFA remains a critical component of cybersecurity, but it’s not a cure-all. A resilient approach to cybersecurity requires understanding the limitations of each strategy, and implementing a multi-layered, adaptive security posture. This approach goes a long way towards safeguarding your business in a risky digital world.


Eder Ribeiro is Director of Global Incident Response at TransUnion. Image courtesy of Ribeiro
