Introduction
Cybersecurity experts have been saying for YEARS that everyone needs to adopt additional ways of proving it’s really you logging into your account, on top of entering your username and password. Multi-factor authentication, often shortened to MFA and sometimes called two-factor authentication, requires you to scan your face or fingerprint, enter a one-time code received via SMS or email, or prove that it’s really you in some other way that’s separate from the application you’re trying to access.
MFA has several benefits, which include adding an extra layer of defense to your accounts AND notifying you when someone makes an attempt to break in with just the account credentials. If you get a prompt to verify a login attempt while you’re busy doing something else, it’s a sign to immediately kick-start your incident response plan and change that account’s login info.
With all the hullabaloo about adding these extra steps, would it surprise you to hear that MFA isn’t the locked-up safe that you thought it was?
Risk Factors in MFA
Before you get too mad at your IT guys for pushing it so hard, MFA is still recommended because it does stop a lot of attempted hacks. Keeping the preset password that comes with your accounts, recycling the same one for all your profiles, never changing your passwords and using simplistic ones are all virtual guarantees that you’ll be the victim of a cybercriminal at some point or another. MFA really does keep your accounts more protected and secure!
That doesn’t mean it’s infallible, though. As the popularity of MFA has grown, threat actors have been busily looking for ways to duck around these defenses. So while it’s true that using it is safer than not using it, and that it once really was the cutting edge of account safety, times change and cybercriminals will always adapt.
So, let’s look at a few of the more common ways that cybercriminals bypass multi-factor authentication these days.
- Intercepting your SMS messages when they send the one-time code to get in
- Configuring a way to completely disable the MFA setting
- Going after legacy applications that don’t have MFA or narrowing down which accounts in a connected cloud are not using it
- Going after the digital certification that sets up MFA controls in the first place
- Compromising your account after you’ve already signed in and verified your identity
- Outright phishing you for the MFA confirmation
As time goes on, hackers will surely continue to refine their methods of exploitation. Staying aware of the latest account safety tips and paying attention to suspicious activity on your accounts can help protect you as we continue to try to stay one step ahead of threat actors.
Conclusion
How can we protect ourselves from cyberattacks that go after our MFA? Monitoring our accounts for odd activity only helps after attackers have breached (or attempted to breach) them!
You may be tired of hearing it, but creating strong passwords really matters. Recent studies show that even eight, nine or ten characters aren’t enough. Use AT LEAST twelve characters, mixing numbers, symbols, and upper- and lowercase letters, to really lock your accounts tight. Remember to change your passwords every one to two months!
Also, one-time passwords that rely on SMS are easier to hack than other forms of ID verification. Consider biometrics (like a face, fingerprint or eye scan) whenever possible, instead!
Of course, even all of this preparation won’t ALWAYS keep out a determined hacker. Attempted data breaches are a matter of when, not if. Are you prepared to withstand their attacks?