Introduction
How often do you use multi-factor authentication on a daily basis? What about weekly? Monthly? How many MFA codes have you entered the past year?
Whether it’s for work, school or just an account we use for fun, many platforms and applications now require more than just a password to log in!
So, why do security experts insist on using multi-factor authentication (which you may sometimes see referred to as two-factor authentication, TFA or MFA) so strictly and for every account?
Types of MFA
Multi-factor authentication adds an extra layer of security to your accounts, making them much more difficult for attackers to compromise. Even if an attacker knows your password, they will not be able to log in to your account without also having access to your MFA factor.
Thankfully, many MFA requirements involve biometric identification, which means using something completely unique to your person—like a fingerprint or face ID. You might also encounter voice recognition and retina scans to verify your identity.
These ID verifications can also protect physical assets, such as by requiring a handprint scan before allowing trusted personnel into a restricted area of the building. Depending on what role you play in your organization, your security clearance level may grant you privileged access to extremely sensitive information, which naturally requires more stringent protection.
The strongest MFA factors combine two or more different methods. For example, using both biometric ID and a one-time password, PIN or security question. One-time passwords may be communicated via text, email or even phone call. Additionally, you might use a mobile app to generate a QR code or one-time password as well.
Still…are these extreme measures really necessary?
Where MFA Falls Short
Unfortunately, the fact remains that no technology is infallible. As long as cybercriminals exist, they will continue to invent new methods and technologies for thwarting even our best defenses! That includes multi-factor authentication.
Some ways that cybercriminals can bypass MFA include:
- MFA Fatigue: Attackers may send the victim a barrage of MFA requests until they accidentally approve one. This can be a very effective attack, especially if the victim is tired or distracted. It only takes one slip-up to lose all your data!
- Man-in-the-middle attacks: Hackers can intercept communication between the you and the service they are trying to access. For example, they could spy on your texts or emails to get the one-time password that they need.
- Session hijacking: Attackers may steal the your online session cookie, which allows the hacker to access that account without having to enter their password or MFA code at all.
- SIM swapping: Phone numbers can be transferred to other SIM cards, which would allow the attacker to receive their victim’s SMS-based MFA codes.
- Exploiting vulnerabilities: MFA systems are not perfect, and thus may contain vulnerabilities exploitable by threat actors. For example, an attacker might exploit a vulnerable MFA app to generate their own OTPs. They can even disable the MFA function completely!
- Malware: Malware can steal MFA codes from your device, and even exploit vulnerabilities in MFA systems on behalf of the threat actor who planted it.
Why We Need MFA
Again, the sad truth is that there’s no such thing as 100% impenetrable technology. Nevertheless, MFA is much more difficult to falsify or break through by force than passwords alone. Thus by using a strong MFA system and being aware of the different types of MFA bypass attacks, you can make it much more difficult for attackers to compromise your accounts.
Protect yourself against attacks meant to bypass MFA!
- Use a strong password manager to create and store unique and complex passwords, with at least 12 characters, for all of your online accounts.
- Enable MFA on all of your online accounts that support it.
- Use the strongest MFA factor available, such as a hardware key or biometric authentication.
- Be careful about clicking on links in emails and text messages, even if they appear to come from legitimate sources.
- Keep your devices and software up to date.
- Use a security solution that can protect you from malware and other online threats.
Protect your accounts with the same ferocity with which hackers are trying to compromise them! MFA is a great tool to have on your side.