Multi-factor authentication (MFA), in the form of push notifications, authenticator apps or other secondary steps, has long been seen as the answer to the growing cybersecurity problem.
But attackers are cunning and clever, and they are constantly inventing new ways to breach the MFA fortress.
Today's organizations need even stronger defenses. Experts say MFA remains crucial, but it should only be one small part of the authentication process.
“Traditional MFA methods such as SMS and push notifications have proven vulnerable to a variety of attacks, making them almost as vulnerable as passwords alone,” said Frank Dickson, group VP of security and trust at IDC. “The increasing prevalence of sophisticated threats requires a transition to stronger authentication methods.”
Why isn’t MFA enough?
The long-standing practice of relying on passwords now seems old-fashioned.
No matter what sequence of letters, numbers and special characters they consisted of, passwords proved easy to steal because users were careless, lazy, gullible or overly trusting.
“Traditional passwords are simply shared secrets, not much more advanced than a Roman guard asking for the secret code word hundreds of years ago (“Wait, who’s going there? What’s the passcode?”),” said Lou Steinberg, founder and managing partner of CTM Insights.
As Matt Caulfield, VP of Product for Identity Security at Cisco, told VentureBeat: “Once those were stolen, it was game over.”
MFA grew increasingly popular from the mid-1990s through the 2000s as more companies came online, and it seemed to be the answer to the weaknesses of traditional passwords. But with digital transformation, the move to the cloud and the rollout of dozens or even hundreds of SaaS apps, companies are more exposed than ever. They are no longer safely hidden behind firewalls and data centers, and they lack control and visibility.
“MFA changed the game for a long time,” Caulfield said. “But what we’ve found over the last five years in these recent identity attacks is that MFA is easy to defeat.”
One of the biggest threats to MFA is social engineering, or more personalized psychological tactics. Because people put so much of themselves online, through social media or LinkedIn, attackers have free rein to research anyone on the planet.
Thanks to increasingly sophisticated AI tools, stealthy threat actors can create campaigns “at scale,” Caulfield said. They first use phishing to obtain a user's primary credentials, then use AI-based outreach to trick them into sharing secondary credentials or taking actions that give attackers access to their account.
Or attackers spam the secondary MFA channel, whether SMS or push notification, resulting in “MFA fatigue” when the user finally gives in and presses “Allow.” Threat actors also target their victims by making situations appear urgent or by making them believe they are receiving legitimate messages from an IT help desk.
In man-in-the-middle attacks, meanwhile, an attacker can intercept a code in transit between the user and the provider. Threat actors also use tools that mirror login pages and trick users into entering both their passwords and MFA codes.
Enter passwordless
The failures of MFA have led many companies to adopt passwordless methods such as passkeys, device fingerprinting, geolocation or biometrics.
Passkeys authenticate users through cryptographic keys stored on their computer or device, explained Derek Hanson, VP of standards and alliances at Yubico, which produces the widely used YubiKey device.
Each party must prove its identity and communicate its intent to initiate authentication. Users can log in to apps and websites using a biometric sensor (such as a fingerprint or facial recognition), a PIN or a pattern.
“Users don’t have to remember or manually type long strings of characters that can be forgotten, stolen or intercepted,” Hanson said. This reduces the burden on users to make the right decisions and not reveal their credentials in a phishing attempt.
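To make concrete why a passkey cannot be handed to the mirrored login pages described earlier, here is an added example in Go (not Yubico's or any vendor's code): a simplified WebAuthn-style assertion whose signature covers both the site's RP ID and the origin of the page that requested the login, so the relying party rejects an assertion produced anywhere else. The Assertion layout, the "origin|challenge" client data, the example.com names and the challenge value are constructed simplifications of the real protocol, not its wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Assertion is a simplified WebAuthn-style login response (assumed layout, not the
// real wire format): a signature over the RP ID hash plus client data naming the origin.
type Assertion struct {
	RPIDHash   [32]byte
	ClientData string // "origin|challenge"; the browser, not the user, fills in origin
	Sig        []byte
}

// signedMessage binds the site (RP ID) and the page origin into one digest.
func signedMessage(rpIDHash [32]byte, clientData string) []byte {
	cdHash := sha256.Sum256([]byte(clientData))
	msg := sha256.Sum256(append(rpIDHash[:], cdHash[:]...))
	return msg[:]
}

// sign is the browser+authenticator side; origin is whichever page requested the login.
func sign(priv *ecdsa.PrivateKey, rpIDHash [32]byte, origin, challenge string) Assertion {
	cd := origin + "|" + challenge
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpIDHash, cd)) // err dropped for brevity
	return Assertion{RPIDHash: rpIDHash, ClientData: cd, Sig: sig}
}

// verify is the relying party's check: the signed origin and challenge must be its own,
// so an assertion made on a look-alike page fails even though the signature is valid.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, a Assertion) bool {
	if a.RPIDHash != sha256.Sum256([]byte(rpID)) || a.ClientData != origin+"|"+challenge {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(a.RPIDHash, a.ClientData), a.Sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // enrolment: per-site key pair
	rpHash := sha256.Sum256([]byte("example.com"))
	chal := "n0nce-1234" // constructed one-time server challenge
	good := sign(priv, rpHash, "https://example.com", chal)
	spoofed := sign(priv, rpHash, "https://examp1e.com", chal) // origin of a mirrored login page
	fmt.Println(verify(&priv.PublicKey, "example.com", "https://example.com", chal, good))    // true
	fmt.Println(verify(&priv.PublicKey, "example.com", "https://example.com", chal, spoofed)) // false
}
```

Unlike an SMS or authenticator code, there is nothing here a user could type into the wrong site: the origin is recorded by the browser and checked by the server, and the challenge makes each assertion single-use.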
“Approaches such as device fingerprinting or geolocation can complement traditional MFA,” explained Anders Aberg, director of passwordless at Bitwarden. “These methods adapt security requirements based on user behavior and context, such as location, device or network, reducing friction while maintaining high security.”
The combined use of devices and biometric data is increasing, Caulfield agreed. When first logging in and verifying, the user shows their face together with a physical ID such as a passport or driver's license, and the system performs 3D mapping, a kind of “liveness check.” Once photo IDs are verified against government databases, the system registers the device and the fingerprint or other biometric data.
“You have the device, your face, your fingerprint,” Caulfield said. “The Device Trust element is becoming much more widespread as a new panacea for stopping phishing and AI-based phishing attacks. I call it the second wave of MFA. The first wave was the silver bullet until it wasn’t.”
However, even these methods are not completely foolproof. Attackers can bypass biometric tools by using deepfakes or simply stealing a photograph of the legitimate user.
“Biometric data is stronger than passwords, but once compromised it can’t be changed,” Steinberg said. “You can change your password if you want to, but have you ever tried changing your fingerprint?”
Use analytics to create resilience
Caulfield pointed out that companies are integrating analytics tools and accumulating mountains of data, but are not using it to improve their cybersecurity.
“These tools generate a lot of telemetry data,” Caulfield said, such as who is logging in, from where and on what device. But then they “send all of it into a black hole.”
Advanced analytics can help detect and analyze identity threats, and also provide a “bridge or fail-safe” after the fact if attackers bypass MFA, he said.
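As an added illustration of the MFA-fatigue pattern and of putting that login telemetry to use instead of sending it into a black hole, the following Go example (not code from any of the vendors quoted here) scans constructed push-notification log lines and flags a user who approves a push only after a burst of prompts. The log format, the user names and the threshold and window values are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample push-MFA telemetry (not real data), one "RFC3339 user outcome" line
// per push, in time order: alice is hammered with pushes and finally taps Allow; bob is normal.
const sampleLog = `
2024-05-01T09:00:05Z alice denied
2024-05-01T09:00:40Z alice denied
2024-05-01T09:01:12Z alice timeout
2024-05-01T09:02:30Z alice denied
2024-05-01T09:03:55Z alice approved
2024-05-01T09:10:00Z bob approved`

// fatigueAlerts flags an approval that lands after at least threshold pushes to the same
// user within window: the "finally gives in" pattern. Denied and timed-out pushes count
// too, because the signal is the burst of prompts, not their outcome; bad lines are skipped.
func fatigueAlerts(lines string, threshold int, window time.Duration) []string {
	var alerts []string
	recent := map[string][]time.Time{} // per-user push times still inside the window
	for _, l := range strings.Split(strings.TrimSpace(lines), "\n") {
		f := strings.Fields(l)
		if len(f) != 3 {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		user, outcome := f[1], f[2]
		q := append(recent[user], at)
		for at.Sub(q[0]) > window { // drop pushes that have fallen out of the window
			q = q[1:]
		}
		recent[user] = q
		if outcome == "approved" && len(q) >= threshold {
			alerts = append(alerts, fmt.Sprintf("%s approved after %d pushes in %s", user, len(q), window))
		}
	}
	return alerts
}

func main() {
	fmt.Println(fatigueAlerts(sampleLog, 4, 10*time.Minute)) // [alice approved after 5 pushes in 10m0s]
}
```

In production the same sliding window would be fed by the identity provider's push logs, and the alert would be enriched with the device and source of the approval so responders can revoke the session that was just granted.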
Ultimately, companies must have a fail-safe strategy, agreed Ameesh Divatia, co-founder and CEO of data protection company Baffle. Personally identifiable information (PII) and other sensitive data must be cryptographically protected (masked, tokenized or encrypted).
“Even if a data breach occurs, cryptographically protected data is useless to an attacker,” Divatia said. In fact, GDPR and other privacy laws don’t require companies to notify affected parties when cryptographically protected data is leaked, because the data itself is still secure, he pointed out.
“Resiliency simply means that if one or more of your cybersecurity measures fail, your data is still protected,” Divatia said.
There’s a reason it’s called “multifactor.”
However, that doesn't mean MFA will disappear completely.
“Broadly speaking, the hierarchy of authentication starts with MFA because weak MFA is still better than not having it at all, and that shouldn’t be overlooked,” Dickson said.
As Caulfield pointed out, it is called multi-factor authentication for a reason: “multi” can mean anything. Ultimately, it could be a mix of passwords, push notifications, fingerprint scans, physical possession of a device, biometrics, hardware and RSA tokens (and whatever comes next).
“MFA is here to stay; the question now is just ‘How good is your MFA?’ Is it simple, sophisticated or streamlined?” he said. Ultimately, however, he emphasized: “There will never be a single factor that is completely secure on its own.”