While multifactor authentication (MFA) is better than single-factor authentication (i.e., only a username and password), cybercriminals are finding ways to bypass it, which makes it less secure than many think.
And there have been some high-profile cases where criminals were able to get around a company’s MFA systems. For example, several Twilio employees were duped into giving their credentials to fraudsters in phishing scams, and even EA Games’ IT team was tricked into handing an MFA code to a hacker, granting them access to the corporate network.
Why MFA is not as secure as you might think
There are a couple of reasons why MFA might not be as secure as you think. Firstly, it often relies on channels that can be compromised themselves, for example an email account or SMS (which can be redirected through SIM swapping), or on devices that could be lost or stolen.
Secondly, MFA relies on human involvement. And, as we know, humans can be manipulated through social engineering into giving away important information and data. They can also become frustrated by too many layers of security standing between them and a seemingly simple task, and let their guard down. Hackers exploit this with, for example, MFA prompt bombing: an attacker who already has the victim’s password triggers push notification after push notification until the user approves one just to make them stop.
Solutions to prevent MFA workarounds
The most effective way to make MFA more secure is to take the human out of the decision, with phishing-resistant MFA. This means moving away from one-time passcodes sent via email or SMS, which are bearer secrets a user can be tricked into typing into a fake page, and relying instead on cryptographic techniques: an asymmetric key pair where the private key never leaves the device and the signed response is bound to the genuine site’s origin, as in the FIDO2/WebAuthn standard, with a biometric or PIN used only locally to unlock the authenticator. Because the user never holds a secret that could be handed over, a phishing site has nothing to steal.
Nothing is 100% hack-proof, though, so it’s also important to educate employees on using MFA properly (and widely across different systems), and to make them aware of how hackers can manipulate them into working around MFA.