Reinforcing Multi Factor Authentication

The password is barely holding on. Its flaws were once again exposed in a recent ransomware attack on casino operator MGM in 2023. The damage was significant, with $100 million lost due to the breach. Now, Google has noted the password’s vulnerabilities and has taken steps to ensure its apps will be “passwordless by default”.

So as the password slowly abdicates to a new heir, which specific alternatives are shaping up to take its place? Multi-factor authentication (MFA) has been rapidly adopted by organizations to help reduce the opportunities for breaches. But MFA brings its own considerations that must be addressed.

The threat posed by MFA fatigue

MFA has proved both popular and effective among adopters. Layers of security means that users must provide evidence on two or more occasions to achieve access. This makes it harder for bad actors to circumvent these layers, but they are constantly devising new ways to try and get round them. MFA fatigue is a form of social engineering in which an attacker, via automated or manual methods, manages to inundate a user with MFA prompts until they approve the sign-in request.

There’s a simple methodology behind an MFA fatigue attack. If faced with hundreds of notifications to approve logins, users are likely to believe that this is a re-authentication request for a current session, or simply an accident, and will approve it. They may also accept numerous notifications out of frustration to ensure they no longer receive them. Bad actors can then access the account. Adversaries often pretend to be a member of an organization’s IT or tech support team, leading users to believe that nothing is amiss when contacted

Additional threats to MFA deployments

Unfortunately for organizations, MFA fatigue is not just the only avenue for attackers. Although other methods do require considerable time and effort to execute, the most sophisticated criminals could resort to SIM-swapping or man-in-the-middle proxying.

Social engineering also poses a threat. This is where bad actors acquire a user’s phone number and intercept texts, which may include MFA codes, to get in to their accounts. Last year, the CISA called for improved SIM swapping protections and a shift towards a password-free future due to the attacks by LapSus$ on major companies such as Nvidia, Samsung, Ubisoft, T-Mobile, Uber and Microsoft. Man-in-the-middle proxying attacks involve proxy websites, which look like the real thing, used to gather sign-in credentials from unaware users.

Related:   World Password Day Special

Reinforcing MFA strategies

With MFA superseding passwords, organizations must shore up their security measures. Phishing resistant methods such as ‘number matching’ add an additional step to the authentication workflow. A number is presented on the login screen, which must be entered by the user when approving the MFA prompt. More defined thresholds within monitoring tools can also be set to block excessive and suspicious requests.

It’s also critical to keep tabs on any user credential leaks. Other telltale signs of suspicious activity may include impossible travel and sign-ins from unfamiliar places, alongside suspicious IPs or devices unapproved by the business. Organizations may consider hardware security keys or alternative secure methods to mitigate the risk posed by push notifications. However, this approach does raise concerns in terms of inconvenience to the user and associated costs.

Solutions to provide support

MFA integrations with sufficient protections provide significant value, but it’s not something that can be implemented in a day. It’s also unlikely to work in conjunction with operational technology that is 20 or 30 years old and will probably remain in use for the foreseeable future. To ensure effective protection against the latest techniques that cybercriminals are devising, detection and response strategies, supported by a Security Operations Center (SOC), are a necessity.

Tackling security vulnerabilities at source requires human-driven solutions. Extended Detection and Response (XDR) for example is key to ensuring long-term resilience. Making use of a modern SOC can also help organizations to respond rapidly to any changes and emerging threats.

Security to stay ahead of threats

Passwordless systems and MFA are rapidly gaining traction as the password’s time grows short. But the journey towards robust MFA implementation isn’t so straightforward as a 24-hour implementation. MFA fatigue and other sophisticated evasion tactics are more often being deployed by cybercriminals to evade these new solutions.

Organizations must now be vigilant in their adoption of MFA strategies. They can reinforce these deployments with phishing-resistant measures, enhanced monitoring protocols and other secure systems, such as hardware security keys. But cybersecurity shouldn’t stop there. MFA should also be an element of a much wider cybersecurity ecosystem, which should bring together advanced technology, vigilant monitoring and human-driven processes to stay ahead of the latest threats.

Head of Offensive Security at 

One thought on “Reinforcing Multi Factor Authentication

  • Untold tech Verizon v.s Caller ID Screener dedicated to consumers and advertisers secure phone tech tool. Stems from Verizon 2003 plea to Supreme Court blocking consumers and rivals secure phone tech tool that falling under the Telecom Act of spawned a wave of antitrust lawsuits filed.


Leave a Reply

Your email address will not be published. Required fields are marked *