Out with the old and in with the improved: MFA needs a revamp

From AI to ZTA (zero-trust architecture), the technology responsible for protecting your company’s data has evolved immensely. Despite the advances, cybercriminals repeatedly find new and creative ways to gain access to sensitive information, with potentially devastating consequences. That makes it essential for security leaders to think about threats proactively rather than after the fact.

MFA bypass

One of the key areas where cyber protection will continue to evolve in 2024 is multi-factor authentication (MFA).

MFA comes highly recommended, and for good reason

MFA has been a tried-and-true solution for years. That’s because it requires two or more identification factors from different categories – something you know (a password), something you have (a hardware key or phone) or something you are (a fingerprint) – so that a single compromised factor is not enough to log in.

With MFA in place, an attacker who obtains your password still cannot satisfy the second factor, so the stolen credential on its own gets them nowhere. For all intents and purposes, MFA is standard best practice for protecting your data.

Still, while this additional protection is certainly helpful, it is not perfect. Lately we have seen a surprising number of high-profile social engineering attacks that end in an MFA bypass.

An MFA bypass can be achieved through various strategies, and most of them exploit the same weak point: the human. To get past the MFA barrier, cybercriminals will often send phishing emails that nudge the victim into approving a login or even reading an MFA code back to the attacker. Flooding the victim with push notifications until they approve one out of annoyance (MFA fatigue, also called push bombing) can be just as effective as a SIM swap against SMS-based MFA.
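As an added example (not part of the original article), the following Python snippet shows the kind of detection a SOC would run for the push-bombing pattern described above: it reads authentication log lines, counts push prompts per user inside a sliding window, and flags users who receive a burst of prompts and then approve one. The log format, the user names, the IP addresses and the threshold are all constructed for the example and are not any vendor's real schema.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example: "<ISO-8601 UTC> user=<name> event=<kind> ip=<addr>"
LINE = re.compile(r"^(\S+) user=(\S+) event=(push_sent|push_approved|push_denied) ip=(\S+)$")

# Constructed sample log: bob does a normal login; alice is bombed with six push
# prompts in under four minutes and finally approves one.
SAMPLE_LOG = """\
2024-01-15T08:01:02Z user=bob event=push_sent ip=203.0.113.7
2024-01-15T08:01:30Z user=bob event=push_approved ip=203.0.113.7
2024-01-15T02:14:00Z user=alice event=push_sent ip=198.51.100.23
2024-01-15T02:14:05Z user=alice event=push_denied ip=198.51.100.23
2024-01-15T02:14:40Z user=alice event=push_sent ip=198.51.100.23
2024-01-15T02:15:20Z user=alice event=push_sent ip=198.51.100.23
2024-01-15T02:16:01Z user=alice event=push_sent ip=198.51.100.23
2024-01-15T02:16:45Z user=alice event=push_sent ip=198.51.100.23
2024-01-15T02:17:30Z user=alice event=push_sent ip=198.51.100.23
2024-01-15T02:17:52Z user=alice event=push_approved ip=198.51.100.23
"""


def parse(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, user, event, ip = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "ip": ip,
        })
    return events


def detect_push_fatigue(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag users who get >= threshold push prompts inside `window`.

    Returns one finding per affected user: how many prompts were in flight at the
    peak, when the threshold was first crossed, whether an approval followed the
    burst (the attacker's goal) and which source IPs requested the prompts.
    """
    events = sorted(parse(lines), key=lambda e: e["ts"])  # logs may arrive out of order
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        recent = deque()        # timestamps of prompts still inside the sliding window
        burst_start = None      # time the window first held `threshold` prompts
        approved_after = False
        peak = 0
        ips = set()
        for e in evs:
            if e["event"] == "push_sent":
                ips.add(e["ip"])
                recent.append(e["ts"])
                while recent and e["ts"] - recent[0] > window:
                    recent.popleft()
                if len(recent) >= threshold:
                    if burst_start is None:
                        burst_start = recent[0]
                    peak = max(peak, len(recent))
            elif e["event"] == "push_approved" and burst_start is not None:
                approved_after = True   # victim gave in after the flood
        if burst_start is not None:
            findings.append({
                "user": user,
                "pushes": peak,
                "burst_start": burst_start.isoformat(),
                "approved_after_burst": approved_after,
                "ips": sorted(ips),
            })
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(f)
```

A finding with `approved_after_burst` set is the one to treat as a likely compromise rather than a nuisance: the session created by that approval should be revoked and the account's password reset, since the attacker already holds a valid password to trigger the prompts.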

A more advanced technique, often called an adversary-in-the-middle (AiTM) attack, involves directing the victim (via phishing messages) to a fraudulent site that sits as a reverse proxy in front of the real login page. The victim enters their password and completes the MFA prompt on what is, through the proxy, the genuine site. Once the login completes, the attacker captures the session cookie that the real site issued; that cookie already represents a fully authenticated session, so no second factor is ever asked of the attacker. While this strategy requires a more experienced threat actor, it is growing in popularity because it defeats one-time codes and push approvals alike.

For more dedicated cybercriminals, there are other ways to be perceived as trustworthy and get the information they need. Picture this: you receive an email from the IT helpdesk at your company – the person gives you instructions to fix something you complained about and sends you on your way. The next day, he reaches out to you again, but this time he needs your help. He asks you for an MFA code, saying you should have received it as part of a standard internal test. You happily provide it and (unknowingly) hand the cybercriminal access to the company’s data. In this story, the helpdesk employee was the first victim of phishing, and their compromised mailbox lent the request its credibility. While not extremely common yet, this is one of the many creative strategies attackers have started using to bypass MFA.

What can we expect in the new year?

The long and short of it is that MFA is not unbreakable. While it is a fantastic security tool that puts up barriers for cybercriminals and will only continue to improve, user error will always remain a risk.

Phishing-resistant MFA is already becoming more widely used and, as the name suggests, it relies on identification methods that cannot be relayed or read back to an attacker the way a code or a push approval can.

This updated MFA technology (FIDO2/WebAuthn security keys and passkeys) keeps a private key on the user’s authenticator that never leaves the device. At login the authenticator signs a challenge from the server together with the origin the browser is actually talking to, so a credential registered for the real site will not produce a valid response for a look-alike domain, and a proxied login attempt fails even if the user is fooled. Combined with zero-trust architecture (ZTA) and user and entity behavior analytics (UEBA), it can materially increase resilience. Over the course of the year, we will see more businesses adopting this technology to combat creative attackers and improve their overall security.
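To make the contrast between the proxy attack described earlier and the origin binding of phishing-resistant MFA concrete, here is an added simulation in Python (not code from the original article or from any WebAuthn library). It models a relying party that accepts either a TOTP-style code or a WebAuthn-style assertion, a user authenticator, and an attacker's reverse proxy. The origins `https://bank.example` and `https://bank-login.example`, the user `alice`, and the use of HMAC as a stand-in for the authenticator's public-key signature are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://bank.example"           # constructed: the real site
PHISH_ORIGIN = "https://bank-login.example"  # constructed: the attacker's reverse proxy


def otp_code(secret, window):
    """TOTP-like 6-digit code for a time window (simplified stand-in for RFC 6238)."""
    digest = hmac.new(secret, window.to_bytes(8, "big"), hashlib.sha1).digest()
    return str(int.from_bytes(digest[-4:], "big") % 10**6).zfill(6)


class RelyingParty:
    """Minimal login service that accepts either an OTP or an origin-bound assertion."""

    def __init__(self, origin):
        self.origin = origin
        self.otp_secrets = {}   # user -> OTP seed shared with the phone app
        self.credentials = {}   # user -> authenticator key (HMAC stand-in for a public key)
        self.sessions = {}      # session cookie -> user
        self.pending = {}       # user -> outstanding challenge

    def enroll(self, user, otp_secret, cred_key):
        self.otp_secrets[user] = otp_secret
        self.credentials[user] = cred_key

    def _issue_session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def login_with_otp(self, user, code, window):
        # Whoever holds a fresh code can log in: nothing ties it to who typed it or where.
        if hmac.compare_digest(code, otp_code(self.otp_secrets[user], window)):
            return self._issue_session(user)
        return None

    def challenge(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def login_with_assertion(self, user, client_data_json, signature):
        client_data = json.loads(client_data_json)
        expected_challenge = self.pending.pop(user, None)
        expected_sig = hmac.new(self.credentials[user],
                                hashlib.sha256(client_data_json).digest(),
                                hashlib.sha256).digest()
        ok = (client_data.get("origin") == self.origin            # origin binding stops the proxy
              and client_data.get("challenge") == expected_challenge  # challenge binding stops replay
              and hmac.compare_digest(signature, expected_sig))
        return self._issue_session(user) if ok else None


class Authenticator:
    """The user's security key. It signs the origin the *browser* reports, which a phishing page cannot alter."""

    def __init__(self, cred_key):
        self.key = cred_key

    def sign(self, challenge, browser_origin):
        client_data_json = json.dumps({"challenge": challenge, "origin": browser_origin},
                                      sort_keys=True).encode()
        sig = hmac.new(self.key, hashlib.sha256(client_data_json).digest(), hashlib.sha256).digest()
        return client_data_json, sig


def setup():
    rp = RelyingParty(RP_ORIGIN)
    otp_secret, cred_key = secrets.token_bytes(20), secrets.token_bytes(32)
    rp.enroll("alice", otp_secret, cred_key)
    return rp, otp_secret, Authenticator(cred_key)


def aitm_otp_phish(window=12345):
    """Proxy relays the code the victim typed into the fake page; attacker keeps the cookie."""
    rp, otp_secret, _ = setup()
    code_typed_into_phish_page = otp_code(otp_secret, window)          # victim reads it off the phone
    cookie = rp.login_with_otp("alice", code_typed_into_phish_page, window)  # proxy replays it
    return cookie is not None and rp.sessions[cookie] == "alice"


def aitm_webauthn_phish():
    """Same proxy, but the victim answers with an origin-bound assertion from the phishing site."""
    rp, _, authn = setup()
    challenge = rp.challenge("alice")                          # proxy fetches a genuine challenge
    client_data, sig = authn.sign(challenge, PHISH_ORIGIN)     # browser is on the look-alike origin
    return rp.login_with_assertion("alice", client_data, sig) is not None


def legit_webauthn_login():
    """Control case: the same assertion made on the real origin is accepted."""
    rp, _, authn = setup()
    challenge = rp.challenge("alice")
    client_data, sig = authn.sign(challenge, RP_ORIGIN)
    return rp.login_with_assertion("alice", client_data, sig) is not None


if __name__ == "__main__":
    print("OTP relayed through proxy gives attacker a session:", aitm_otp_phish())
    print("WebAuthn relayed through proxy gives attacker a session:", aitm_webauthn_phish())
    print("WebAuthn on the real origin logs the user in:", legit_webauthn_login())
```

In a real browser the situation is better still than the simulation shows: the credential is scoped to the relying party's domain, so the browser would not even offer it on the look-alike site, and the signature is a genuine public-key signature rather than the HMAC stand-in used here.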
