
Why MFA isn’t the cyber security silver bullet you think it is


You’ve got multi-factor authentication for your organisation’s IT environment. That’s good.

However, it’s important that you don’t rely too much on MFA.

MFA delivers value by reducing your exposure to a range of user identity attacks. It adds another layer of security to your IT environment and is a must-have for organisations with remote or hybrid workforces. However, it should be just one part of your overall cyber security strategy alongside other tools, staff training, partnerships with experts, and more. On its own, MFA doesn’t stand a chance against the sophisticated tactics, techniques and procedures cyber attackers use today.

In this article, we’ll talk about how MFA works and how it helps to improve your security, but also why MFA isn’t the magic remedy for all your cyber security pains. Then, we’ll discuss how to supplement your MFA tool to better safeguard your IT environment. Let’s get started.

What is MFA?

Multi-factor authentication is the requirement for a user to prove their credentials in two or more ways in order to access an IT environment. You’ll be familiar with MFA from many online apps and tools, including online banking, where it’s been in use for years.

MFA works by adding another layer of security to your account. For example, someone could steal your password, but wouldn’t be able to log in without accessing the MFA code texted to your phone. When MFA technology first emerged, it was billed as the surefire way to stop people from breaching accounts using stolen passwords. Unfortunately, it hasn’t worked out that way.

What’s wrong with MFA?

The problem with multi-factor authentication—and the reason it’s not a silver bullet—is a familiar one in cyber security. Whatever the tool, however effective it is at first, attackers eventually catch up and find a way around it. 

Firstly, attackers have developed tools to bypass MFA by manipulating people through sophisticated phishing campaigns. Tools such as EvilGinx2 allow attackers to replicate the MFA experience (1). EvilGinx2 is a phishing kit designed to capture the username and password, the MFA code, and the authentication session that results from a successful login.

From the user’s perspective, they receive a link that resembles a Microsoft 365 link, they click on it and enter their password, and they still get a prompt on their phone. Once they approve that prompt, the attacker receives the authentication token from Microsoft and is able to loiter in the environment for as long as 28 days. The only thing the user could possibly have noticed is that the URL of the (supposedly) M365 site is different. Still, if attackers purchase a domain that looks similar enough, users can be forgiven for not spotting it. In this scenario, MFA hasn’t helped at all.

These ‘Man In The Middle’ attacks have been successful in breaching networks at several well-known tech organisations, including Twilio, a global provider of SMS and telephony, and Cloudflare, a provider of website security and performance. In February 2023, Reddit reported that cyber attackers had stolen employee usernames, passwords and MFA tokens through a sophisticated phishing attack aimed at its employees like the one illustrated above (2). They then attempted to ransom this stolen data back to Reddit for $4.5 million.

Next, cyber attackers have found ways to make their campaigns more efficient. For example, they launch these sophisticated attacks at times when their target organisations are at their most vulnerable. It’s no surprise that so many organisations get breached around Christmas or bank holidays, when many companies let their security people take time off and run a skeleton staff. 

Finally, cyber attackers have realised they can make more money by hacking people rather than systems. Compromising people’s email accounts is very profitable in its own right, allowing attackers to carry out activities, including:

  • Looking for invoices that enable them to commit invoice fraud
  • Emailing all contacts to spread their malicious activities further
  • Selling email access details on the dark web

MFA is little help in the fight against Business Email Compromise, which is another reason it can never be the cyber security silver bullet. While attackers’ techniques and tools continue to evolve, so do the defensive measures available to organisations. While once MFA was considered by many to be the key security measure to protect user identity, it’s now being outshone by more modern and advanced capabilities.

How to stay secure when MFA no longer works

If MFA can’t guarantee protection from attackers looking to compromise your user accounts, how can you be confident you’ve got appropriate safeguards in place? Even if you have them in place today, how do you know they’re still appropriate tomorrow?

MFA worked (for some time) because it added an extra layer of security to the account login process. When you apply that principle to your entire threat detection strategy, taking a multilayer approach, you’re more likely to succeed.

A good place to start is with the technology. Don’t get rid of your multi-factor authentication, but bearing in mind that hackers can get around it, invest in tools that can detect when someone logs in from a different location from usual. For example, if someone typically logs in from London, but one day logs in from Istanbul, or they’re using a suspect IP address, there’s a good chance they’re not who you think they are. These anomalies are quite simple to spot with AI that analyses login patterns through tools such as “Conditional Access”. You also need the right detective controls in place to identify when someone has been breached by an MFA bypass social engineering attack, such as the EvilGinx2 scenario described above. This combination can help you be more alert to attackers attempting to infiltrate your system.
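To make the login-pattern analysis in that paragraph concrete, here is an added example in Python (it is not code from the article or from Doherty Associates, and it is not how any particular Conditional Access product is implemented). It runs three checks over sign-in records: a suspect source IP, a first-ever sign-in from a new city for that user, and “impossible travel”, where the distance between two consecutive sign-ins divided by the time between them exceeds a plausible speed. The sign-in records, coordinates, the suspect-IP list and the speed threshold are all constructed sample values.

```python
"""Added example (not from the original article): new-location and
impossible-travel checks over constructed sign-in records, the kind of
analysis a sign-in risk rule or SIEM detection performs.

Every record, coordinate, IP address and threshold below is constructed
sample data chosen for illustration.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events: (user, UTC timestamp, city, latitude, longitude, source IP).
SIGN_INS = [
    ("alice", "2024-03-04T08:02:00Z", "London",     51.5074, -0.1278, "203.0.113.10"),
    ("alice", "2024-03-04T09:15:00Z", "London",     51.5074, -0.1278, "203.0.113.10"),
    ("alice", "2024-03-04T10:40:00Z", "Istanbul",   41.0082, 28.9784, "198.51.100.77"),
    ("bob",   "2024-03-04T08:30:00Z", "London",     51.5074, -0.1278, "203.0.113.20"),
    ("bob",   "2024-03-05T08:35:00Z", "Manchester", 53.4808, -2.2426, "203.0.113.21"),
    ("carol", "2024-03-04T12:00:00Z", "London",     51.5074, -0.1278, "192.0.2.55"),
]

# Constructed blocklist standing in for a threat-intelligence feed of suspect IPs.
SUSPECT_IPS = {"192.0.2.55"}

# Assumed threshold: moving faster than this between two sign-ins is treated as impossible.
MAX_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points (haversine formula)."""
    earth_radius_km = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def parse_ts(ts):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamps as aware UTC datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyse(sign_ins, suspect_ips=SUSPECT_IPS, max_kmh=MAX_KMH):
    """Return a list of (user, timestamp, reason) alerts for anomalous sign-ins.

    Records are processed per user in time order, so 'known cities' and
    'previous sign-in' only ever refer to events that happened earlier.
    """
    alerts = []
    last_seen = {}      # user -> (datetime, city, lat, lon) of the previous sign-in
    known_cities = {}   # user -> set of cities already seen for that user

    for user, ts, city, lat, lon, ip in sorted(sign_ins, key=lambda r: (r[0], r[1])):
        now = parse_ts(ts)

        # Check 1: source address on the suspect list.
        if ip in suspect_ips:
            alerts.append((user, ts, f"sign-in from suspect IP {ip}"))

        # Check 2: first sign-in from a city this user has never used before.
        seen = known_cities.setdefault(user, set())
        if seen and city not in seen:
            alerts.append((user, ts, f"first sign-in from {city}"))

        # Check 3: impossible travel relative to the previous sign-in.
        prev = last_seen.get(user)
        if prev is not None:
            prev_time, prev_city, prev_lat, prev_lon = prev
            hours = (now - prev_time).total_seconds() / 3600.0
            distance = haversine_km(prev_lat, prev_lon, lat, lon)
            if hours > 0 and distance / hours > max_kmh:
                alerts.append((user, ts,
                               f"impossible travel: {prev_city} to {city}, "
                               f"{distance:.0f} km in {hours:.2f} h"))

        seen.add(city)
        last_seen[user] = (now, city, lat, lon)

    return alerts


if __name__ == "__main__":
    for user, ts, reason in analyse(SIGN_INS):
        print(f"{ts} {user}: {reason}")
```

On the constructed data, alice’s London-to-Istanbul hop raises both a new-location and an impossible-travel alert, bob’s move to Manchester a day later raises only a new-location alert (his implied speed is far below the threshold), and carol is flagged purely on the suspect IP. In practice the city and coordinate columns come from IP geolocation, the speed threshold and “known location” history are tuned per organisation, and an alert here is a trigger for a step-up challenge or session revocation rather than proof of compromise.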

Next, turn your attention to your people. After all, most breaches happen when someone clicks on the wrong email attachment or inadvertently gives a cyber attacker privileged information. Ensure your staff members—old and new—are trained to spot potentially suspect emails, login screens, and text messages. This training should also include reacting appropriately when something goes wrong. 

Finally, look at your processes. For instance, how robust are your access controls? Consider locking down system access, so only recognised and trusted devices can access resources. Consider how you cover periods like Christmas when people traditionally take holidays, but are popular times for cyber attacks. In a world where cyber attacks never sleep, you need a 24/7/365 security service that never sleeps either. Partnering with a managed services provider can be an effective way to ensure you’re cyber secure around the clock.

Do I still need multi-factor authentication?

People who deal with defensive cyber security have a tough role in their organisation. They rightly focus on new threats and ever-more-sophisticated techniques for breaching their networks. However, that doesn’t mean the old threats have gone away. Traditional persistent threats continue to be an issue and can’t be ignored.

As a result, while it isn’t the silver bullet, there should always be a place for MFA in your cyber security stack, but don’t rely on it. We talked about conditional access, detective controls and 24/7 response in the previous section, but it is crucial to think bigger still by building out a holistic cyber security strategy, using a recognised framework such as the NIST Cybersecurity Framework and its five pillars:

  • Identify – What types of cyber risks are you exposed to?
  • Protect – How do you effectively safeguard the assets you identified?
  • Detect – How will you find out if there are cyber threats against your assets?
  • Respond – If you detect cyber security threats, does someone respond promptly 24/7?
  • Recover – If a cyber attack impacts your infrastructure and wider business, how will you fix it and bounce back?

Only then, with an overarching framework covering all your bases, can you begin to feel confident that you’re taking appropriate steps to protect your organisation.

Move away from excessive reliance on MFA with Doherty Associates

At Doherty Associates, we help organisations with the big picture and the practical aspects of cyber security. We can help you develop a security strategy based on the NIST framework that can govern everything you do, but we can also work on the practical side, including:

  • Setting up conditional access and detective controls
  • Ensuring you’re supported 24/7/365 (even at Christmas)
  • Assisting with day-to-day governance, compliance, and regulatory matters relating to your cyber and information security

There is no silver bullet in cyber security, but for guidance in developing a broader and more robust cyber strategy, speak to Doherty Associates first.

Get in touch with us today.


Sources:

1 – https://www.aon.com/cyber-solutions/aon_cyber_labs/bypassing-mfa-a-forensic-look-at-evilginx2-phishing-kit/

2 – https://www.theverge.com/2023/6/19/23765895/reddit-hack-phishing-leak-api-pricing-steve-huffman
