Multifactor authentication (MFA) was developed to protect accounts against unauthorized logins. It was highly effective when it was introduced and, contrary to the rumor mill, it remains effective today. Hackers, however, keep developing new ways to phish users, harvest credentials, spy on browser activity, and compromise machines. As these threats mature, your defenses have to stay a step ahead, and for MFA to hold up it has to be layered with other controls. That does not make MFA obsolete or unnecessary. It does mean that even with MFA in place you still have to stay vigilant.
Multifactor Authentication and Traditional Attacks
The attack MFA is most often credited with stopping is phishing. A traditional phishing email pressures the victim to "act fast" or take some other action that requires clicking a malicious link. The link leads to a fake login page, usually hosted on a hacker-controlled web server under a domain chosen to look like the targeted site's. Such a page only captures what the victim types, normally the username and password. Because it never talks to the legitimate site, it never triggers the real login flow that prompts for (or pushes) a one-time code, and any code the victim might type in is only valid for a short window and cannot be used later. Without a valid second factor, the phished password alone does not get the hacker in.
New Evolved Attack Methods
To get around this obstacle, hackers have turned their phishing websites into proxies, a technique usually called adversary-in-the-middle (AiTM) phishing. The proxy forwards each request on behalf of the victim to the legitimate website and delivers the response back in real time, so the victim sees the genuine login flow, including the MFA prompt, and completes it. The goal is not only to capture usernames and passwords but also the active session cookies that the real website associates with the logged-in account. Those cookies can be loaded into the hacker's own browser to access the account directly, with no further authentication and no MFA prompt, for as long as the session stays valid.
If a hacker "hooks" you this way, MFA will not save you: the hacker holds a valid session, and your network can be compromised. The result can be damaged or stolen data, business disruption and downtime, and reputational and financial loss.
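The proxy flow described above, modelled in-process as an added example (illustrative code written for this article, not a tool or code from the original post). It assumes a fictitious legitimate site at login.example.com, a proxy at the lookalike login-example.com, one constructed user record, and an HMAC in place of a real authenticator signature. It goes one step beyond the text: besides showing a one-time-code login being relayed and the resulting session cookie replayed, it shows what happens when the second factor is bound to the origin the browser actually visited, as FIDO2/WebAuthn credentials are, which is the one form of MFA that defeats the proxy outright.

```python
"""Toy in-process model of an adversary-in-the-middle (AiTM) phishing proxy.
Added example, not code from the original article. Domain names, the user
record and the HMAC standing in for an authenticator signature are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

REAL_ORIGIN = "https://login.example.com"   # assumed legitimate login page
PHISH_ORIGIN = "https://login-example.com"  # assumed attacker-controlled proxy
# Constructed user record: username -> (password, per-user secret).
USERS = {"alice": ("correct horse battery staple", b"alice-authenticator-secret")}

def one_time_code(secret: bytes, step: int) -> str:
    """Toy HOTP-like code; a real TOTP derives `step` from the clock."""
    return hmac.new(secret, str(step).encode(), hashlib.sha1).hexdigest()[:6]

def origin_bound_assertion(secret: bytes, challenge: str, origin: str) -> dict:
    """Toy authenticator: signs the challenge together with the origin the browser
    is really talking to (the property WebAuthn relies on). HMAC stands in for
    the real public-key signature."""
    sig = hmac.new(secret, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()
    return {"challenge": challenge, "signature": sig}

@dataclass
class LegitSite:
    """The real service: password plus a second factor, then a session cookie."""
    users: dict
    sessions: set = field(default_factory=set)
    step: int = 1  # current one-time-code window

    def _secret_if_password_ok(self, user, password):
        pw, secret = self.users.get(user, (None, None))
        return secret if pw is not None and hmac.compare_digest(pw.encode(), password.encode()) else None

    def login_otp(self, user: str, password: str, code: str) -> dict:
        secret = self._secret_if_password_ok(user, password)
        if secret is None or not hmac.compare_digest(code, one_time_code(secret, self.step)):
            return {"status": 401}
        return self._issue_session()

    def login_bound(self, user: str, password: str, assertion: dict) -> dict:
        secret = self._secret_if_password_ok(user, password)
        if secret is None:
            return {"status": 401}
        # Verify against REAL_ORIGIN: a signature made while the browser was on
        # the proxy's origin cannot match, however quickly it is relayed.
        expected = origin_bound_assertion(secret, assertion["challenge"], REAL_ORIGIN)
        if not hmac.compare_digest(expected["signature"], assertion["signature"]):
            return {"status": 401}
        return self._issue_session()

    def _issue_session(self) -> dict:
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return {"status": 200, "set_cookie": cookie}

    def account(self, cookie: str) -> int:
        """Any request carrying a valid session cookie is served; no MFA asked."""
        return 200 if cookie in self.sessions else 401

@dataclass
class PhishingProxy:
    """Lookalike site: relays each request to the real site in real time and keeps
    a copy of the credentials and of the Set-Cookie in the response."""
    upstream: LegitSite
    loot: list = field(default_factory=list)

    def relay(self, endpoint: str, user: str, password: str, factor) -> dict:
        resp = getattr(self.upstream, endpoint)(user, password, factor)
        if resp["status"] == 200:
            self.loot.append({"user": user, "password": password, "cookie": resp["set_cookie"]})
        return resp

def aitm_against_otp() -> int:
    """Victim logs in through the proxy with a one-time code. Returns the status
    the attacker gets when replaying the stolen cookie against the real site."""
    site = LegitSite(USERS)
    proxy = PhishingProxy(site)
    pw, secret = USERS["alice"]
    # The victim copies the code from their phone into the phishing page; the
    # proxy forwards it inside the validity window, so the real site accepts it.
    proxy.relay("login_otp", "alice", pw, one_time_code(secret, site.step))
    return site.account(proxy.loot[0]["cookie"])  # 200: attacker is logged in

def aitm_against_origin_bound() -> int:
    """Same proxy, but the second factor is bound to the origin the browser saw."""
    site = LegitSite(USERS)
    proxy = PhishingProxy(site)
    pw, secret = USERS["alice"]
    # The address bar shows the proxy, so the authenticator signs PHISH_ORIGIN;
    # the proxy relays it unchanged and the real site rejects it.
    assertion = origin_bound_assertion(secret, secrets.token_hex(8), PHISH_ORIGIN)
    return proxy.relay("login_bound", "alice", pw, assertion)["status"]  # 401

if __name__ == "__main__":
    print("OTP login via proxy, stolen cookie replayed:", aitm_against_otp())
    print("Origin-bound login via proxy:", aitm_against_origin_bound())
```

The point of the two runs is where the second factor gets bound. A one-time code is valid for anyone who presents it inside its window, so relaying it in real time is enough. An origin-bound assertion is only valid for the origin the browser actually saw, and the proxy cannot change that without the authenticator's secret, so the relayed login fails and there is no session to steal.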
Urgency for Defense-in-Depth
Protecting yourself on multiple levels in addition to MFA lowers your overall risk and makes it less likely that a successful phish turns into a compromised network. Staying ahead of cyber attacks will always be an uphill battle, so organizations must follow best practices and deploy several tools that protect their employees and networks against these attacks in real time.
The best defense is to layer tools such as advanced threat detection, next-generation firewalls and antivirus, and MFA on top of awareness training. Teaching users to be vigilant and to check that they are authenticating on the correct website, under the correct domain name, should be a top priority for every organization. Where it is available, prefer phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys): the credential is bound to the real site's origin, so a login relayed through a lookalike domain fails even when the user is fooled. Without this layered approach, you are leaving security holes open for hackers to exploit.
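One concrete detection layer for the lookalike-domain problem raised here (and in the description of traditional phishing pages earlier): a small scan of web-proxy logs that flags hostnames resembling the domains users are supposed to authenticate on. This is an added example, not code from the original article. The protected-domain list, the substitution table, the thresholds and the log lines are all constructed; a real deployment would use a public-suffix list and a fuller confusable-character table.

```python
"""Flag lookalike login domains in web-proxy logs.
Added example, not from the original article. PROTECTED, SUBSTITUTIONS, the
thresholds and SAMPLE_LOG are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Assumed: the only hostnames users should ever enter company credentials on.
PROTECTED = ["login.example.com", "mail.example.com", "sso.example.com"]

# Common visual substitutions, undone before comparing (incomplete by nature).
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed log lines: timestamp, user, method, URL.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z alice GET https://login.example.com/oauth2/authorize
2024-05-02T09:15:41Z bob GET https://login-example.com/oauth2/authorize
2024-05-02T09:16:02Z carol GET https://login.exarnple.com/common/login
2024-05-02T09:17:55Z dave GET https://login.example.com.account-verify.net/login
2024-05-02T09:18:10Z erin GET https://docs.python.org/3/library/hmac.html
2024-05-02T09:19:27Z frank GET https://portal.login.example.com/dashboard
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def normalize(host: str) -> str:
    """Lower-case and undo common lookalike substitutions."""
    h = host.lower()
    for src, dst in SUBSTITUTIONS:
        h = h.replace(src, dst)
    return h

def registrable(host: str) -> str:
    """Naive registrable domain: last two labels (no public-suffix list here)."""
    return ".".join(host.split(".")[-2:])

def levenshtein(a: str, b: str) -> int:
    """Edit distance, standard dynamic-programming version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str):
    """Return a reason string if `host` looks like one of PROTECTED, else None."""
    if host in PROTECTED:
        return None
    n = normalize(host)
    for p in PROTECTED:
        np_ = normalize(p)
        if n == np_:
            return f"homoglyph of {p}"
        d = levenshtein(n, np_)
        if d <= 2:
            return f"edit distance {d} from {p}"
        # The real name embedded under someone else's registrable domain,
        # e.g. login.example.com.attacker.net; a genuine subdomain passes.
        if registrable(p) in n and registrable(n) != registrable(p):
            return f"embeds {registrable(p)} under {registrable(n)}"
    return None

def flag_lookalikes(log_text: str) -> list:
    """Return (user, host, reason) for every request to a lookalike domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, user, _method, url = m.groups()
        host = urlsplit(url).hostname or ""
        reason = classify(host)
        if reason:
            hits.append((user, host, reason))
    return hits

if __name__ == "__main__":
    for user, host, reason in flag_lookalikes(SAMPLE_LOG):
        print(f"{user}: {host} ({reason})")
```

Three of the six constructed requests are flagged (the dash-for-dot variant, the rn-for-m homoglyph, and the real name nested under a different registrable domain), while the genuine login host, a genuine subdomain of it, and an unrelated site pass. Such a hit is a lead for the security team, not proof of compromise; the next step is to check whether the flagged user submitted credentials and, if so, to revoke their sessions, since an AiTM proxy will already hold the cookie.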