Why MFA Alone Isn’t Enough for True Cybersecurity
By Bojan Simic, Co-Founder, Interim CEO & CTO, HYPR
Multi-factor authentication (MFA) was once an unfamiliar term, but today, with hacks and data breaches dominating headlines, it is fair to say that most people now see MFA as a no-brainer, at least for now. Companies and consumers alike consider MFA the safer, more secure option. That is not wrong, since it is safer than single-factor authentication, but it does not solve the growing password problem across digital channels. In fact, despite widespread MFA adoption, account takeover fraud generated a $3.3 billion loss in 2020.
Ever since the password was invented in the 1960s, it has been a topic of contention. The intent is always positive, but its efficacy is an ongoing debate, especially given the pace at which technology is evolving.
As it stands today, there are three kinds of MFA. The first is the One-Time Password (OTP): a string of digits provided to the user via an app after they have entered a username and password. However, an OTP is still based on passwords (it is in the name, after all!) and is therefore subject to MFA phishing, mobile malware, and keyloggers.
The second kind is SMS two-factor authentication (the most common OTP delivery method today), in which the OTP is delivered to the user's smartphone by text message. Again, through error or malicious activity, the OTP can be delivered to the wrong mobile number or to a stolen phone, or intercepted via SS7 network attacks. In fact, the National Institute of Standards and Technology (NIST) stopped recommending SMS as a strong second factor back in 2016!
Finally, PUSH authentication is another mobile-centric method in which the service provider sends a notification to the user's phone, and the user taps the screen to approve access to the account. PUSH authentication can be part of a passwordless system if the solution is built on PKI or certificate-based authentication, but most PUSH authentication is an MFA mode layered on top of additional shared secrets, including (you guessed it) a password.
Unfortunately, many hackers have learned how to bypass traditional MFA, including by intercepting, phishing and spoofing SMS text messages. Many also engage in SIM swapping, in which a hacker impersonates the target to dupe a wireless carrier employee into porting the phone number associated with the target's SIM card to a new (malicious) device. Moreover, new tools such as Modlishka automate phishing attacks that bypass MFA. It couldn't be easier for hackers nowadays.
So, the question is, how do we move away from passwords yet still ensure enterprise-level security?
Every individual today experiences some level of MFA fatigue. Add to that the fact that every business, big and small, is navigating a complex authentication landscape while also managing the IT challenges of remote work. In fact, enterprise IT helpdesk departments spend more than 30% of their time helping users with password and access issues, which prevents them from making progress on the innovative projects that move the business forward. So, despite being mandated, MFA still meets a degree of resistance.
The solution? Marrying MFA with passwordless authentication; in short, combining MFA technology with a biometric login (think facial recognition). This approach removes any shared secret and eliminates the transmission and storage of credentials, thus removing the "man in the middle" and reducing the attack surface. By simply using a smartphone, security key, or platform authenticator, users can securely log into a workstation and corporate domain without ever typing a password. Passwordless authentication removes user frustration while ensuring the highest level of password security, by eliminating the password altogether. Leading companies such as Aetna/CVS Health, most major banks in the United States, airlines and insurance companies have all adopted passwordless technologies.
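The origin binding that lets public-key passwordless MFA remove the "man in the middle", as an added example in Go that is not HYPR's code: a simplified challenge-response modelled on FIDO/WebAuthn, in which the device signs the server's challenge together with the origin the browser is on, so a login relayed through a look-alike site fails the server's check. bank.example and lookalike.example are constructed names.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Constructed relying-party origin: the real server accepts assertions for this origin only.
const bankOrigin = "https://bank.example"

// Origin-bound assertion (the FIDO/WebAuthn idea): the authenticator signs the server's
// challenge plus the origin the browser is really connected to; no shared secret is relayed.
type assertion struct {
	origin    string
	challenge []byte
	sig       []byte
}

func signedBytes(challenge []byte, origin string) []byte {
	return append(append([]byte{}, challenge...), []byte(origin)...)
}

func clientSign(priv ed25519.PrivateKey, challenge []byte, origin string) assertion {
	return assertion{origin, challenge, ed25519.Sign(priv, signedBytes(challenge, origin))}
}

// serverVerify accepts only its own origin and the exact challenge it issued; a valid
// signature over any other origin or a replayed challenge is rejected.
func serverVerify(pub ed25519.PublicKey, issued []byte, a assertion) bool {
	if a.origin != bankOrigin || !bytes.Equal(a.challenge, issued) {
		return false
	}
	return ed25519.Verify(pub, signedBytes(a.challenge, a.origin), a.sig)
}

// AssertionAccepted runs one login with the browser on browserOrigin. A login relayed
// through a look-alike site is signed for that site's origin and fails verification.
func AssertionAccepted(browserOrigin string) bool {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	challenge := make([]byte, 32)
	rand.Read(challenge)
	return serverVerify(pub, challenge, clientSign(priv, challenge, browserOrigin))
}

func main() {
	fmt.Println("direct login accepted:", AssertionAccepted(bankOrigin))                  // true
	fmt.Println("relayed login accepted:", AssertionAccepted("https://lookalike.example")) // false
}
```

Real WebAuthn carries the origin and challenge in clientDataJSON and additionally checks the relying-party ID hash in the authenticator data; the principle is the same.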
Moving forward, passwordless authentication will certainly become the norm, particularly since the Federal Financial Institutions Examination Council (FFIEC) recently issued guidance on effective authentication and access risk management practices for the various parties that access financial institution services and systems. Microsoft, in particular, is taking the lead in incorporating this technology and making it non-negotiable for entities with data to secure (or, all entities). In fact, a Digital Defense Report recently published by Microsoft shows continued attacks by nation-states that did not necessarily exploit software vulnerabilities, but instead used well-known techniques such as password spraying and phishing. This highlights how vulnerable most organizations are to attack, and how widespread the antiquated use of passwords remains.
With the number of digital touchpoints increasing for companies across the board, MFA alone, and especially MFA rooted in password security, will continue to become less and less secure for both brands and consumers. With countless pieces of data and dollars to lose, neither party can afford to put their information at risk. Under the FFIEC's guidance, and with Microsoft at the forefront, passwordless MFA is the way of the future.
About the Author
Bojan Simic is the Interim CEO, Chief Technology Officer, and Co-Founder of HYPR. Previously, he served as an information security consultant for Fortune 500 enterprises in the financial and insurance verticals conducting security architecture reviews, threat modeling, and penetration testing. Bojan has a passion for deploying applied cryptography implementations across security-critical software in both the public and private sectors. His extensive experience in decentralized authentication and cryptography has served as the underlying foundation for HYPR technology. Bojan also serves as HYPR’s delegate to the FIDO Alliance board of directors, empowering the alliance’s mission to rid the world of passwords.
Bojan can be reached online on LinkedIn, Twitter and at our company website https://www.hypr.com.
FAIR USE NOTICE: Under the “fair use” act, another author may make limited use of the original author’s work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material “for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.” As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner’s exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.