Why You Should Use Multi-Factor Authentication (MFA) (2024)

Using multi-factor authentication (MFA) is one of the best ways to help keep your online accounts secure. While MFA can be defeated (since no tool is 100% perfect), the extra step creates a roadblock that may make a cybercriminal more likely to move on to the next target. Here’s what to know about MFA, how hackers try to bypass it, and how to identify an MFA scam.

With MFA turned on, an attacker needs more than just a username and password to gain access to your accounts or devices.

When you turn on MFA for a service, you change the security requirements. MFA forces you to provide at least two proofs of identity when accessing a secure service for the first time on an unknown device.

Those two forms of authentication can come from any combination of at least two of the following elements:

  • “Something you know,” such as a password or PIN
  • “Something you are,” such as a fingerprint or other biometric ID
  • “Something you have,” such as a trusted smartphone that can generate or receive confirmation codes, or a hardware-based security device

For the most part, MFA systems today use the first item (your password) and the last item (your smartphone).

Authentication methods include receiving a code via text message, using an authenticator app on your phone, or even receiving a phone call where you press a key for authentication.

How the authenticator app works is interesting. The process is governed by a well-accepted standard, the Time-based One-Time Password (TOTP) algorithm. Under that algorithm, the authenticator app acts as a sophisticated calculator that generates codes from the current time on your device and a secret it shares with the online service. The online service uses the same secret and its own timestamp to generate codes that it compares against your entry. Both sides of the connection can adjust for time zones without a problem, although your codes will fail if the time on your device is wrong.
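The calculation described above, written out as an added example (it is not code from this article or from any particular authenticator app). It follows the published TOTP and HOTP standards (RFC 6238 and RFC 4226); the sample secret is the RFC test value, and the one-step tolerance in verify() is an assumption, since each service chooses its own.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step, the usual TOTP default

# RFC 6238 test secret, used only as sample input; a real secret is random.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte counter, then dynamic truncation (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """What the authenticator app computes from its own clock.

    Unix time counts seconds since 1970-01-01 UTC, so the local time zone
    never enters the calculation.
    """
    return hotp(secret, unix_time // STEP, digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """What the service computes: accept its current step and +/- `window` steps."""
    if not (code.isascii() and code.isdigit()):
        return False
    counter = server_time // STEP
    ok = False
    for delta in range(-window, window + 1):
        # compare_digest keeps the comparison time independent of the digits
        ok |= hmac.compare_digest(hotp(secret, counter + delta), code)
    return ok


if __name__ == "__main__":
    server_now = 59  # constructed server clock, in Unix seconds
    print(verify(SECRET, totp(SECRET, server_now), server_now))       # clocks agree
    print(verify(SECRET, totp(SECRET, server_now + 25), server_now))  # small drift
    print(verify(SECRET, totp(SECRET, 1111111109), server_now))       # wrong clock
```

A production verifier would also remember the last accepted time step for each account so that a code cannot be used twice.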

How Attackers Can Bypass MFA

There are several ways attackers can bypass MFA, including hacking your phone and prompt bombing.

If you receive a code via text message, cybercriminals can access that code if they’ve hacked your phone using a SIM swap. In this scenario, a hacker could employ any number of methods to change a victim’s phone number so that any subsequent messages or phone calls – for instance, one with an MFA code – would be redirected to the new phone. That’s one reason experts are increasingly urging a move away from SMS.

If you use an authentication app on your phone, be aware of prompt bombing. This often takes the form of receiving multiple notifications to confirm MFA with a touch of a button on your phone, but not always.

Methods of prompt bombing include:

  • Sending a bunch of MFA requests and hoping you finally accept one to make the noise stop.
  • Sending one or two prompts per day. This method often attracts less attention, but still increases the odds that you’ll accept the request.
  • Calling you, pretending to be part of your company or tech support, and telling you they need to send an MFA request as part of a company process.
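For anyone who reviews sign-in logs for a business, the first two patterns above can be looked for directly. The following is an added example, not part of the original article: the event format, user names and thresholds are all assumptions made for illustration, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them to your own baseline.
BURST_COUNT, BURST_WINDOW = 5, timedelta(minutes=10)
DRIP_DAYS, DRIP_WINDOW = 3, timedelta(days=7)
APPROVE_GAP = timedelta(hours=24)

# Constructed sample events in a hypothetical format: (time, user, prompt result)
EVENTS = [
    ("2024-03-01T02:00:00", "alice", "denied"),
    ("2024-03-01T02:01:00", "alice", "timeout"),
    ("2024-03-01T02:02:00", "alice", "denied"),
    ("2024-03-01T02:03:00", "alice", "timeout"),
    ("2024-03-01T02:04:00", "alice", "denied"),
    ("2024-03-01T02:05:00", "alice", "approved"),
    ("2024-03-01T09:00:00", "bob", "timeout"),
    ("2024-03-02T14:00:00", "bob", "timeout"),
    ("2024-03-04T08:30:00", "bob", "denied"),
    ("2024-03-01T08:00:00", "carol", "timeout"),
    ("2024-03-01T08:01:00", "carol", "approved"),
]


def detect(events):
    """Return {user: set of findings} for users whose prompts match a pattern."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((datetime.fromisoformat(ts), result))
    findings = {}
    for user, rows in by_user.items():
        unapproved = [t for t, r in rows if r != "approved"]
        found = set()
        for i, start in enumerate(unapproved):
            later = unapproved[i:]
            if sum(t - start <= BURST_WINDOW for t in later) >= BURST_COUNT:
                found.add("burst")
            if len({t.date() for t in later if t - start <= DRIP_WINDOW}) >= DRIP_DAYS:
                found.add("slow-drip")
        # An approval soon after a flagged pattern is the case to investigate first.
        if found and any(r == "approved" and timedelta(0) < t - u <= APPROVE_GAP
                         for t, r in rows for u in unapproved):
            found.add("approved-after-prompts")
        if found:
            findings[user] = found
    return findings


if __name__ == "__main__":
    for user, found in sorted(detect(EVENTS).items()):
        print(user, sorted(found))
```

A single missed prompt followed by an approval, as with the sample user carol, is ordinary behaviour and is not flagged.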

There are even phishing toolkits that can be used in man-in-the-middle attacks to sneak past authentication protections. This is yet another reason to be extra careful with the emails and texts you open and the sites you visit.

If You Suspect an MFA Scam

Only confirm MFA if you’re initiating the sign-in. If you receive an MFA notification for an account you’re not trying to sign in to, immediately change your password for that account.

Why Using MFA is Worth It

It’s estimated that implementing MFA can block 99% of automated attacks. Yes, using MFA adds an extra step and can be frustrating. Still, the minor inconvenience far outweighs the time and expense of recovering from a major loss.

Use MFA on every online account you can, including social media, password managers, financial services, Microsoft, Google, email, and even shopping and online commerce accounts where you’ve saved a credit card number.

If nothing else, the extra effort to try and defeat MFA may cause an attacker to choose someone else. That alone makes it worth it.

If you’d like to know more about how CRU Solutions can help keep your business safer, contact us.

FAQs

Why You Should Use Multi-Factor Authentication (MFA)?

By discovering one password, access can potentially be gained to multiple accounts for which you might have reused the password. Multi-factor authentication acts as an additional layer of security to prevent unauthorized users from accessing these accounts, even when the password has been stolen.

Why should you use multi-factor authentication (MFA)?

In addition to protecting against security weaknesses or compromised login information, enabling MFA also helps protect online accounts from phishing attempts. A phishing attempt is an email that tries to obtain confidential information like credit card numbers, usernames or passwords.

Why is multi-factor authentication (MFA) a more secure alternative with regard to digital safety?

By combining multiple factors and verifying the identity of the user for each one, MFA helps to ensure that only legitimate users are accessing sensitive areas. MFA is being widely adopted by more and more services and platforms, to ensure data protection and reduce the risk of data breaches.

Why is it a good idea to use two-factor authentication?

2FA is essential to web security because it immediately neutralizes the risks associated with compromised passwords. If a password is hacked, guessed, or even phished, that's no longer enough to give an intruder access: without approval at the second factor, a password alone is useless.

What is the justification for multi-factor authentication?

Multi-factor authentication (MFA) makes your data harder for cybercriminals to steal. It only allows access to a service when you present two or more forms of authentication, reducing the possibility of an attacker compromising an account.

Why is multi-factor authentication more secure than single-factor authentication?

With multi-factor authentication, users are required to provide more than one piece of verifiable information to authenticate. MFA was designed to add additional layers of security to sensitive information. Note that 2FA is also considered MFA because more than one credential is required to sign on.

How does MFA help keep your account safe?

It was developed to add extra security steps to the login process, to keep your accounts safe. It means that users are properly verified before they can gain access to accounts. MFA uses multiple different categories of validation to verify users' identity, more than the two commonly used for most accounts.

Why do you think MFA works better than traditional styles of authentication?

MFA adds an extra layer of protection by requiring additional verification factors, making it much more difficult for attackers to gain unauthorized access to your accounts or systems. Moreover, with the rise of remote work and cloud computing, the need for robust authentication measures has become even more critical.

Will enabling multi-factor authentication (MFA) increase your secure score?

The security control that contributes the most to your secure score is Enable MFA. The following recommendations in the Enable MFA control ensure you're meeting the recommended practices for users of your subscriptions: Accounts with owner permissions on Azure resources should be MFA enabled.

What is better than multi-factor authentication?

Passwordless authentication is typically considered faster and more convenient than MFA. Users don't have to commit passwords to memory and only have to use one method of authentication.

What is the benefit of factor authentication?

The primary objective of multi-factor authentication is to reduce the risk of account takeovers and provide additional security for users and their accounts. Since over 80% of cyber breaches happen due to weak or stolen passwords, MFA can provide added layers of security necessary to protect users and their data.

How does two-factor authentication help protect you more?

2FA protects against phishing, social engineering and password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials. This dramatically improves the security of login attempts.

How effective is multi-factor authentication?

And even if you have a complex password, bad cyber actors unfortunately still have ways of getting past it. Using Multi-Factor Authentication (MFA) is a powerful way to protect yourself and your organization. The use of MFA on your accounts makes you 99% less likely to be hacked.

What is the objective of using multi-factor authentication?

The goal of MFA is to create a layered defense that makes it more difficult for an unauthorized person to access a target, such as a physical location, computing device, network or database.

Why is MFA important for your business?

By implementing MFA, you add extra layers of verification, significantly reducing the risk of unauthorized access and data breaches. MFA enhances business security by securing sensitive information, preventing unauthorized access, and mitigating password-related attacks.

What are the benefits of MFA and SSO?

How do MFA and SSO improve overall security? MFA adds layers of verification, making unauthorized access harder, while SSO reduces password vulnerabilities and enhances convenience.

What is the reason access requires MFA?

To help partners protect their businesses and customers from identity theft and unauthorized access, we activated more security safeguards for partner tenants. These safeguards mandate and verify MFA. Mandating MFA helps partners to secure their access to customer resources against credentials compromise.

Author: Catherine Tremblay
