2019-10-14

Is Multi-Factor Authentication Being Defeated?

Jenny Pihl

"FBI issues a new cyber attack warning," writes Zak Doffman for Forbes Media, October 7, 2019. Until now, Multi-Factor Authentication has been considered the top defense against similar cyber attacks. Even Microsoft states that they block 99% of enterprise account hacks. To learn more about this, we asked Truesec's identity guru Hasain Alshakarti to clarify a few things.

Hasain, you are always up to date with the latest security issues. Is Multi-Factor Authentication (MFA) really outdated?

No, attackers will try to find an easier path to the target when the authentication method is hardened with MFA. They will effectively bypass the hardened attack surface by targeting the user using other methods.

Hasain Alshakarti, security expert at Truesec

What's your opinion about MFA? Pros and cons?

MFA effectively prevents a large number of password-related attacks, making it virtually impossible to abuse user credentials without user interaction. Phishing, spearphishing, keyloggers, credential stuffing, brute force, and other attacks get more difficult to impossible to perform as MFA adds additional layers of security.

The main difficulties with MFA are the need for yet another device, application, or other sensors as well as the added cost of these components. Furthermore, organizations with multiple types of users will most often be forced to use a combination of methods to provide MFA to different types of users.

When evaluating the user experience, we often find users describing MFA as bothersome and unfriendly due to the added number of factors required to perform an authentication.

What's your key takeaway from the FBI's warning?

MFA is just one layer of security and we need to work with different layers to provide prevention against highly sophisticated and persistent cyber-attacks. Another important action is to secure all possible access methods with MFA or equivalent protections.

How do you work with clients to implement MFAs or similar identity solutions?

Different needs require different solutions and we know that using risk detection to trigger additional MFA factors is a very effective method to make MFA less bothersome. The dynamic model helps to educate the users to understand risky behaviors as well as make MFA more friendly with a high level of security and ability to detect attacks. It's important to understand the requirements together with our clients and evaluate the different options to find the best working combinations of security and user-friendliness.

Thank you so much for your answers and sharing your knowledge, Hasain!

If you want to continue discussing this matter with Hasain, connect on social media: @alshakarti on Twitter, or connect on LinkedIn.
