Multi-Factor Authentication (MFA)

Protect Your Accounts

The simplest and most important thing you can do to protect your accounts from being hacked is to use multi-factor authentication (MFA).

One of the most common ways that cyber criminals get into computer networks is by guessing or stealing passwords. As long as the password is a real one, most systems treat the login as legitimate and grant access, no matter how weak the password was or how it was obtained.

With MFA, a password on its own is not enough: whoever is logging in also needs a second factor, such as a code sent by SMS, a code generated by an authenticator app, or a hardware security key. Without that second factor the system refuses the login, so someone who has only stolen the password cannot get into the account.

Multi-Factor Vulnerabilities

MFA is a very effective way to protect access to your accounts, but recently there has been an increase in attacks that try to get past the additional authentication step that MFA adds. Many organisations are not sufficiently protected against attempted account takeovers, including those that evade MFA. In the past year alone, 10,000 organisations were targeted according to Microsoft.

One technique hackers use to work around MFA is what is called an 'adversary-in-the-middle' attack. It combines a phishing attack with a proxy server placed between the victim and the site they are trying to log in to. Because the victim's real login passes through the proxy, the attackers can capture both the password and the session cookie, which lets them use the account without facing the additional security step themselves, in this case to steal emails. From the user's point of view it still looks as though they have logged in to their account as usual. The attacker ends up holding an authenticated session on your behalf, regardless of which method you used to authenticate.

Attackers are bypassing multi-factor authentication essentially by stealing the cookies of an active session rather than attacking the MFA itself. While multi-factor authentication is usually a solid defence (and much better than passwords alone), these cases show that it is not infallible.
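Since the stolen cookie, not the second factor, is what the attacker presents, one defensive check is to watch for a session that completed MFA from one client and is then used from a different network location or browser. The example below is added here and is not part of the original article; the JSON-lines event format, field names and sample records are constructed for illustration.

```python
"""Flag session cookies that are presented from a client other than the one
that completed MFA. Added example; the event format below is an assumption."""
import json
from collections import defaultdict

# Constructed sample events (documentation IP ranges, private ASNs).
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T09:00:00Z", "event": "mfa_success", "user": "alice", "session": "s1", "ip": "203.0.113.10", "asn": "AS64500", "ua": "Firefox/125"}
{"ts": "2024-05-01T09:00:05Z", "event": "request", "user": "alice", "session": "s1", "ip": "203.0.113.10", "asn": "AS64500", "ua": "Firefox/125"}
{"ts": "2024-05-01T09:04:00Z", "event": "request", "user": "alice", "session": "s1", "ip": "198.51.100.77", "asn": "AS64501", "ua": "Chrome/124"}
{"ts": "2024-05-01T10:00:00Z", "event": "mfa_success", "user": "bob", "session": "s2", "ip": "192.0.2.5", "asn": "AS64502", "ua": "Safari/17"}
{"ts": "2024-05-01T10:01:00Z", "event": "request", "user": "bob", "session": "s2", "ip": "192.0.2.5", "asn": "AS64502", "ua": "Safari/17"}
"""

FINGERPRINT_FIELDS = ("ip", "asn", "ua")


def parse_events(text):
    """Parse one JSON object per line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_hijacked_sessions(events):
    """Return {session_id: [alerts]} for sessions whose cookie is later used
    from a client fingerprint that differs from the one recorded at MFA time.

    Caveat: if the attacker replays the cookie through the same proxy that
    relayed the victim's login, the fingerprints can match; this catches the
    common case where the stolen cookie is used from the attacker's own client.
    """
    origin = {}                 # session id -> fingerprint seen at mfa_success
    alerts = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        fp = tuple(ev[f] for f in FINGERPRINT_FIELDS)
        if ev["event"] == "mfa_success":
            origin[sid] = fp    # bind the session to the client that did MFA
        elif ev["event"] == "request" and sid in origin:
            changed = [f for f, a, b in zip(FINGERPRINT_FIELDS, origin[sid], fp) if a != b]
            if changed:
                alerts[sid].append({"user": ev["user"], "ts": ev["ts"],
                                    "changed": changed,
                                    "mfa_client": origin[sid], "seen_client": fp})
    return dict(alerts)


if __name__ == "__main__":
    for sid, hits in find_hijacked_sessions(parse_events(SAMPLE_EVENTS)).items():
        print(sid, hits)
```

A session flagged this way is a candidate for forced re-authentication or revocation rather than automatic lockout, since legitimate users also change networks.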

Although MFA adds an extra layer of security, it should not be viewed as a bulletproof shield against traditional and advanced phishing attacks. Sometimes gaining access to a phone number or email address is enough to bypass multi-factor authentication. This can be done by tricking or manipulating a person, even when the technology is trying to protect them.

It is also possible for an attacker to obtain the one-time codes themselves. For example, with SMS verification many people are required to input a code that is sent by text to their phone. In some cases the user is persuaded to read the code out over the phone or to type it into a website controlled by the attacker.

Cyber criminals can also spoof services that ask for a code, such as SMS verification. Another way hackers bypass MFA is with trojan malware that watches the user, captures the code as it is entered, and then uses it to get into the account, at which point the hacker has full access to the user's information.

The Future of MFA

According to a new study, almost 96% of all passwords are vulnerable to hacking. Even when a password has been compromised, multi-factor authentication still significantly cuts down on attempted hacks, stopping around two-thirds of them. And as AI becomes more advanced, protecting your account with a second layer of security becomes more important, not less.

However, technology can only do so much, and we must prepare for the possibility of people being manipulated. This matters because more of what we do is moving to cloud services, and people remain inherently vulnerable unless they are properly educated about the risks.

Hardware-based two-factor authentication is the next step in securing your online accounts. It uses physical tokens to provide a higher level of security than traditional MFA solutions.
