Phishing, man-in-the-middle and key logging malware can now foil SMS/mobile- or password-based authentication systems. Time to bust some MFA myths!

Despite the ever-increasing volume of cyberattacks, many organizations are still using legacy authentication methods, such as passwords or mobile-based authenticators, to secure access to sensitive applications and data.

However, as the methods used by cybercriminals become more sophisticated, legacy methods will not offer the best security. Receiving a personal identification number (PIN) or passcode via SMS; or simply using usernames with passwords alone, is highly susceptible to phishing attacks, man-in-the-middle attacks, and account takeovers.

Furthermore, these methods do not offer the best user experience and are not phishing-resistant. The belief that mobile authentication is secure is a key misconception related to mobile-based authenticators. While using them is better than having no two-factor authentication (2FA) or multi-factor authentication (MFA), the reality is that mobile authenticators can still be phished, even if some are more secure than others.

MFA myths

It is time for more organizations to step back and ask: are current authentication methods as secure as they should be? Are they phishing resistant? What is it really costing the organization? 

The immediate impact of the pandemic may have caused organizations to choose the quickest route to get users set up with 2FA/MFA, leveraging mobile authentication methods such as SMS-based one-time passwords (OTP) or authenticator apps because they were easy to deploy and supported by the ubiquity of mobile devices.

Yet today, organizations continue to experience cyberattacks that penetrate their defenses. What is happening? How is it that organizations are spending more to support 2FA and MFA without a net benefit in security? Here are the facts:

  • Research by Yubico has found that the average firm lost US$5.2m annually in productivity due to account lockouts; and password costs such as these only represent the first factor in 2FA and MFA.  While mobile authentication is inexpensive to roll out, most organizations can experience hidden costs, productivity losses, and support issues.
  • For example, if you are requiring your employees to use mobile-based MFA, you may have to take on the costs for that device; recurring service costs; enterprise device management software and more.
  • Phishing attacks are not always obvious. In fact, most employees have no idea that they have been phished or that credentials have been successfully intercepted because there are convincing emails such as those that  request you to log in or reset login details on sites that look legitimate, but are far from it. Modern phishing attacks can intercept username and password combinations as well as an OTP.
  • It may seem far-fetched, but few organizations are aware of the fact that SMS-based OTP only blocks about 76% of today’s targeted attacks. In fact, only 22% of respondents surveyed by Yubico were aware that security issues such as these even existed with SMS-based authentication. 

A hard solution may be the key

With the myths around the security of mobile-based MFA now made clear, a long-term strategy is needed that recognizes the importance of security, cost, and user experience, among other factors.

Whether an organization company is already using mobile authentication or is actively considering authentication solutions to strengthen security, it is important to understand that MFA is a spectrum and that not all MFA is created equal. 

Legacy authentication methods such as usernames and passwords do not offer much in the way of security, and actually come with a pretty hefty support cost (Forrester estimates US$1m).

One alternative solution that supports strong 2FA, MFA, and passwordless authentication while offering better cybersecurity and user experience is hardware-based solutions supporting USB-A, USB-C, Lightning connectors and even NFC and Bluetooth.

Until the world moves away from legacy mobile-based MFA solutions or finds ways to plug the security gaps, businesses may have to look for hardware alternatives to ensure that every user and customer is always protected.