KnowBe4
By Roger A. Grimes, Data-Driven Defense Evangelist, KnowBe4
The average person thinks that using multifactor authentication (MFA) makes them significantly less likely to be hacked. It is simply not true! Ninety to ninety-five percent of MFA can be bypassed with a simple phishing email that was no harder to construct than a phishing email that steals passwords.
U.S. Government Says To Use Phishing Resistant MFA
Since at least 2017, the U.S. government, in NIST Special Publication 800-63, the Digital Identity Guides, and again in U.S. Presidential Executive orders in 2021 and 2022, have said no one should be using easily phishable MFA, yet most people do.
Here is an example of a more recent U.S. government warning. It is pretty clear. In a clarifying memo to President Biden's 2021 executive order #14028, the government states:
"For routine self-service access by agency staff, contractors and partners, agency systems must discontinue support for authentication methods that fail to resist phishing, such as protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications."
On May 17 of this year, CISA, in Alert (AA22-137A), Weak Security Controls and Practices Routinely Exploited for Initial Access stated:
"Implement MFA. In particular, apply MFA on all VPN connections, external-facing services, and privileged accounts. Require phishing-resistant MFA (such as security keys or PIV cards) for critical services."
So, there you go. The U.S. government, over and over, is telling its agencies, and really, the whole world, "Stop using any MFA solution that is overly susceptible to phishing, including SMS-based, voice calls, one-time passwords (OTP) and push notifications!"
Unfortunately, easily hackable, easily phishable MFA is the vast majority of MFA used today.
To be clear, there are more resilient types of MFA, and everyone should be using those when they can (if they have a choice). But for reasons that are not clear, the most popular solutions are the most hackable ones.
I wrote a book on hacking MFA called, straight to the point, Hacking Multifactor Authentication. In it, I discuss over 50 ways to hack MFA. I (and really, anyone) can hack any MFA solution, even the best and most secure solution, at least a handful of different ways. Most can be hacked over 10 ways.
I will be presenting a bunch of ways, including recorded hacking demos, how most MFA solutions can be easily hacked, on August 10, 2022, at Black Hat U.S. from 12:40-1:30 p.m. Come see how your favorite, most popular MFA solution can be easily hacked and which MFA solutions are more resilient to attacks.
Other Related Articles by the Author
Don't Use Easily Phishable MFA and That's Most MFA!
www.linkedin.com/pulse/dont-use-easily-phishable-mfa-thats-most-roger-grimes
My List of Good, Strong MFA
www.linkedin.com/pulse/my-list-good-strong-mfa-roger-grimes
U.S. Government Says to Avoid Phishing-Resistant MFA and Why Is the Majority of Our MFA So Phishable?
www.linkedin.com/pulse/why-majority-our-mfa-so-phishable-roger-grimes and blog.knowbe4.com/u.s.-government-says-to-avoid-phishing-resistant-mfa