I’m excited to announce the release of my 12th book, Hacking Multifactor Authentication.
Most people think using multi-factor authentication (MFA) makes them impervious to hacking, but that simply isn't true. The book covers over 50 ways to hack MFA, including many as simple as a phishing email. The book begins by explaining why passwords are so bad and why MFA is supposedly coming to the rescue. It then covers all the ways anyone can hack various MFA products. Any MFA solution can be hacked at least 4-5 ways, and most over ten ways. If you've been told or read that using MFA makes you far less likely to be hacked, you've been lied to. MFA is good, but if you've been told you can relax your defenses, you'll be worse off in the end.
The book discusses how MFA works behind the scenes, how it can be hacked, and what developers and end-users can do to make their MFA solution as resistant to hacking as possible. It covers all the various types of MFA solutions, gives a framework for threat modeling and penetration testing various MFA software and hardware, and gives a checklist anyone can use to help them pick the right MFA solution for their organization. It even covers when additional security is too much security and picks winners and losers in the MFA world. Hacking Multifactor Authentication is the first book to focus solely on MFA and its security, including all of its strengths and weaknesses. It cuts away the marketing hype and will make any reader an MFA security expert.
To be clear, MFA does significantly cut down on many types of hacking. For example, if you don't have a password (and use MFA instead), any phishing attack asking for your password is not going to work. But there is a huge difference between saying that MFA makes many forms of hacking less likely to succeed and saying that MFA makes it unlikely you'll be hacked. In fact, once hackers know you use MFA, you can be tricked even more easily if you aren't aware of the potential attack types. The key to using MFA correctly is to make sure you use a good MFA implementation and solution, and to educate the end-users about the various types of attacks against them that may still succeed. A security-educated user is a better and more secure user.
Check out my LinkedIn article here. Happy Reading!