Most organizations are still using weak forms of multi-factor authentication (MFA), a survey by Nok Nok has found. These forms of MFA can be bypassed if an employee falls for a social engineering attack.
“72% of organizations still use phishable MFA factors for their customer-facing applications,” the researchers write. “The cost and risk of lost or stolen data, business, and funds from compromised accounts is motivating organizations to make MFA mandatory for their customers. Unfortunately, they haven’t gone far enough and still rely on the weakest forms of phishable MFA: SMS and one-time email codes.”
The survey also found that more than three-quarters of organizations fell victim to account compromises over the past year.
“76% of organizations experienced multiple account or credential compromises over the past 12 months,” the researchers write. “Organizations face a multitude of disparate attack vectors targeting weak authentication methods. Unfortunately, organizations are still not prepared to respond to account or credential compromise, and thus multiple incidents have become the norm.”
Because attackers can brute-force passwords, organizations have adopted MFA, and attackers are now focused on defeating the multi-factor layer itself.
“With the availability of low cost cloud CPUs to crack passwords and the prevalence of known accounts/passwords, organizations recognize that passwords are not secure,” the researchers write. “The survey revealed that traditional authentication methods, such as passwords, are not effective in the face of evolving cyber threats [this seems like a conclusion that has already been proven over the past decade]. Moreover, legacy multifactor authentication (MFA) such as SMS, one time password (OTP) or email codes, has proven to be susceptible to social engineering and phishing attacks, while introducing user friction and degrading the user experience.”
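The reason SMS, email and OTP codes count as "phishable" is that the verifier only ever sees the code; nothing ties the code to the site the user typed it into, so a code entered on a lookalike page verifies just as well when relayed to the real one. A phishing-resistant factor binds the proof to the origin the browser reports, so a proof produced on a lookalike origin fails at the real site. The following Python script is an added illustration, not code from Nok Nok or the survey: the HOTP-style code follows RFC 4226 truncation, while the origin-bound assertion is a simplified HMAC stand-in for the asymmetric signature a FIDO/WebAuthn authenticator would produce (real authenticators sign a hash of client data that includes the origin). All seeds, keys and origins are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo secrets and origins; a real deployment has per-user, per-credential keys.
OTP_SEED = b"constructed-demo-otp-seed"
DEVICE_KEY = b"constructed-demo-device-key"
LEGIT_ORIGIN = "https://login.example.com"          # constructed
LOOKALIKE_ORIGIN = "https://login-example.com"      # constructed lookalike, only to show the check fails


def one_time_code(seed: bytes, counter: int) -> str:
    """HOTP-style 6-digit code (RFC 4226 dynamic truncation), shared-secret based."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def verify_code(seed: bytes, counter: int, submitted: str) -> bool:
    """Code verification takes no origin: the server cannot tell where the user typed it."""
    return hmac.compare_digest(one_time_code(seed, counter), submitted)


def sign_challenge(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified stand-in for an authenticator assertion: the proof covers the origin
    the browser reports, so it is only valid for that origin."""
    return hmac.new(device_key, origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()


def verify_assertion(device_key: bytes, challenge: bytes, expected_origin: str, assertion: bytes) -> bool:
    """The relying party verifies against its own origin, never the one the client claims."""
    expected = sign_challenge(device_key, challenge, expected_origin)
    return hmac.compare_digest(expected, assertion)


def phishability_report() -> dict:
    """Compare how each factor behaves when the proof is produced on a lookalike origin
    and relayed unchanged to the legitimate site."""
    counter = 42
    # One-time code: produced for the lookalike page, relayed to the real verifier.
    relayed_code = one_time_code(OTP_SEED, counter)
    otp_relayed_accepted = verify_code(OTP_SEED, counter, relayed_code)

    # Origin-bound factor: the proof made on the lookalike origin does not verify at the real one.
    challenge = secrets.token_bytes(32)
    relayed_assertion = sign_challenge(DEVICE_KEY, challenge, LOOKALIKE_ORIGIN)
    bound_relayed_accepted = verify_assertion(DEVICE_KEY, challenge, LEGIT_ORIGIN, relayed_assertion)

    # Sanity check: the same factor works when the user is really on the legitimate site.
    direct_assertion = sign_challenge(DEVICE_KEY, challenge, LEGIT_ORIGIN)
    bound_direct_accepted = verify_assertion(DEVICE_KEY, challenge, LEGIT_ORIGIN, direct_assertion)

    return {
        "otp_relayed_accepted": otp_relayed_accepted,        # True: the code is phishable
        "bound_relayed_accepted": bound_relayed_accepted,    # False: origin mismatch
        "bound_direct_accepted": bound_direct_accepted,      # True: legitimate login still works
    }


if __name__ == "__main__":
    for factor, accepted in phishability_report().items():
        print(f"{factor}: {accepted}")
```

When assessing an MFA rollout, the question to ask of each factor is the one `verify_assertion` answers and `verify_code` cannot: does the proof fail when it is produced for a different origin? SMS, email and app-generated codes all answer "no", which is why the survey classes them as phishable.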
While any form of multifactor authentication is better than nothing, organizations need to be aware that their employees are vulnerable to phishing attacks. New-school security awareness training can give your organization an essential layer of defense by teaching your employees how to recognize social engineering tactics.