Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Most Organizations Using Weak Multifactor Authentication

    Phishable Methods MFAMost organizations are still using weak forms of multi-factor authentication (MFA), a survey by Nok Nok has found. These forms of MFA can be bypassed if an employee falls for a social engineering attack.

    “72% of organizations still use phishable MFA factors for their customer-facing applications,” the researchers write. “The cost and risk of lost or stolen data, business, and funds from compromised accounts is motivating organizations to make MFA mandatory for their customers. Unfortunately, they haven’t gone far enough and still rely on the weakest forms of phishable MFA: SMS and one-time email codes.”

    The survey also found that more than three-quarters of organizations fell victim to account compromises over the past year.

    “76% of organizations experienced multiple account or credential compromises over the past 12 months,” the researchers write. “Organizations face a multitude of disparate attack vectors targeting weak authentication methods. Unfortunately, organizations are still not prepared to respond to account or credential compromise, and thus multiple incidents have become the norm.”

    Attackers can use brute force attacks to guess passwords, so they’re now focused on defeating multifactor authentication.

    “With the availability of low cost cloud CPUs to crack passwords and the prevalence of known accounts/passwords, organizations recognize that passwords are not secure,” the researchers write. “The survey revealed that traditional authentication methods, such as passwords, are not effective in the face of evolving cyber threats [this seems like a conclusion that has already been proven over the past decade. Moreover, legacy multifactor authentication (MFA) such as SMS, one time password (OTP) or email codes, has proven to be susceptible to social engineering and phishing attacks, while introducing user friction and degrading the user experience.”

    While any form of multifactor authentication is better than nothing, organizations need to be aware that their employees are vulnerable to phishing attacks. New-school security awareness training can give your organization an essential layer of defense by teaching your employees how to recognize social engineering tactics.

     

    Return To KnowBe4 Security Blog

    12+ Ways to Hack Multi-Factor Authentication eBook

    All multi-factor authentication (MFA) mechanisms can be compromised, and in some cases, it's as simple as sending a traditional phishing email. Want to know how to defend against MFA hacks? This eBook covers over a dozen different ways to hack various types of MFA and how to defend against those attacks. 

    12 Ways MFA EBookYou will learn more about:

    • Two-factor authentication basics
    • How to hack two-factor authentication
    • How to best protect your organization from cybercriminals

    Get the eBook

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://info.knowbe4.com/12-way-to-hack-two-factor-authentication

    Topics: Social Engineering, Phishing, MFA

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews