We’ve written a lot about multi-factor authentication (MFA) not being the Holy Grail to prevent phishing attacks, including here:
- Many Ways To Hack MFA
- Innovative Way to Bypass MFA Using Microsoft WebView2 Is Familiar Nevertheless
- U.S. Government Says To Use Phishing-Resistant MFA
We also have an eBook, 12+ Ways to Hack Multi-Factor Authentication as well as several webinars on the subject including the latest: Hacks That Bypass Multi-Factor Authentication and How to Make Your MFA Solution Phishing Resistant.
Most MFA is Easily Phishable
Many people are shocked when we show them how easy it is to bypass or hack most MFA solutions. In the majority of cases, it’s as easy to do as phishing a password. Here’s a good example video demonstrating how easy it is to phish past most MFA solutions.
Use Phishing-Resistant MFA When You Can
So, our advice is to use PHISHING-RESISTANT MFA and not just ANY MFA, whenever possible. Actually, it’s not just our advice. The US government has been saying not to use easily phishable MFA at least since 2017. Presidential executive orders in 2021 and 2022 have again reinforced the idea that no one should be using easily phishable MFA.
Despite this, perhaps 90% to 95% of the MFA in use today is easily phishable. The ultimate solution is to upgrade or move to phishing-resistant MFA when you can. KnowBe4’s Data-Driven Defense Evangelist, Roger A. Grimes, keeps an up-to-date list of every MFA solution and type he is aware of that is phishing-resistant. Use one of those phishing-resistant MFA solutions if you can.
But if you already have a phishable MFA solution, it is usually not easy to replace it with a phishing-resistant one. You have what you have, or what you use is forced on you by a vendor or service you want to do business with. Much of the time, when you have phishable MFA, you can’t easily upgrade or replace it.
What to Do?
So, what’s a person or organization supposed to do if they have easily phishable MFA and can’t simply change it?
Education!
No matter what type of MFA solution you have or use, easily phishable or not, there are ways to hack and get around it. Nothing is unhackable, not even the strongest, most secure form of MFA. So, the solution is to educate yourself and all other stakeholders, especially end-users, about the following topics:
- How to correctly use the MFA solution
- Strengths and weaknesses of the MFA solution
- The common possible attacks for that type of MFA and how to detect and prevent
- What to do during rogue hacking attempts (i.e., defeat and report it)
- What MFA does and doesn’t prevent
For example, if your MFA solution is susceptible to Man-in-the-Middle attacks like the one shown here, make sure everyone you manage who uses it is aware that they still have to check that URL links sent to them are legitimate before clicking. In that attack the rogue site sits between the user and the real login page and relays the genuine MFA challenge, so the MFA step succeeds and the attacker ends up holding the authenticated session. This may sound like common sense, but you’d be surprised how many end-users think that their MFA solution explicitly protects them against rogue phishing links, and that belief can be dangerous.
Be sure to tell your end-users what to do if they detect an attempt to bypass or hack their MFA solution. You’d be surprised how many users recognize and ignore an attack but never report it. That is dangerous to the organization: it could be undergoing a concerted spear phishing attack while no one is telling IT.
As another example, if your organization uses push-based MFA, make sure that all users are explicitly trained not to approve authentication prompts for logons they themselves did not initiate. You would think you would not need to teach end-users this, but you would be wrong. Some studies have shown that up to 30% of end-users of push-based MFA will approve a logon prompt even when they are not actively logging in.
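Training is the first line of defense, but the "detect and prevent" item above also has a technical side: the push-bombing pattern (a burst of prompts the user did not request, often ending in a tired "Approve") shows up clearly in the identity provider's authentication log. The script below is an added example written for this post, not code from the original article or from any vendor. It reads a constructed JSON-lines log whose field names (`ts`, `user`, `result`, `src_ip`) are a generic stand-in for a push-MFA audit record, flags any user who receives more than a threshold of prompts inside a ten-minute window, and raises the severity when an approval follows several refusals, which is exactly the 30% case described above.

```python
"""Detect push-MFA prompt bombing in authentication logs.

Added example for this post, not code from the original article. It flags users
who receive a burst of push prompts in a short window and raises severity when
an approval follows several refusals (the "user eventually tapped Approve" case).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables (assumptions; adjust to your IdP's normal prompt volume).
WINDOW = timedelta(minutes=10)   # look-back window that defines a burst
THRESHOLD = 4                    # prompts within WINDOW that count as a burst
REFUSALS_BEFORE_APPROVAL = 2     # refusals before an approval is treated as fatigue

# Constructed sample log: one JSON record per push prompt and its outcome.
# Field names are a generic stand-in for an IdP's push-MFA audit record, not a vendor schema.
SAMPLE_LOG = """\
{"ts": "2024-03-04T08:00:05Z", "user": "alice", "result": "denied",   "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T08:00:41Z", "user": "alice", "result": "denied",   "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T08:01:20Z", "user": "alice", "result": "timeout",  "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T08:02:02Z", "user": "alice", "result": "denied",   "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T08:02:45Z", "user": "alice", "result": "approved", "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T08:05:00Z", "user": "bob",   "result": "approved", "src_ip": "198.51.100.20"}
{"ts": "2024-03-04T08:10:00Z", "user": "carol", "result": "timeout",  "src_ip": "198.51.100.33"}
{"ts": "2024-03-04T08:30:00Z", "user": "carol", "result": "approved", "src_ip": "198.51.100.33"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts, converting 'ts' to an aware datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def _burst_summary(user, burst):
    """Summarise one burst; an approval after repeated refusals is the fatigue signal."""
    refusals_seen = 0
    approved_after_refusals = False
    for e in burst:
        if e["result"] in ("denied", "timeout"):
            refusals_seen += 1
        elif e["result"] == "approved" and refusals_seen >= REFUSALS_BEFORE_APPROVAL:
            approved_after_refusals = True
    return {
        "user": user,
        "prompts": len(burst),
        "refusals": refusals_seen,
        "approved_after_refusals": approved_after_refusals,
        "severity": "high" if approved_after_refusals else "medium",
        "src_ips": sorted({e["src_ip"] for e in burst}),
        "window_start": burst[0]["ts"].isoformat(),
        "window_end": burst[-1]["ts"].isoformat(),
    }


def detect_push_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user whose largest prompt burst within `window` reaches `threshold`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e["ts"])
        best = []
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until every event in it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            burst = evs[start:end + 1]
            # Keep the largest burst; on ties the later one wins so a trailing approval is included.
            if len(burst) >= max(threshold, len(best)):
                best = burst
        if best:
            alerts.append(_burst_summary(user, best))
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run against the sample log, only `alice` is flagged: five prompts in under three minutes, four refusals, then an approval, so the alert is `high`. `carol`'s timeout followed by an approval twenty minutes later stays below the window and is left alone, which is the sort of ordinary mis-tap you do not want paging the SOC. A `high` alert is the cue to treat the approval as a compromised session (revoke it, reset the factor) and to follow up with the user, since they are also the person who most needs the training described above.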
Never assume your end-users understand MFA as well as you do and will always react appropriately in the face of a hacking attack. Education is the key to reducing risk, no matter whether you use MFA or not, whether you use easily-phishable or phishing-resistant MFA. When in doubt, educate.
Lastly, if your organization or a vendor is forcing you to use easily phishable MFA, pressure them to move to phishing-resistant forms. That, too, takes education. Most organizations and vendors are not aware of how easily most of today’s MFA solutions can be phished and bypassed. Educate them. Pressure them. Do whatever you can to get to more phishing-resistant forms of MFA.