Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    So, Your MFA is Phishable, What To Do Next

    KB4-CON-RogerWe’ve written a lot about multi-factor authentication (MFA) not being the Holy Grail to prevent phishing attacks, including here:

    We also have an eBook, 12+ Ways to Hack Multi-Factor Authentication as well as several webinars on the subject including the latest: Hacks That Bypass Multi-Factor Authentication and How to Make Your MFA Solution Phishing Resistant.

    Most MFA is Easily Phishable

    Many people are shocked when we show them how easy it is to bypass or hack most MFA solutions. In the majority of cases, it’s as easy to do as phishing a password. Here’s a good example video demonstrating how easy it is to phish past most MFA solutions.

    Use Phishing-Resistant MFA When You Can

    So, our advice is to use PHISHING-RESISTANT MFA and not just ANY MFA, whenever possible. Actually, it’s not just our advice. The US government has been saying not to use easily phishable MFA at least since 2017. Presidential executive orders in 2021 and 2022 have again reinforced the idea that no one should be using easily phishable MFA.

    Despite this, perhaps 90% to 95% of the MFA used by most people today is easily phishable. Well, the ultimate solution is to upgrade or move to phishing-resistant MFA when you can. KnowBe4’s Data-Driven Defense Evangelist, Roger A. Grimes, keeps an up-to-date list of every MFA solution and type he is aware of that is phishing-resistant. Use one of those phishing-resistant MFA solutions if you can.

    But if you already have a phishable MFA solution, most of the time it is not easy to replace or change to a phishing resistant form. You have what you have. Or what you use is forced upon you by a vendor or service you want to do business with. Much of the time when you have phishable MFA you can’t easily upgrade or replace.

    What to Do?

    So, what’s a person or organization supposed to do if they have easily phishable MFA and can’t simply change it?

    Education!

    No matter what type of MFA solution you have or use, easily phishable or not, there are ways to hack and get around it. Nothing is unhackable, not even the strongest, most secure form of MFA. So, the solution is to educate yourself and all other stakeholders, especially end-users, about the following topics:

    • How to correctly use the MFA solution
    • Strengths and weaknesses of the MFA solution
    • The common possible attacks for that type of MFA and how to detect and prevent
    • What to do during rogue hacking attempts (i.e., defeat and report it)
    • What MFA does and doesn’t prevent

    For example, if your MFA solution is susceptible to Man-in-the-Middle attacks like shown here, make sure everyone using it that you manage is aware that they still have to pay attention to URL links sent to them to make sure they are legitimate. This may sound like common sense, but you’d be surprised how many end-users think that their MFA solution explicitly protects them against rogue phishing links, and that belief can be dangerous.

    Be sure to tell your end-users what to do if they detect an attempt to bypass or hack their MFA solution. You’d be surprised how many users ignore the attack, but don’t report it. That can be dangerous to the organization is it could be undergoing a concerted spear phishing attack and if no one is telling IT.

    Another example, if your organization uses push-based MFA, make sure that all users are explicitly trained not to approve authentication prompts for logons that they themselves are not actively involved in. You would think you would not need to teach end-users this, but you would be wrong. Some studies have shown up to 30% of end-users using push-based MFA will approve a logon prompt even when they are not actively logging in.

    Never assume your end-users understand MFA as well as you do and will always react appropriately in the face of a hacking attack. Education is the key to reducing risk, no matter whether you use MFA or not, whether you use easily-phishable or phishing-resistant MFA. When in doubt, educate.

    Lastly, pressure your organization or vendor, if they are forcing you to use easily phishable MFA to using phishing-resistant forms. That, too, takes education. Most organizations and vendors are not aware of how easy most of today’s MFA solutions can be phished and bypassed. Educate them. Pressure them. Do whatever you can to get to more phishing-resistant forms of MFA.

     

    Return To KnowBe4 Security Blog

    12+ Ways to Hack Multi-Factor Authentication eBook

    All multi-factor authentication (MFA) mechanisms can be compromised, and in some cases, it's as simple as sending a traditional phishing email. Want to know how to defend against MFA hacks? This eBook covers over a dozen different ways to hack various types of MFA and how to defend against those attacks. 

    12 Ways MFA EBookYou will learn more about:

    • Two-factor authentication basics
    • How to hack two-factor authentication
    • How to best protect your organization from cybercriminals

    Get the eBook

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://info.knowbe4.com/12-way-to-hack-two-factor-authentication

    Topics: Phishing, Password Security, MFA

    Roger Grimes

    ABOUT ROGER GRIMES

    Roger A. Grimes is Data-Driven Defense Evangelist at KnowBe4. He is a 30-year computer security professional, author of 13 books and over 1,200 national magazine articles. He frequently consults with international organizations of all sizes and many of the world’s militaries. Grimes regularly presents at national computer security conferences, and is known for his often contrarian, fact-filled viewpoints.

    Read more from Roger »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews