6 min read

Yes, MFA Isn't Perfect. But That's Not a Reason for Your Company Not to Use It

Graham Cluley

October 08, 2019

Yes, MFA Isn't Perfect. But That's Not a Reason for Your Company Not to Use It

When computer users and businesses ask me for a single step they could take to dramatically enhance their security it's easy to answer: enable multi-factor authentication.

Multi-factor authentication (MFA) offers an additional layer of protection for accounts that means even if a criminal manages to phish, guess or crack your password, even if a data breach spills your login credentials, there's a very good chance your account won't be compromised.

The reason is simple: a username and password is no longer enough for a hacker to breach your account.  An account protected with MFA requires additional credentials - such as a time-based one-time passcode generated by a smartphone app.


Multi-factor authentication is a great way to improve your security from some of the most common attacks that are out there, but that's not to say it's perfect.

Sometimes the problems have occurred in the way MFA has been implemented.  For instance, in November 2018, users of MS Office 365 and Azure found themselves locked out of their cloud-based accounts after a goof at Microsoft.

MFA is supposed to keep out people who might have guessed or stolen your password. It’s not supposed to prevent *you* from accessing your account.

Thankfully such implementation failures are unusual and normally short-lived. 

What's perhaps more important to consider is that the use of multi-factor authentication doesn't mean there is no longer a way for hackers to breach your online accounts.

As ZDNet reports, last month the FBI sent a private security advisory to industry partners warning that hacking gangs are circumventing multi-factor authentication solutions.

The Private Industry Notification (PIN) which has since been leaked to the general public, shares a number of examples of organisations who have suffered at the hands of hackers who managed to bypass MFA security.

These include customers of banking institutions who have fallen victim to a SIM swapping attack which saw criminals being sent a one-time code via SMS to a phone under their own control.

Such attacks have seen customers' bank accounts drained, all because an attacker managed to trick a phone company's customer service department through social engineering.

As a result of this growing problem (sometimes known as a port-out scam or SIM hijacking), experts prefer to recommend multi-factor authentication that does not rely upon SMS.

But the problems don't end there.

For instance, in June at the Hack In The Box conference in Amsterdam, researchers demonstrated Muraena and NecroBrowser - two tools that work in tandem to phish users of their login credentials and bypass multi-factor authentication in real-time.

Earlier this year, security researcher Piotr Duszyński demonstrated a tool he had created called Modlishka, which through a man-in-the-middle attack grabbed content from the genuine website that it wished to impersonate – producing a perfect replica.

Not only could Modlishka steal usernames, passwords, and other sensitive information - it could also steal MFA codes.

And as all this data was entered on a server under the control of a criminal, it was simultaneously passed to the genuine site, making it appear to the victim that they had successful logged in as normal.

Such an attack could not only store sensitive data, but also - once authenticated, steal a session cookie to allow hackers to log into the accounts and hijack the accounts for their own purposes.

So, MFA is not perfect.  It can be circumvented.  But it's important to realise that the vast majority of attacks don't go to the much greater effort required to break past multi-factor authentication.

In the vast majority of attacks, a criminal who encounters an account protected by multi-factor authentication will simply move on to their next potential victim rather than try to bypass the security measure.

In short, they are more interested in hacking *someone* than hacking *you*.

The FBI itself emphasises in its advisory that MFA remains an essential defence for online accounts:

"Multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks."

I cannot underline that last comment enough.  Multi-factor authentication is one of the simplest steps you can take to harden your security.

It would be an enormous mistake to think it is worthless just because it's not a perfect solution.



Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

View all posts

You might also like