Indevtech Blog

Indevtech has been serving the Honolulu area since 2001, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Multi-Factor Authentication isn’t Infallible, But It Shouldn’t Be Abandoned

Multi-Factor Authentication isn’t Infallible, But It Shouldn’t Be Abandoned

We haven’t been shy about pushing for multi-factor authentication, AKA MFA, and there’s a reason for that: if implemented correctly, it can help prevent many cyberthreats. Having said that, cybercriminals have managed to find a way to undermine MFA. Let’s consider how they’ve managed to do this.

First, let’s examine why we’ve trusted MFA up to this point:

What Makes Multi-Factor Authentication as Effective as It Is?

Phishing—or the act of manipulating the user, instead of the computer system, in order to gain access to data—has become a hugely common tactic, mainly because it works. Hackers are also still able to guess weak passwords and gain access. MFA adds an additional layer of security by requiring an additional proof of identity. Without this credential—typically something other than a password that’s harder to replicate—a hacker theoretically can’t get in.

Unfortunately, this is no longer always the case.

Hackers Have Figured Out Ways to Work Around MFA

Microsoft has observed a few recent attacks that demonstrate that hackers can in fact bypass MFA protocols that businesses put in place. The term bypass is important. It isn’t that hackers have cracked MFA, they’ve just figured out how to get around it.

It’s like driving through a city to find that your normal route is under construction, so traffic has slowed to a crawl. Sure, you could simply wait it out and hope to get through in a reasonable amount of time, or you could find another route.

Most hackers use something called an adversary-in-the-middle attack. The hacker sets up a proxy server between their target and the service they want the credentials for. By phishing their target, the hacker is able to steal both their password and the session cookie. This way, the user accesses their account as normal, with no knowledge that it's been undermined, while the hacker gets what they want.

Hackers Have Used Other Methods, Too

MFA can be worked around in other ways, as well. MFA systems that rely on text messages or emails with single-use codes have little defense against a user being convinced to provide these codes as they are generated. Trojans can be used to spy on users, while other means can take over the devices used to actually authenticate the involved systems. Like many other forms of cybersecurity, it really comes down to how vigilant the user is.

So, How Do You Keep Your Business Systems Secure?

In our humble (expert, but still humble) opinion, the best cybersecurity strategy is one that relies on both the right technical security system and the capabilities of the people using it, working in tandem to better secure the protected assets. This is why we still recommend, even encourage, businesses to implement MFA despite these security hiccups. Our one caveat is that these businesses also need to educate their teams as to their importance.

We can help you do both, implementing enterprise-grade security while also providing comprehensive cybersecurity training and testing to ensure your business is as prepared as possible. Reach out to us today to learn more about how we can assist your business by calling (808) 529-4605.

Customer Login


Latest Blog

Having tools that help enhance your ability to support your customers is rarer than you may expect. One of the best tools a lot of businesses employ is Customer Relationship Management (CRM). The CRM system can transform how a business operates, but to make the most of it, you’ll need to employ some strategies. 

Contact Us

Learn more about what Indevtech can do for your business.

Indevtech Incorporated
Pacific Guardian Center, Mauka Tower
737 Bishop Street, Suite 2070
Honolulu, Hawaii 96813-3205

indev badge footer