Multi-factor authentication (MFA) has become one of the most widely recommended security controls. It is now a cornerstone of most companies’ cybersecurity strategies, providing an additional layer of protection beyond traditional passwords, which are often weak, reused across multiple applications, sites or systems, and regularly compromised.

Yet as MFA adoption has increased, so has the sophistication of attacks designed to circumvent it. Threat actors are constantly developing new methods to bypass these controls, posing major risks to the organisations they are meant to protect.

Our team sees the consequences of the cyber attacks on businesses that follow almost every day. Full recovery can take countless hours and thousands of dollars, sometimes millions. Unfortunately, we are also seeing an increase in claims from organisations that believed they were protected by MFA protocols before suffering a bypass attack.

With this in mind, companies need to understand both the strengths and the vulnerabilities of MFA in the current cybersecurity landscape.

MFA is great, but not perfect

MFA enhances security by requiring users to provide multiple forms of verification, such as a PIN, a one-time code delivered to a mobile device, or biometric data, before access is granted. This approach significantly limits unauthorised access, but it is not invulnerable to exploitation by threat actors.

A widespread method used by attackers is the adversary-in-the-middle (AitM) phishing attack. In these scenarios, threat actors set up fraudulent intermediary sites to intercept communications between the victim and the legitimate service. They deploy fake login pages that mirror the real ones, capturing the user's credentials, session cookies and sometimes MFA tokens. Hackers even sell ready-made kits that enable these attacks, including one capable of bypassing two-factor authentication on Google, Microsoft, and Yahoo accounts.

Another tactic gaining ground is MFA fatigue, also called MFA bombing. Attackers flood the target with repeated MFA push notifications, hoping to wear the user down until they approve one of the requests out of frustration or confusion. This method targets the human element of security, which is ultimately the largest and least controllable attack surface of any organisation. Fatigue attacks bank on the probability that an overwhelmed user will inadvertently grant access. That is a risk for every organisation, regardless of its size.
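A push-bombing burst like the one described above leaves a recognisable trace in authentication logs: many prompts to one user in a short window, often ending in an approval. The following detection routine is an added example, not code from the article; the log format, the sample lines and the thresholds are constructed for the demo, and real identity providers each use their own schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <event>", one event per line.
# alice receives four pushes in under two minutes, denies three, then approves
# the fourth; bob is a normal single-prompt login.
SAMPLE_LOG = """\
2024-05-02T08:00:05Z alice push_sent
2024-05-02T08:00:06Z alice push_denied
2024-05-02T08:00:40Z alice push_sent
2024-05-02T08:00:44Z alice push_denied
2024-05-02T08:01:10Z alice push_sent
2024-05-02T08:01:15Z alice push_denied
2024-05-02T08:01:50Z alice push_sent
2024-05-02T08:02:30Z alice push_approved
2024-05-02T08:05:00Z bob push_sent
2024-05-02T08:05:08Z bob push_approved
"""

def parse(log: str):
    """Yield (timestamp, user, event) tuples from the constructed log format."""
    for line in log.strip().splitlines():
        ts, user, event = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def detect_push_bombing(log: str, max_prompts: int = 3,
                        window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {user: verdict} for users who got more than max_prompts pushes
    inside `window`. The verdict escalates to 'approved_after_burst' when an
    approval follows the burst while it is still inside the window, which is
    the case an incident responder wants paged on first."""
    recent = defaultdict(list)      # per-user prompt timestamps inside the window
    alerts = {}
    for ts, user, event in sorted(parse(log)):
        if event == "push_sent":
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
            if len(recent[user]) > max_prompts:
                alerts[user] = "burst"
        elif (event == "push_approved" and alerts.get(user) == "burst"
              and recent[user] and ts - recent[user][-1] <= window):
            alerts[user] = "approved_after_burst"
    return alerts

if __name__ == "__main__":
    print(detect_push_bombing(SAMPLE_LOG))   # {'alice': 'approved_after_burst'}
```

The same sliding-window logic applies to any provider's push events once they are normalised to (time, user, outcome); tuning max_prompts per environment avoids alerting on users who legitimately retry.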

Passkeys are making progress, but with limitations

In response to the vulnerabilities of traditional MFA methods, the industry has explored other authentication mechanisms. Passkeys, which use the user's biometrics to unlock cryptographic credentials stored on the user's device, have emerged as a promising solution. Companies like Microsoft, Google, and Apple advocate passkeys as a safer and more user-friendly replacement for passwords. They offer more sophisticated security, operating as a "lock and key": the website holds the "lock" (the public key), and the user holds the "private key" on their device. Through this public key cryptography, passkeys aim to eliminate the risks associated with password reuse and phishing attacks.

But passkeys are not without challenges either. Reliance on device-based credentials means that if a device is lost, stolen or compromised, the passkeys stored on it could be at risk. In addition, sophisticated attackers can use advanced techniques, such as deepfake technology, to spoof biometric data. The transition to passkeys also requires widespread adoption across platforms and services, which is an ongoing process.

Phishing-resistant MFA solutions

Given the changing threat landscape, phishing-resistant MFA solutions are increasingly imperative. These methods are designed to withstand phishing attacks by binding authentication to specific devices and to the legitimate site, ensuring that credentials cannot be easily intercepted or replicated. Several common configurations fall into this category.
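The "lock and key" model of the passkey section and the phishing resistance claimed here rest on one mechanism: the browser writes the origin it is really connected to into the signed data, and the relying party rejects an assertion bound to any other origin, so an AitM proxy relaying a victim's login gets nothing usable. The script below is an added example, not code from the article or from any vendor; it uses the WebAuthn signed-message layout but stands in an HMAC with a per-credential secret for the authenticator's asymmetric key pair so that it runs with the standard library alone, and make_assertion, verify_assertion and the bank.example domains are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import os

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(cred_key: bytes, rp_id: str, observed_origin: str, challenge: bytes):
    """What browser + authenticator produce at login. The browser, not the page,
    writes the origin it is actually connected to into clientDataJSON."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": observed_origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP bit set) || signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    # HMAC stands in for the authenticator's private-key signature (demo only)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(cred_key, signed, hashlib.sha256).digest()

def verify_assertion(cred_key, expected_origin, expected_rp_id, challenge,
                     client_data, auth_data, sig) -> bool:
    """Relying-party checks, in the order the WebAuthn verification procedure lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(challenge):
        return False                                  # wrong ceremony or replayed response
    if cd.get("origin") != expected_origin:
        return False                                  # the phishing-resistance check
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False                                  # credential scoped to another site
    if not auth_data[32] & 0x01:
        return False                                  # user presence not asserted
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), sig)

def demo() -> dict:
    key, challenge = os.urandom(32), os.urandom(32)
    rp_id, origin = "bank.example", "https://bank.example"   # constructed values
    legit = make_assertion(key, rp_id, origin, challenge)
    # Victim completes the ceremony on a look-alike domain fronted by an AitM
    # proxy, which relays the assertion to the real site unchanged.
    relayed = make_assertion(key, rp_id, "https://bank-example.evil.test", challenge)
    return {"legitimate": verify_assertion(key, origin, rp_id, challenge, *legit),
            "relayed_by_proxy": verify_assertion(key, origin, rp_id, challenge, *relayed)}

if __name__ == "__main__":
    print(demo())   # {'legitimate': True, 'relayed_by_proxy': False}
```

A one-time code or password typed into the proxy page, by contrast, carries no origin at all, which is exactly why the AitM kits described earlier work against those factors.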

A multi-layered defence strategy

Although implementing robust, phishing-resistant MFA is crucial, it should be only one part of a multi-layered cybersecurity strategy. At a minimum, a more comprehensive approach should include:

Incident response planning: Establishing and regularly updating an incident response plan helps organisations react effectively in high-stress situations and minimise potential damage.

Continuous user education: Regular training programs that teach employees about new phishing techniques and social engineering tactics, and how to recognise them, reduce the likelihood of successful attacks.

Advanced threat detection: Sophisticated monitoring tools can detect anomalous behaviour and potential intrusions in real time, so the organisation can react quickly to emerging threats.

Regular security assessments: Frequent security audits and penetration tests help identify and address vulnerabilities before bad actors can exploit them.

MFA remains an essential element of cybersecurity, but it is not a cure-all. A resilient approach to cybersecurity requires understanding the limitations of each strategy and implementing a multi-layered, adaptive security posture. That approach goes a long way towards safeguarding your business in a high-risk digital world.
