
Out with the old and in with the improved: MFA needs a revamp
2024-01-19 06:00

With MFA in place, when a hacker gets a hold of your account credentials, they cannot fulfill the additional identification requirement, meaning their ability to breach the system is dead in the water.

We have lately seen a surprising number of high-profile social engineering attacks that result in MFA bypass.

An MFA bypass can be achieved through various strategies, all possible because of one key element: human error.

To circumvent the MFA barrier, cybercriminals will often send phishing emails to encourage the victim to approve the login or even get them to send an MFA code directly to the hacker.

Flooding the victim with MFA codes, as seen during MFA fatigue attacks, can be as effective as performing a SIM swap attack on SMS-based MFA. A more advanced technique of bypassing MFA involves the hacker directing the victim to a fraudulent website that will prompt the user to log in on the fake site or the real site through a proxy controlled by the attacker.
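A defender can spot the prompt flooding described above in MFA logs. The following is an added example, not part of the original article: the log format, the sample lines, the 10-minute window and the threshold of five are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA log lines: "ISO-timestamp user result"
SAMPLE_LOG = """\
2024-01-19T02:14:05 alice denied
2024-01-19T02:14:40 alice timeout
2024-01-19T02:15:10 alice denied
2024-01-19T02:15:55 alice timeout
2024-01-19T02:16:30 alice denied
2024-01-19T02:17:02 alice approved
2024-01-19T09:00:12 bob denied
2024-01-19T09:00:50 bob approved
2024-01-19T09:30:00 carol timeout
2024-01-19T13:45:00 carol approved
"""

def detect_push_fatigue(log_text, window=timedelta(minutes=10), threshold=5):
    """Return one alert per user with >= threshold denied or ignored prompts
    inside `window`. An approval that directly follows such a burst raises
    the severity, since it may be the user giving in to the flood."""
    recent = defaultdict(deque)  # user -> timestamps of failed prompts
    alerts = {}                  # user -> alert record
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, user, result = line.split()
        ts = datetime.fromisoformat(ts_raw)
        failed = recent[user]
        # Drop failures that have aged out of the sliding window.
        while failed and ts - failed[0] > window:
            failed.popleft()
        if result in ("denied", "timeout"):
            failed.append(ts)
            if len(failed) >= threshold:
                alert = alerts.setdefault(user, {
                    "user": user, "first_seen": failed[0],
                    "failed_prompts": 0, "severity": "prompt_flood"})
                alert["failed_prompts"] = max(alert["failed_prompts"], len(failed))
        elif result == "approved":
            if len(failed) >= threshold and user in alerts:
                alerts[user]["severity"] = "approved_after_flood"
            failed.clear()  # a successful login resets the burst counter
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

An `approved_after_flood` alert is the case to triage first: revoke the session and reset the credential before investigating further.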

Phishing-resistant MFA technology is already becoming more widely used and, as the name suggests, it uses identification methods that are less susceptible to MFA phishing attacks.


News URL

https://www.helpnetsecurity.com/2024/01/19/mfa-bypass/