The Silver Bullet of MFA Was Never Enough

COMMENTARY

The unfolding story of recent attacks on high-profile organizations is shaping up to be the cybersecurity equivalent of action movies. As a child, I stared in rapt attention at the screen as the hero fought valiantly to overcome the malice of the antagonist in the story. There would be trials and tribulations, but the protagonist would invariably find a way to overcome the adversity — much to the joy of the audience. 

Often that victory would come in the guise of an almost magical solution. In some cases, these proverbial silver bullets would make their appearance to bring an end to the vampires or werewolves. We were led to believe that silver bullets would solve our difficult situations.

The temptation to believe that silver bullets can solve our most difficult situations lives on in the world of modern cybersecurity. How many times have we heard declarations that “[insert name] technology” is dead!” and that some other solution is swooping in to solve all of the ills across the security landscape?

Multifactor authentication (MFA) has been cast in the role of a silver bullet this summer — but, unfortunately, there is no magical cure-all in cybersecurity.

What MFA Can't Do

The focus on MFA makes sense. The attacks on cloud-based data platforms that have dominated the news have been primarily credential-based, with hyperscaler Snowflake determining that compromised customer accounts didn't have MFA in place. MFA is a solid tool for reducing risks to an organization, and Snowflake's decision to launch features making MFA mandatory was wise. 

But MFA isn't enough, and it never was. Even with MFA, there is the potential for social engineering. I have personally received text messages purporting to come from the CEO of a company I was working for, claiming they had lost their phone and asking me to text an MFA token back to them so they could log in. While this example may seem laughable to those of us with a security background, it has been shown to work. 

MFA doesn't prevent attackers from setting up malicious Wi-Fi hotspots or using Domain Name System (DNS) spoofing to redirect users to a fake login page — two techniques for capturing MFA codes and session tokens. Used the coffee shop Wi-Fi lately? 

The third example I'll point to is SIM swapping, in which the attacker takes control of the user's phone number to intercept MFA codes sent via SMS. MFA is not always MFA: If your authentication code is sent to the same compromised device you're using to access an app, there's nothing "multiple" about it. SMS codes are a poor substitute for good security. 

Beyond MFA

In light of the scores of data breaches in the news of late, we need to be able to do even better. How do security teams improve their situation and reduce the risks to their organization? The Ron Popeil method of "set it and forget it" does little to improve matters from a security perspective. 

There are many steps that can be taken to protect an organization. Passkeys, for example, will allow users to log into their accounts without needing to remember or enter passwords. 

A second step is checking the security posture of the devices that are connecting to your organization's resources. Is that laptop connecting from a foreign country, for example, supposed to be doing so? Do you have anyone there who works for your organization? Is the laptop's software and operating system patched to current? 

Finally, passwords are the control that we often overlook in the enterprise. How are they managed? Are the passwords in use unique in their composition? Even with MFA in place, we're still stuck with passwords as part of the mix. They're not going anywhere soon. If your employees use weak, easy-to-remember passwords because they lack the right tools, your organization can be at risk. 

There Is No Silver Bullet

We all want to be the hero of our own stories. But the magical triumphs that capped my favorite childhood movies simply do not translate to the world of modern cybersecurity.

MFA is an important solution. It can certainly help. But it is by no means the silver bullet that will save the day.