
The Silver Bullet of MFA Was Never Enough

There is no such thing as a silver bullet in cybersecurity. No, not even multifactor authentication.

Dave Lewis, Global Advisory CISO, 1Password

August 21, 2024

3 Min Read

COMMENTARY

The unfolding story of recent attacks on high-profile organizations is shaping up to be the cybersecurity equivalent of action movies. As a child, I stared in rapt attention at the screen as the hero fought valiantly to overcome the malice of the antagonist in the story. There would be trials and tribulations, but the protagonist would invariably find a way to overcome the adversity — much to the joy of the audience. 

Often that victory would come in the guise of an almost magical solution. In some cases, these proverbial silver bullets would make their appearance to bring an end to the vampires or werewolves. We were led to believe that silver bullets would solve our difficult situations.

The temptation to believe that silver bullets can solve our most difficult situations lives on in the world of modern cybersecurity. How many times have we heard declarations that “[insert name] technology is dead!” and that some other solution is swooping in to solve all of the ills across the security landscape?

Multifactor authentication (MFA) has been cast in the role of a silver bullet this summer — but, unfortunately, there is no magical cure-all in cybersecurity.

What MFA Can't Do

The focus on MFA makes sense. The attacks on cloud-based data platforms that have dominated the news have been primarily credential-based, with hyperscaler Snowflake determining that compromised customer accounts didn't have MFA in place. MFA is a solid tool for reducing risks to an organization, and Snowflake's decision to launch features making MFA mandatory was wise. 

But MFA isn't enough, and it never was. Even with MFA, there is the potential for social engineering. I have personally received text messages purporting to come from the CEO of a company I was working for, claiming they had lost their phone and asking me to text an MFA token back to them so they could log in. While this example may seem laughable to those of us with a security background, it has been shown to work. 

MFA doesn't prevent attackers from setting up malicious Wi-Fi hotspots or using Domain Name System (DNS) spoofing to redirect users to a fake login page — two techniques for capturing MFA codes and session tokens. Used the coffee shop Wi-Fi lately? 

The third example I'll point to is SIM swapping, in which the attacker takes control of the user's phone number to intercept MFA codes sent via SMS. MFA is not always MFA: If your authentication code is sent to the same compromised device you're using to access an app, there's nothing "multiple" about it. SMS codes are a poor substitute for good security. 

Beyond MFA

In light of the scores of data breaches in the news of late, we need to be able to do even better. How do security teams improve their situation and reduce the risks to their organization? The Ron Popeil method of "set it and forget it" does little to improve matters from a security perspective. 

There are many steps that can be taken to protect an organization. Passkeys, for example, will allow users to log into their accounts without needing to remember or enter passwords. 

A second step is checking the security posture of the devices that are connecting to your organization's resources. Is that laptop connecting from a foreign country, for example, supposed to be doing so? Do you have anyone there who works for your organization? Are the laptop's software and operating system patched to current versions?

Finally, passwords are the control that we often overlook in the enterprise. How are they managed? Are the passwords in use unique in their composition? Even with MFA in place, we're still stuck with passwords as part of the mix. They're not going anywhere soon. If your employees use weak, easy-to-remember passwords because they lack the right tools, your organization can be at risk. 
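The checks described in this section (factor strength, device posture, and sign-in geography) can be expressed as a policy evaluated over sign-in events. The following is an added illustration, not code from 1Password or the author; the event fields, the staff-country list, and the decision thresholds are assumptions, and the sample events are constructed.

```python
"""Evaluate the article's sign-in checks over constructed sample events.

Added example; the event schema, STAFF_COUNTRIES and the allow/review/deny
thresholds are assumptions for illustration, not any vendor's policy.
"""
from dataclasses import dataclass

# Assumption: countries where the organization actually has staff.
STAFF_COUNTRIES = {"CA", "US", "GB"}
# SMS codes can be intercepted (SIM swap) or land on the same compromised
# device, so SMS is treated as a weak second factor, and none as missing.
PHISHING_RESISTANT = {"passkey", "fido2"}
WEAK_FACTORS = {"sms", "none"}

@dataclass
class SignIn:
    user: str
    country: str
    factor: str                       # passkey, fido2, totp, sms, none
    os_patched: bool                  # device posture: OS at current patch level
    same_device_code: bool = False    # MFA code delivered to the signing-in device

def evaluate(event: SignIn) -> list[str]:
    """Return the reasons a sign-in fails the checks; empty means all passed."""
    reasons = []
    if event.factor in WEAK_FACTORS:
        reasons.append("weak-or-missing-second-factor")
    if event.same_device_code and event.factor not in PHISHING_RESISTANT:
        reasons.append("code-delivered-to-same-device")
    if event.country not in STAFF_COUNTRIES:
        reasons.append("sign-in-from-country-without-staff")
    if not event.os_patched:
        reasons.append("device-not-patched")
    return reasons

def decide(event: SignIn) -> str:
    reasons = evaluate(event)
    if not reasons:
        return "allow"
    # A strong factor on a patched device from an unexpected country is
    # routed to human review rather than blocked outright.
    if reasons == ["sign-in-from-country-without-staff"]:
        return "review"
    return "deny"

# Constructed sample events.
SAMPLE_EVENTS = [
    SignIn("alice", "CA", "passkey", True),
    SignIn("bob", "US", "sms", True, same_device_code=True),
    SignIn("carol", "BR", "totp", False),
    SignIn("dan", "FR", "fido2", True),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.user, decide(ev), evaluate(ev))
```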

There Is No Silver Bullet

We all want to be the hero of our own stories. But the magical triumphs that capped my favorite childhood movies simply do not translate to the world of modern cybersecurity.

MFA is an important solution. It can certainly help. But it is by no means the silver bullet that will save the day. 

About the Author

Dave Lewis

Global Advisory CISO, 1Password

Dave is the Global Advisory CISO at 1Password. He brings over 30 years of industry experience, extensively in IT security operations and management, at companies such as Akamai, IBM, Duo Security, Cisco, and AMD. He is also the founder of the security site Liquidmatrix Security Digest as well as host of the Liquidmatrix, Plaintext, and Chasing Entropy podcasts. Dave currently serves on the board of directors for BSides Las Vegas and the advisory board for the Black Hat Sector Security Conference. He co-founded the BSides Toronto conference and was a goon on the speaker operations team for DEF CON for over 13 years. He previously held a board position at (ISC)². For fun, Dave loves playing bass guitar, grilling, and spending quality time with his kids. He’s also a part owner of a whisky distillery and a soccer team.
