MFA Matters… But It Isn’t Enough On Its Own
Multi-factor authentication (MFA) has become the de facto standard for strengthening access controls, and for good reason: Microsoft's research indicates that enabling MFA blocks over 99% of automated account-compromise attempts such as credential stuffing. Yet MFA is not a silver bullet. It raises the attacker's cost; it does not make an account immune, and it can be bypassed.
The critical gap in MFA is the factor it sits on top of: the password. Weak, reused or already-compromised passwords are what an attacker needs to reach the MFA challenge in the first place, and once the attacker gets past that challenge, those same poor passwords are the key to your systems. Identity security therefore has to be layered: robust password hygiene and MFA on every login point, not one or the other.
The Benefits of MFA
MFA raises the bar for account takeover. By requiring a second form of verification, such as a one-time code delivered to a registered phone, a push approval, or a biometric check, it ensures that a stolen or guessed password alone is no longer enough to log in. The attacker must also obtain or defeat the second factor, which stops most opportunistic attacks outright.
Why Passwords Still Matter
Despite the benefits of MFA, passwords still play a critical role in identity security. If a password is weak, reused or already known to attackers, they are one step closer to taking over the account. Overreliance on MFA can lull organizations into complacency around the most basic authentication factor: the password.
Layered defense depends on each layer holding its own weight, and the password is the entry point to the MFA challenge. If that password is weak or compromised, one of the two locks on the door is already open. Organizations that roll out MFA without also reinforcing password policy and user education tend to find that people keep picking weak or predictable passwords, undermining one of their strongest defenses.
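The passage above describes the password as the layer that must hold its own weight: long, not reused, and not already circulating in breach data. The following is an added example, not code from the original article or from Specops Software, showing how a password-change handler can enforce those rules at set time. The minimum length, the log-style policy names and the "breached" list are assumptions constructed for the example; a real deployment would replace the constructed list with a breached-password service (for instance the Have I Been Pwned range API, which the prefix/suffix lookup below imitates) or a locally synced copy of its hashes.

```python
import hashlib

MIN_LENGTH = 15  # assumed policy value: favour long passphrases over complexity rules

# Constructed stand-in for a breach corpus. Real deployments query a breached-password
# service or a locally synced hash list; the handling below is the same either way.
_CONSTRUCTED_BREACHED = ["Password123", "Summer2024!", "qwerty", "Welcome1!", "letmein"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the format breach-lookup services index on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Index breached hashes the way a k-anonymity range API does:
    5-hex-char prefix -> set of the remaining 35-char suffixes."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


BREACHED_INDEX = build_range_index(_CONSTRUCTED_BREACHED)


def is_breached(password: str, index=BREACHED_INDEX) -> bool:
    """Range lookup: only the 5-char prefix would leave the client; the suffix
    comparison happens locally, so the service never sees the full hash."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def check_password(password: str, username: str, index=BREACHED_INDEX) -> list:
    """Return the list of policy failures for a candidate password (empty = accepted).
    Order of checks: length, username reuse, breach-corpus membership."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        failures.append("contains the username")
    if is_breached(password, index):
        failures.append("found in a breach corpus")
    return failures


if __name__ == "__main__":
    for candidate in ("Password123", "alice-loves-really-long-walks", "purple-kettle-orbit-stairs-42"):
        verdict = check_password(candidate, "alice")
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

The breach check is deliberately a range lookup rather than a direct hash comparison: it keeps the full hash of the new password off the wire when the index lives in an external service, which matters because the whole point of the check is to protect a secret the user is about to start using.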
Tactics Attackers Use To Bypass MFA
While no single control can stop every attack, pairing comprehensive password defenses with robust MFA on every critical system forces adversaries to clear multiple hurdles. Here are five tactics attackers use to get past MFA; note that nearly all of them assume the attacker already holds a working password:
- SIM swapping: Attackers convince the victim's mobile carrier to move the victim's phone number onto a SIM they control, so one-time codes delivered by SMS or voice call arrive on the attacker's handset instead of the user's.
- MFA prompt bombing: Having already obtained a valid password, attackers trigger push notification after push notification, often late at night, until a worn-down user taps "Approve" just to make the prompts stop.
- Social engineering around help-desk procedures: Attackers impersonate an employee, or a supposed executive or IT staffer, to the help desk and talk it into resetting the password, re-enrolling MFA on an attacker-controlled device, or issuing a temporary bypass code.
- Predictable passwords: Guessing or spraying weak, predictable passwords does not defeat MFA on its own, but it is the step the other tactics depend on: with a valid password the attacker has only one factor left to beat, and on any system where MFA is not enforced, a guessed password is the whole attack.
- Phishing attacks: Phishing emails or messages lure users to look-alike login pages that capture the password, and real-time phishing kits relay the login to the genuine site so that the one-time code, or the authenticated session itself, is captured as well.
Best Practices for Hardening Your Defenses
To build an authentication strategy that keeps your organization and your end users measurably safer, follow these best practices:
- Treat passwords as the important security layer they are. Enforce policies that keep them long, unique, and uncompromised.
- Add MFA as the critical second line of defense to robust password hygiene.
- Incorporate these measures into your cybersecurity strategy:
  - Implement strong password policies that block breached, reused and easily guessed passwords, and educate users on why they matter.
  - Use multi-factor authentication on every critical system, such as Windows logon, VPNs, remote desktop, cloud portals, and privileged access paths.
  - Monitor authentication logs for the signals these attacks leave behind: bursts of denied or timed-out MFA prompts, MFA re-enrollments on new devices, help-desk resets followed by unusual sign-ins, and logins from unfamiliar locations.
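The prompt-bombing tactic described earlier leaves a distinctive trail in authentication logs: a cluster of push prompts that are denied or time out, and then, if the user gives in, an approval from the same source. The following is an added example, not code from the original article or from Specops Software, of detection logic for that pattern run over constructed sample log lines. The log format, field names, ten-minute window and threshold of three prompts are all assumptions for the example; map your identity provider's sign-in export onto the same fields before using the logic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format, constructed for this example (not any vendor's real schema).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"method=(?P<method>\S+) result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: alice is bombed and eventually approves; bob and carol are normal.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z user=alice method=push result=denied ip=198.51.100.7
2024-05-02T09:14:21Z user=alice method=push result=timeout ip=198.51.100.7
2024-05-02T09:14:50Z user=alice method=push result=denied ip=198.51.100.7
2024-05-02T09:15:12Z user=alice method=push result=denied ip=198.51.100.7
2024-05-02T09:15:40Z user=alice method=push result=approved ip=198.51.100.7
2024-05-02T09:20:00Z user=bob method=push result=approved ip=203.0.113.9
2024-05-02T11:02:10Z user=carol method=push result=denied ip=192.0.2.44
2024-05-02T13:30:00Z user=carol method=push result=approved ip=192.0.2.44
"""


def parse_events(log_text: str) -> list:
    """Parse log lines into dicts with a datetime 'ts'; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_prompt_bombing(log_text: str, window=timedelta(minutes=10), threshold=3) -> list:
    """Emit a 'burst' alert when a user accumulates `threshold` unapproved push
    prompts inside `window`, and a 'fatigue_approval' alert when an approval
    follows such a burst. Returns alerts in log order."""
    alerts = []
    pending = defaultdict(list)  # user -> timestamps of push prompts not yet approved
    for ev in parse_events(log_text):
        if ev["method"] != "push":
            continue
        user = ev["user"]
        # Slide the window: forget unapproved prompts older than `window`.
        pending[user] = [t for t in pending[user] if ev["ts"] - t <= window]
        if ev["result"] in ("denied", "timeout"):
            pending[user].append(ev["ts"])
            if len(pending[user]) == threshold:  # fire once as the burst crosses the line
                alerts.append({"kind": "burst", "user": user, "ip": ev["ip"],
                               "prompts": threshold, "at": ev["ts"].isoformat()})
        elif ev["result"] == "approved":
            if len(pending[user]) >= threshold:  # approval after a burst: likely fatigue
                alerts.append({"kind": "fatigue_approval", "user": user, "ip": ev["ip"],
                               "prompts": len(pending[user]), "at": ev["ts"].isoformat()})
            pending[user] = []  # an approval ends the sequence either way
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_LOG):
        print(alert)
```

The "burst" alert is the one worth paging on: it fires while the attacker is still hammering and before the user has given in, which is the moment a password reset and session revocation actually prevent the takeover. The "fatigue_approval" alert is the after-the-fact confirmation that the password was already compromised, which is exactly the point the article makes about MFA sitting on top of the password.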
Contact Us for Advice On MFA Or Password Security
Need advice on MFA or password security? Get in touch with us at [insert contact information]. Sponsored and written by Specops Software.