• October 17, 2024
  • Category: Security

Be Wary of MFA Shortfalls

By: Sanjeev Spolia

Multi-factor authentication (MFA) has become table stakes for both enterprise and consumer security, but it’s not the perfect solution.

MFA adds a layer of security by requiring a user to verify their identity through a second log-in mechanism. A typical example would be using your mobile banking app to confirm your identity when attempting to sign in with your browser, or a webmail provider like Gmail sending you a code via SMS to your smartphone to verify that it's you who's trying to log in or make changes to your account.

But adding this extra layer doesn’t make for foolproof security.

MFA can lead to complacency

Because so many business applications and digital services for consumers come with MFA built in, organizations may begin to believe that they don't need additional security, and it becomes easier for users to forget other security best practices.

Not all MFA solutions are created equal, either; some are still vulnerable to social engineering such as phishing attacks. Businesses need to look at MFA as more than a box they tick off to satisfy compliance and cyber insurance obligations, and have a clear understanding of what MFA can protect and where it can fail.

Common MFA pitfalls

Hackers can get around MFA by exploiting centralization and session cookies. While passkeys can make MFA phishing-resistant, their centralized nature can become a vector for attackers, because passkeys are synchronized across all the devices a user logs into. Hackers can circumvent this centralization through a vulnerable second-factor authenticator, and the passkey still depends on the platform's security despite using public-key cryptography.

Session cookies stored on a user's device after authentication are also vulnerable, because they allow the user to access resources without re-authenticating each time. In what is called an adversary-in-the-middle (AiTM) attack, hackers capture those session cookies and gain access to the user's account without ever needing to go through MFA.

The problem with MFA is that although it is phish-resistant, it is not phish-proof: AiTM attacks bypass it, and many deployments rely on other phishable factors such as SMS codes, one-time passwords (OTP) or other secondary authentication methods. Lost devices can compound the problem. Every stage of the authentication life cycle opens opportunities for hackers if the second layer of authentication is vulnerable.
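The session-cookie theft described above is the part of an AiTM attack a defender can actually act on: once MFA has been satisfied, the cookie is all the attacker needs, so the cookie itself has to be tied to the client that earned it, and its use from anywhere else has to be noticed. The following is an added example, not code from the article or from any product it mentions. It assumes a web application that issues a server-side session cookie after MFA succeeds and logs one JSON line per authenticated request with the fields ts, user, sid, ip, ua and path; those field names and all the log lines are constructed for this example.

```python
"""Session-cookie replay after an AiTM phish: binding the cookie to its client,
and scanning request logs for a cookie that turns up somewhere else.

Added example (not from the article). Assumed log format: one JSON object per
line with ts, user, sid, ip, ua, path. All sample data below is constructed.
"""
import hashlib
import json
import secrets
from typing import Dict, List, Optional


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash the client context a session is bound to.

    The IPv4 /24 prefix is used instead of the full address so an ordinary
    address change inside one network does not log the user out, while a cookie
    replayed from an attacker's infrastructure (different network and, usually,
    a different browser) no longer matches.
    """
    prefix = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{prefix}|{user_agent}".encode()).hexdigest()


class SessionStore:
    """Server-side sessions whose cookie is bound to the context seen at MFA completion."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def create(self, user: str, ip: str, user_agent: str) -> str:
        """Called once the second factor has been verified; returns the cookie value."""
        sid = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[sid] = {"user": user, "fp": client_fingerprint(ip, user_agent)}
        return sid

    def validate(self, sid: str, ip: str, user_agent: str) -> Optional[str]:
        """Return the user for a valid cookie, or None (and revoke) on a context mismatch."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if session["fp"] != client_fingerprint(ip, user_agent):
            # Revoke rather than merely refuse: the legitimate user re-authenticates
            # with their second factor, the holder of the stolen cookie gets nothing.
            del self._sessions[sid]
            return None
        return session["user"]


def find_replayed_sessions(log_lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests that present a session id from a context different from the
    one recorded on that session's first appearance in the log."""
    first_seen: Dict[str, Dict[str, str]] = {}
    alerts: List[Dict[str, str]] = []
    for line in log_lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        fp = client_fingerprint(rec["ip"], rec["ua"])
        origin = first_seen.setdefault(rec["sid"], {"fp": fp, "ip": rec["ip"], "ts": rec["ts"]})
        if fp != origin["fp"]:
            alerts.append({
                "user": rec["user"], "sid": rec["sid"], "ts": rec["ts"],
                "ip": rec["ip"], "path": rec["path"],
                "first_ip": origin["ip"], "first_ts": origin["ts"],
            })
    return alerts


# Constructed sample log: alice completes MFA, keeps working from her own network
# (including a host change inside the same /24), then her cookie appears from a
# different network and browser; bob's session stays in one context throughout.
SAMPLE_LOG = """\
{"ts": "2024-10-17T09:00:05", "user": "alice", "sid": "s1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/131.0", "path": "/mfa/complete"}
{"ts": "2024-10-17T09:01:10", "user": "alice", "sid": "s1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/131.0", "path": "/inbox"}
{"ts": "2024-10-17T09:02:41", "user": "alice", "sid": "s1", "ip": "203.0.113.44", "ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/131.0", "path": "/inbox"}
{"ts": "2024-10-17T09:03:12", "user": "alice", "sid": "s1", "ip": "198.51.100.7", "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/129.0", "path": "/settings/forwarding"}
{"ts": "2024-10-17T09:05:00", "user": "bob", "sid": "s2", "ip": "192.0.2.25", "ua": "Mozilla/5.0 (Macintosh) Safari/17.6", "path": "/inbox"}
{"ts": "2024-10-17T11:00:00", "user": "bob", "sid": "s2", "ip": "192.0.2.25", "ua": "Mozilla/5.0 (Macintosh) Safari/17.6", "path": "/inbox"}
"""


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG.splitlines()):
        print(f"session {alert['sid']} of {alert['user']} first seen from {alert['first_ip']} "
              f"at {alert['first_ts']}, replayed from {alert['ip']} at {alert['ts']} ({alert['path']})")
```

The two halves are complementary. Binding in `SessionStore.validate` is enforcement for an application you control; the scan in `find_replayed_sessions` is for the far more common case of a SaaS or legacy service whose cookies you cannot change but whose access logs you can read, where a session id moving to a new network and browser minutes after MFA completed is the clearest signal that the second factor was phished through a relay. Binding to a /24 prefix and User-Agent is a deliberate trade-off between false logouts and coverage; an attacker who proxies through the victim's own network would pass it, which is why the detection side still matters.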

Going forward, MFA and passwords need to be bolstered by embracing a Zero Trust approach to security, which reduces the opportunities for human error and phishing. Most of all, organizations must remember that MFA isn't flawless, and it doesn't negate the need for other security tools and best practices around access management.