Hackers Are Learning to Beat MFA

April 5, 2022
meritsolutions

In the cybersecurity world, MFA (multi-factor authentication) is one of our best tools to fight cyberattacks big and small. With it, a password isn’t enough: you also need an additional device or step in order to access an account. Unfortunately, hackers are starting to break through this mighty security feature, and it’s up to you to fight back.

Not all MFA methods are created equal. The most common is also the least secure: SMS codes. When you request to log into a site, you receive a unique code via text message. A slightly more secure form of MFA is device or app-based: you receive a code on a trusted device, or through a third-party authenticator app, and use that to confirm your identity.

The most secure form of MFA available right now is FIDO2, which utilizes biometric authentication for account access. This type of authentication uses your fingerprint or face scan, for example, to confirm your account, which makes it much more difficult to spoof. That said, FIDO2 is not widely available across accounts, so use the other MFA methods wherever FIDO2 is not an option.

These methods, however, are susceptible to what is known as MFA prompt-bombing. A hacker will attempt to sign into your account and trigger an MFA request. You’ll see that appear as an SMS, a phone call, or however else you have your MFA set up. If you know you didn’t initiate the request yourself, you might think to ignore the message. However, prompt-bombers will keep sending requests your way, hoping you’ll eventually accept one just to stop the requests from coming through.

As soon as you do, however, you let the hacker into your account, where they can add their own devices to your MFA registry.
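From the defender's side, the pattern described above is visible in authentication logs: a cluster of denied or timed-out MFA pushes for one user, sometimes followed by an approval. The script below is an added example, not code from the original post or from Merit Solutions; the log events, field names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events (not real logs): (user, UTC timestamp, outcome)
SAMPLE_EVENTS = [
    ("alice", "2022-04-05T08:00:05Z", "denied"),
    ("alice", "2022-04-05T08:00:40Z", "timeout"),
    ("alice", "2022-04-05T08:01:10Z", "denied"),
    ("alice", "2022-04-05T08:01:55Z", "denied"),
    ("alice", "2022-04-05T08:02:30Z", "approved"),  # accepted after the burst
    ("bob",   "2022-04-05T09:15:00Z", "approved"),  # ordinary login
    ("carol", "2022-04-05T10:00:00Z", "denied"),
    ("carol", "2022-04-05T10:30:00Z", "approved"),  # one mis-tap, far apart
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_prompt_bombing(events, threshold=3, window=timedelta(minutes=5)):
    """Flag users who received `threshold` or more pushes that were denied or
    timed out inside `window`, and report whether an approval followed that
    burst (the "accept it to make it stop" outcome the attacker hopes for)."""
    by_user = defaultdict(list)
    for user, ts, outcome in events:
        by_user[user].append((_parse(ts), outcome))

    findings = {}
    for user, evs in by_user.items():
        evs.sort()
        unapproved = [t for t, o in evs if o != "approved"]
        # Slide a window over the unapproved pushes; the first window that
        # reaches the threshold is the burst we report for this user.
        for i, start in enumerate(unapproved):
            in_window = [t for t in unapproved[i:] if t - start <= window]
            if len(in_window) >= threshold:
                burst_end = in_window[-1]
                approved_after = any(
                    o == "approved" and burst_end <= t <= burst_end + window
                    for t, o in evs
                )
                findings[user] = {
                    "unapproved_pushes": len(in_window),
                    "approved_after_burst": approved_after,
                }
                break
    return findings


if __name__ == "__main__":
    for user, finding in detect_prompt_bombing(SAMPLE_EVENTS).items():
        print(f"{user}: {finding}")
```

An approval that follows a burst is the case worth paging on, since it is the moment the attacker can enrol their own device.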

Remember: until you accept the MFA request, hackers cannot break into your account. It’s a great reminder to never accept a strange MFA request. That goes for SMS codes as well as for phone calls from “representatives” of the company asking you to confirm your MFA code.

Photo by Towfiqu barbhuiya on Unsplash
