
MFA is good, but not good enough

Every day, hackers attempt to log in to our online accounts by the hundreds.

The extra protection layer provided by MFA to the sign-in process dramatically reduces the number of successful attacks. While we are relieved that MFA is doing a good job of keeping our online accounts safe, we need to continue to advise our users to be vigilant – check before you click.  

Not all MFA factors are created equal. Some are stronger than others. Hardware keys like YubiKey are the most phishing-resistant authentication factors. To begin with, they don’t store any session cookies, and they require the user to press a physical button on the key to complete authentication.

There are methods for bypassing MFA, e.g., SMS-based man-in-the-middle attacks (SIM swaps are very easy to do), attacks on soft tokens, and passing the cookie. For example, here is an article about an active phishing campaign [*] that uses TeamViewer and a fake support chat to bypass MFA.

[*] https://www.bleepingcomputer.com/news/security/attackers-bypass-coinbase-and-metamask-2fa-via-teamviewer-fake-support-chat/