Your eight-character password can be cracked in about eight hours, using brute force attacks — even if you add in numbers, mix up the cases and throw in a special character or three. Odds are high that eight-hour window will soon be even shorter. To combat this, many companies added multifactor authentication (MFA) into their process to keep their data, applications and systems safe. According to a Microsoft study, MFA was the most adopted security tool since the beginning of the pandemic. But does this really work at a corporate scale?

Multifactor Authentication Under Attack

Not surprisingly, threat actors now target those security measures. There is also good news, though: a recovery phone number, a common MFA measure, stopped 100% of automated bot attacks and 99% of bulk phishing attacks. However, that same multifactor authentication method prevented only 70% of targeted attacks.

Because you can’t prevent issues you are unaware of, you need to stay informed about how threat actors are currently launching MFA attacks. The FBI pinpointed four types of attacks designed to get around MFA tech and processes:

SIM swapping – In most cases, multifactor authentication means that the threat actor needs physical access to the employee’s device. So attackers turned to SIM swapping: they transfer the employee’s physical SIM card to a phone they control, or they create a counterfeit SIM card. Either way, the PIN code or other personal key sent to the employee now reaches the attacker.

Technical loopholes – Other threat actors manipulate the MFA system itself into accepting an incorrect PIN, tricking it into behaving as though the correct PIN had been entered. This type of attack is harder to accomplish, but it can be very effective when it works.

Social engineering – Multifactor authentication often relies on the employee being able to verify themselves by inputting personal details. That means threat actors are now turning to other ways to get those details. Attackers might call telecommunications representatives and talk them into handing over the information needed to complete MFA successfully.

Phishing – Threat actors also use phishing schemes to convince employees to provide them with personal details. By sending links to fake websites, threat actors collect the data the person enters, and then use that to complete the MFA process. This kind of attack often mentions current events or trends to increase the likelihood of a user falling victim.
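The “technical loopholes” attack above works whenever the server trusts anything other than its own record of the PIN it issued. The following added example (not code from the original article) shows a server-side one-time PIN verifier that keeps the PIN bound to the requesting session, compares it in constant time, expires it, limits guesses and allows a single use; the names `PinVerifier`, `PIN_TTL_SECONDS` and `MAX_ATTEMPTS` are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_TTL_SECONDS = 300   # assumption: a one-time PIN is valid for five minutes
MAX_ATTEMPTS = 5        # assumption: five wrong guesses invalidate the PIN


@dataclass
class PendingPin:
    pin: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class PinVerifier:
    """Server-side record of issued PINs; the client never gets to say 'verified'."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # session_id -> PendingPin

    def issue(self, session_id: str) -> str:
        # CSPRNG six-digit PIN, bound to the session that requested it
        pin = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[session_id] = PendingPin(pin=pin, issued_at=self._now())
        return pin

    def verify(self, session_id: str, submitted: str) -> bool:
        entry = self._pending.get(session_id)
        if entry is None or entry.used:
            return False          # unknown session, or PIN already consumed
        if self._now() - entry.issued_at > PIN_TTL_SECONDS:
            del self._pending[session_id]
            return False          # expired: issue a fresh PIN instead
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[session_id]
            return False          # too many guesses: even the right PIN is refused
        ok = hmac.compare_digest(entry.pin.encode(), submitted.encode())
        if ok:
            entry.used = True     # single use: replaying the PIN fails
        return ok
```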

Cybersecurity Tips for Remote Workers

With the increase in remote working and the higher security risk that comes with it, many employers added MFA to reduce password breaches. However, simply adding multifactor authentication — especially with remote workers — doesn’t decrease or remove the risk of password theft. Because remote workers are often logging in from personal devices and on unsecured networks, the likelihood that someone can bypass MFA increases.

Does MFA keep your employees safe from password theft? Short answer: Not really. The longer version of that answer is that you can take several steps to improve the effectiveness of MFA with remote security.

Here are 5 ways to keep your employees’ personal details safe while they work at home:

Educate employees on current attack strategies used to get around MFA. Keep your employees up to date on current strategies used by threat actors, such as the recent increase in vishing, which is phishing through phone calls instead of emails. The uptick in remote work has also led to threat actors using Zoom bombing for numerous purposes, including gaining details to use for other attacks, such as phishing. Be sure to also educate employees about social media phishing. Remote work means that pictures from a home office can share details that can be used in an attack.

Use a zero trust approach. MFA can be a part of an overall zero trust approach. Many entities use MFA as the cornerstone of digital defense. However, with zero trust, businesses increase their overall safety by checking for every device and person accessing data, apps or the network. Zero trust also allows companies to more easily scale both users and apps without a major increase in admin costs.

Consider using biometric or behavior-based multifactor authentication. Because these factors are much harder to steal or replay, they are considerably more secure than confirming identity through a code sent by text or email. While many people think of active biometrics first, such as fingerprints and facial recognition, passive and behavioral biometrics offer a higher level of security. Behavioral biometrics measure the typical patterns of a user, such as pauses in typing, keyboard pressure and mouse movements. Passive biometrics use artificial intelligence to spot when a person or a machine is attempting to mimic the user’s patterns.

Have remote employees use a Voice over Internet Protocol (VoIP) phone for MFA. Instead of relying on a physical device and SIM card, you can require employees to create a phone number tied to an email instead of using a physical device for multifactor authentication. Employees can then protect that VoIP phone number with a strong password, which provides extra protection against a targeted MFA attack. This method also reduces the likelihood of a social engineering attack.

Use a password manager. Require employees to set up a 25-character password using a password manager. Because passwords of this length are very challenging to guess, requiring a password manager can be even safer than MFA alone. By reducing the number of passwords employees set up and enter, you also reduce the risk of attacks, especially through social engineering and phishing.

Beyond Multifactor Authentication

The risk of not having MFA is still large; you just need to layer additional security on top of it. While companies should use MFA for remote work, the strategy should be part of an overall plan rather than the cornerstone. By addressing weaknesses in multifactor authentication before attackers can exploit them and working to educate employees, you can decrease the likelihood of stolen passwords for remote employees as well as those working in the office.
