Not All Multi-Factor Authentication Solutions Are Created Equal


In discussions about cybersecurity, you tend to hear the phrase “Multi-Factor Authentication (MFA) stops 99% of all attacks” quite a lot. However, the assertion that MFA can thwart nearly all attacks oversimplifies the situation at best and misleads at worst.

Indeed, while MFA has become the primary cybersecurity solution in the world of business, not all MFA solutions are created equal, and many are as susceptible to phishing and social engineering attacks as traditional passwords – so why do businesses continue to invest in them?

One explanation could be that business software packages, such as Google Workspace or Microsoft 365, come equipped with built-in two-factor authentication. Consequently, organisations might perceive investing in an additional solution as a superfluous cost.

Another factor is that many cyber insurers now insist that organisations implement MFA during the underwriting stage. Therefore, IT decision-makers might view MFA as a compliance checkbox item without thoroughly gauging the distinction between robust and weak MFA solutions.

Regardless of the reasons, it's obvious that many organisations are embracing MFA without dissecting the effectiveness of their chosen solution and its aptitude for thwarting specific attacks.

Therefore, it's time that someone outlined some of the inherent weaknesses that businesses may have missed when investing in some MFA solutions.

1. Vulnerabilities of Second-Factor Authenticators

Most MFA solutions operate on the principle that even if a user's password is compromised, accessing the account necessitates bypassing a second layer of authentication, such as an SMS code, One Time Password (OTP), or approving a push notification.

While this approach appears secure initially, these secondary authentication layers ironically offer hackers additional opportunities for attack. For instance, OTPs can be exploited by "on the fly" phishing attacks, while SMS authenticators are vulnerable to 'smishing'.

Additionally, hackers have found ways to commandeer authenticating notifications directly from the source, and the ‘human element’ of the identification lifecycle is commonly exploited to defeat push notifications through prompt bombing.

These vulnerabilities, masked by a façade of an additional layer of security, mean that tech and cyber decision-makers should reassess the genuine effectiveness of their adopted security solutions.

2. MFA solutions are vulnerable due to centralisation, even those with passkeys

What’s more, first-generation MFA solutions, which are based on OTP, QR codes and push notifications, can be bypassed by hackers. This vulnerability arises from two things: session cookies and centralisation.

During authentication, session cookies store information in the user's device browser, allowing access without constant re-authentication when interacting with the service provider. Hackers then exploit this through Adversary-in-the-Middle (AiTM) attacks, capturing authenticated session cookies on a proxy server to infiltrate user accounts without any authentication.
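The paragraph above describes why a captured session cookie is enough on its own: the server trusts the cookie without asking who is presenting it. The following added example (not code from the article or any product it mentions) shows one server-side check that narrows this gap: the session is bound at issuance to the client context it was issued to, and a cookie presented from a different context is rejected and revoked. The IP/User-Agent binding is a simplification chosen for illustration; the session store and secret are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Tuple

# Constructed server-side secret and in-memory session store for the example.
SERVER_KEY = secrets.token_bytes(32)
_sessions: Dict[str, dict] = {}  # session_id -> {"user", "binding", "issued"}


def _client_binding(ip: str, user_agent: str) -> str:
    """Keyed fingerprint of the client context a cookie is issued to."""
    material = f"{ip}|{user_agent}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()


def issue_session(user: str, ip: str, user_agent: str) -> str:
    """Issue a session cookie bound to the context seen at authentication."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {
        "user": user,
        "binding": _client_binding(ip, user_agent),
        "issued": time.time(),
    }
    return sid


def validate_session(sid: str, ip: str, user_agent: str,
                     max_age: float = 3600) -> Tuple[bool, str]:
    """Accept the cookie only from the context it was bound to.

    A cookie replayed from an attacker's proxy shows up as a binding
    mismatch; the session is revoked so the stolen value cannot be retried.
    """
    sess = _sessions.get(sid)
    if sess is None:
        return False, "unknown-session"
    if time.time() - sess["issued"] > max_age:
        _sessions.pop(sid, None)
        return False, "expired"
    if not hmac.compare_digest(sess["binding"], _client_binding(ip, user_agent)):
        _sessions.pop(sid, None)
        return False, "binding-mismatch"
    return True, sess["user"]
```

Binding to IP and User-Agent is coarse (mobile roaming and corporate NAT cause false mismatches), so real deployments bind sessions to a device-held key rather than to network attributes.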

Furthermore, recent breaches, like the Okta incident, involved the theft of session cookies from a support case management system. That system was first compromised via stolen credentials, and the stolen cookies were then used to compromise customer accounts, because centralised troubleshooting data in the wrong hands can have catastrophic consequences.

Moreover, passkeys aim to synchronise across all user devices for convenience, but their dependence on centralisation exposes vulnerabilities. Despite using public key cryptography, the fact that passkeys' security hinges on the platform's (Google, Apple, Microsoft, etc.) security makes businesses’ security as susceptible as a user's account credentials.

With this in mind, it’s worth remembering an old Basque proverb that says, “A thread usually breaks where it is thinnest”.

3. Phish-resistant, but not phish-proof

Even the highest security level offered by "phish-resistant" MFA solutions doesn't guarantee being "phish-proof." Although these solutions resist phishing attempts to a certain extent, they still depend on phishable factors during their implementation or recovery lifecycle, exposing vulnerabilities.

Many MFA solutions face a significant drawback, and this issue is especially relevant in the UK. Studies reveal that 83% of British organisations fell victim to a phishing attack last year, resulting in an average loss of £245,000 per business per attack.

This is because phishing techniques exploit various MFA solutions during the process of adding new users or devices to an account or when recovering a lost or damaged device.

For example, imagine that your colleague ‘Larry from accounts’ has misplaced the device holding his registered passkey, or has lost his FIDO2 security key. To recover his account, he has to re-identify himself as Larry, but he has to use vulnerable identification factors such as SMS, OTP, or push notifications to do so.

Alternatively, Larry may not realise that the same phishable factors such as SMS, OTP, push or passwords were used by someone else to add another FIDO2 security key to his account without his knowledge.

Distinguishing between phish-resistant and phish-proof is essential, as very few MFA solutions can genuinely claim to be the latter. Trustworthy phish-proof solutions secure the entire user identity life cycle, from registration to account termination, making it immune to even the most sophisticated and complex phishing attacks.
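The ‘Larry from accounts’ scenario and the phish-resistant versus phish-proof distinction above come down to one rule: an identity is only as strong as the weakest step in its lifecycle. The following added example (not code from the article or any product it mentions) models that rule: each lifecycle step records the factors actually verified, the overall assurance is the minimum across steps, and a policy gate refuses to add or recover authenticators on the strength of phishable factors alone. Treating "identity_proofing" as a phish-resistant factor is an assumption made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Factor classes as the article frames them. "identity_proofing" is modelled
# as phish-resistant here as an assumption for the example.
PHISHABLE = {"password", "sms", "otp", "push", "qr_code"}
PHISH_RESISTANT = {"fido2", "device_bound_passkey", "identity_proofing"}
RANK = {"none": 0, "phishable": 1, "phish-resistant": 2}


@dataclass(frozen=True)
class Event:
    op: str           # "register", "login", "add_authenticator" or "recover"
    factors: tuple    # factors actually verified for this step


def event_assurance(event: Event) -> str:
    """Strength of one step: an attacker must defeat at least one
    phish-resistant factor, otherwise the step is phishable."""
    unknown = set(event.factors) - PHISHABLE - PHISH_RESISTANT
    if unknown:
        raise ValueError(f"unclassified factor(s): {sorted(unknown)}")
    if any(f in PHISH_RESISTANT for f in event.factors):
        return "phish-resistant"
    return "phishable" if event.factors else "none"


def lifecycle_assurance(events: Iterable[Event]) -> Tuple[str, Optional[Event]]:
    """'A thread breaks where it is thinnest': the identity's assurance is
    the minimum over its steps. Returns that level and the first step that
    lowered it (None if every step was phish-resistant)."""
    worst, culprit = "phish-resistant", None
    for ev in events:
        level = event_assurance(ev)
        if RANK[level] < RANK[worst]:
            worst, culprit = level, ev
    return worst, culprit


def gate(event: Event) -> bool:
    """Policy: steps that change which authenticators exist (enrolment and
    recovery) must themselves be phish-resistant; other steps only need
    some verified factor."""
    if event.op in {"add_authenticator", "recover"}:
        return event_assurance(event) == "phish-resistant"
    return event_assurance(event) != "none"
```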

The Next Generation of MFA

I’m aware that this sounds like a very harsh critique of MFA, but I’m constantly shocked by the implementation of ‘bad MFA’ solutions when there is such a thing as ‘good MFA’. Fortunately, better solutions are available to businesses that are serious about their cybersecurity.

A new generation of MFA solutions addresses all these weaknesses by eliminating vulnerabilities and phishable factors, ensuring robust authentication throughout the identity lifecycle. These innovative solutions transcend password reliance, embracing Zero Trust Architecture (ZTA) technology rooted in principles like transitive trust, identity proofing, and adopting the W3C Web Authentication Standard.

These new principles tackle the fundamental issues behind data breaches and eliminate the threat of human error, much to the relief of ‘Larry from accounts’. It’s time for the cybersecurity industry – and the business world – to acknowledge that fully embracing zero-trust principles is imperative.

Traditional MFA methods that rely on OTPs, push notifications, and QR codes share inherent flaws with password-based cybersecurity technology and must be consigned to history. Embracing zero trust principles signifies a path toward a more secure and efficient future.

Al Lakhani, CEO of IDEE, is a recognised cyber security expert, digital identity crusader, inventor, entrepreneur, & university lecturer.
