Why Legacy MFA is DOA

Multi-Factor Authentication (MFA) has long been heralded as a cornerstone of secure digital practices. However, the traditional forms of MFA, now often referred to as “legacy MFA,” are increasingly seen as outdated and inadequate in the face of evolving cyber threats. This article explores why legacy MFA is considered Dead on Arrival (DOA) in today’s cybersecurity landscape.

The Evolution of Cyber Threats

The cyber threat landscape has dramatically evolved over the past few years. Cybercriminals have become more sophisticated, employing advanced tactics such as phishing, social engineering, and man-in-the-middle attacks to circumvent traditional security measures. Legacy MFA, which often relies on something you know (like a password) and something you have (like a text message code or authentication app), is no longer sufficient to thwart these advanced attacks. 90% of ransomware attacks occur using user credentials, and the vast majority of those now include a legacy MFA hack as well.

The Limitations of Legacy MFA

The overriding limitation to legacy MFA is the human in the middle. A human is given a code or an app to click to verify it’s them. But humans are easy to trick into doing that action (or giving the code away) to a trusted party. Not every human…but if you have 1000 employees I can get perhaps 10% to give up their code or tap an app to stop it from bugging me. But. Don’t need 10%, or even 1%. I need 0.1% and I am in. Can anyone guarantee to train their employees so well that not even 0.1% would fail the test? You know the answer already.

Roger Grimes (KnowB4) famously published the 11 ways all legacy MFA is compromised by bad actors today:

1. SMS-based man-in-the-middle attacks
2. Supply chain attacks
3. Compromised MFA authentication workflow bypass
4. Pass-the-cookie attacks
5. Server-side forgeries
6. Social Engineering
7. Stolen Phones
8. Human hand-over of SMS or other codes
9. Simple SMS text duplicate receive system
10. Stolen random number seeds
11. MFA fatigue attacks

USB keys also have serious issues which compromise their effectiveness:

1. Not secure or convenient
2. Easily hacked, easily stolen, easily left at home
3. Unsure who has possession at any time
4. Fake ones exist en masse
5. USB ports are the #1 security threat from rogue memory sticks with malware to rapid data theft
6. Open USB ports are not allowed for many government computer or most secure enterprises
7. USB keys are not allowed to be used by most USGOV agencies

And finally, tokens, such as codes which change every 20 seconds still have the human in the middle who can and will share a code with a bad actor unknowingly.

Legacy MFA methods, such as SMS-based authentication, are highly susceptible to phishing attacks. Cybercriminals can easily trick users into revealing their authentication codes through fake websites or emails. Once the code is obtained, attackers can gain access to the user’s account, rendering the MFA process ineffective.

Another significant vulnerability of SMS-based MFA is SIM swapping. In this type of attack, a cybercriminal convinces a mobile carrier to transfer the victim’s phone number to a new SIM card. Once the transfer is complete, the attacker receives all SMS messages intended for the victim, including authentication codes. This bypasses the MFA protection entirely.

As these well-known methods demonstrate, hackers easily gain access to accounts today knowing that a user will have legacy MFA that is now all too easy to get past.

The Rise of Next generation MFA Solutions

To address the shortcomings of legacy MFA, modern MFA solutions have emerged, leveraging advanced technologies and context-aware mechanisms to provide robust security.

Biometric authentication, such as fingerprint, facial recognition, and iris scans, offers a substantially higher level of security than traditional methods. Biometrics are unique to each individual and are difficult to replicate, making it much harder for attackers to bypass. Moreover, FIDO2 biometric devices keep the human out of the picture – meaning there is no code to hand over, no second app to click.

A wearable biometric authenticator guarantees that the wearer is the actual approved user. And in the case of a social engineering hack, the user would have no code to provide since a biometric device should ideally have no user readout. Nothing to hand over to a bad actor. And wearables are convenient and easy to use.

AI generated phishing attacks and MFA fatigue attacks do not thwart next generation MFA and only reinforce the need for immediate change.

With the rise of AI generated deepfakes, we are entering a world where that person you see and hear on Zoom or Teams may or may not be your actual boss. Next generation biometric MFA will become standard issue to be sure that the people on the call ARE who they say they are, and a wearable device locked to one’s fingerprint (for example) will be required to continue the conversation. Since image and voice will not be enough to guarantee identity.

The Future of MFA

The future of MFA lies in embracing these modern biometric solutions and moving away from outdated, vulnerable methods. Organizations must adopt a proactive approach to cybersecurity, implementing MFA solutions that are resilient against evolving threats. This involves not only upgrading technology but also educating users on the importance of robust authentication practices.

Next generation MFA is a critical component of the Zero Trust security model, which operates on the principle of “never trust, always verify.” In a Zero Trust architecture, continuous verification is required for all users, devices, and applications, ensuring that only authorized entities can access sensitive resources. By integrating next gen MFA into a Zero Trust framework, organizations can significantly enhance their security posture.

While security is paramount, user experience should not be overlooked. Next generation MFA solutions must strike a balance between robust security and user convenience. Biometric wearable authentication is an example of technology that provides high security without compromising user experience. As these technologies continue to evolve, they will become more seamless and user-friendly.

Conclusion

Legacy MFA is indeed DOA in the face of today’s sophisticated cyber threats. Every hour a major ransomware attack occurs by hacking legacy MFA. Bad actors see it no more than a minor (and fun to exploit) roadblock. The vulnerabilities inherent in traditional MFA methods necessitate a shift towards more advanced, resilient authentication solutions. By adopting next generation MFA technologies, organizations can better protect their digital assets, maintain user trust, and stay ahead of cybercriminals. The future of MFA is here, and it’s time to embrace it.

About the Author

Kevin Surace is Chair of Token, delivering the next generation of multi-factor authentication that is invulnerable to social engineering, malware, and tampering for organizations where breaches, data loss, and ransomware must be prevented. He is passionate about the power of AI to revolutionize businesses and drive innovation. With a track record of success in building billion-dollar ventures, he has harnessed his expertise as a speaker, consultant, and thought leader to help companies navigate the dynamic landscape of AI-driven transformation. Kevin can be reached online at LinkedIn or X and at our company website https://www.tokenring.com/.