
Hackable Versus Un-Hackable MFA

Dr. Abdulrahman Kaitoua
February 24, 2020


“Just when you thought it was safe to go back in the water” was the headline for the movie poster heralding Jaws 2 back in 1978. It is also an axiom used whenever you think you are safe but discover you aren’t. That is exactly where CISOs and their IT Security staff are now finding themselves with respect to their Multifactor Authentication (MFA) strategy.

12 Ways To Hack MFA

Yes, you read that correctly. SecureWorld recently published an article titled “12 Ways to Hack Multi-Factor Authentication” and reported:

“Kevin Mitnick is KnowBe4’s Chief Hacking Officer. And when he posted a brief YouTube video showing him hacking his way through multi-factor authentication (MFA), the marketing and PR department got blown up with questions, phone calls, and interview requests.

That was an eye-opening moment for Roger Grimes, who calls himself KnowBe4’s data-driven defense evangelist.

“At that time, most of my friends in information security even thought MFA was hard to hack,” Grimes says. “I can hack any MFA solution at least five or six different ways. And right now I’m writing my latest book on the topic, and it looks like I’ll be able to document close to 50 ways to defeat MFA.””

You can see the entire presentation and demonstration at the SecureWorld Web Conference. So this raises the question: will it ever be safe to go back into the MFA “water” again?

Can MFA Be Un-Hackable?

The short answer is yes. The longer answer depends on your approach. If you stay with traditional MFA, you will need to add more drag (i.e. 2, 3 or N levels of authorization) to create so many hurdles that cybercriminals cannot consistently crack the code through that many levels of authentication. Unfortunately, this also increases the time every one of your employees has to spend logging into their everyday systems, resulting in massive amounts of lost productivity and increased user frustration. Not to mention that users tend to forget things and still call the help desk for support.

Fortunately, the new generation of authentication solutions leverages Artificial Intelligence and Machine Learning (AIML) as well as biometrics to change the game. These new forms of MFA do not depend on data that can be gleaned through social engineering. As pointed out in a Forbes article titled “FBI Issues Surprise New Cyber Attack Warning: Multi-Factor Authentication Is Being Defeated”, the following recommendation is made:

“But according to the FBI, this use of secondary tokens or one-time codes to back-up usernames and passwords still isn’t enough. Unless companies employ “biometrics or behavioral information—such as time of day, geolocation, or IP address,” there is a risk that an attack can either trick a user into disclosing a multi-factor authentication code or use technical interception to create one for themselves.”

While biometrics are not immune to attack either, it turns out that behavioral-based authentication can deliver the immutable identity you desire.

Continuous Behavioral Authentication Is Un-Hackable

Acceptto is one of the new-generation authentication vendors delivering on the promise of an immutable identity. Being the first to deliver continuous behavioral authentication sets the bar pretty high for cyber criminals.

Acceptto’s eGuardian engine continuously creates and monitors user behavior profiles based on the user’s interaction with the It’sMe authenticator. Every time an activity occurs, actionable intelligence is gathered and used to refine the user profile. eGuardian is capable of autonomously and continually learning new policies and adapting existing ones. While policies can still be manually defined and contribute to the computation, our Biobehavioral AIML approach automatically finds the optimal policy for each transaction. eGuardian leverages a mixture of AI and ML, expert systems and SMEs to classify, detect and model behavior, and assigns real-time risk scores to continuously validate your identity before, during and after authentication.
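To make the idea of behavioral risk scoring concrete, here is an added illustration (not Acceptto's code, and not a description of how eGuardian works internally): a user profile is built from past logins, each new attempt is scored on the three signals the FBI quote names (time of day, geolocation, IP address), and a successful login is fed back into the profile so it keeps learning. The sample history, profile format, weights and thresholds are all assumptions constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample history for one user: (UTC hour, country, source IP).
# Assumed format for illustration only, not a real product's profile schema.
HISTORY = [
    (9, "US", "203.0.113.10"), (10, "US", "203.0.113.12"),
    (14, "US", "203.0.113.10"), (17, "US", "203.0.113.15"),
    (8, "US", "198.51.100.7"), (13, "US", "203.0.113.10"),
]

def build_profile(history):
    """Summarise past behaviour: hours seen, countries seen, /24 source networks."""
    profile = {"hours": set(), "countries": set(), "networks": set()}
    for event in history:
        record_login(profile, event)
    return profile

def record_login(profile, event):
    """Feed a successful login back into the profile (the 'continuous' part)."""
    hour, country, ip = event
    profile["hours"].add(hour)
    profile["countries"].add(country)
    profile["networks"].add(ip_network(f"{ip}/24", strict=False))

def risk_score(profile, attempt):
    """Score an attempt; higher means less consistent with the user's profile.
    Weights are illustrative assumptions."""
    hour, country, ip = attempt
    score = 0
    # Time of day: familiar if within one hour of a seen hour (wraps at midnight).
    if not any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in profile["hours"]):
        score += 30
    # Geolocation: a country the user has never logged in from.
    if country not in profile["countries"]:
        score += 40
    # IP address: outside every source network seen before.
    if not any(ip_address(ip) in net for net in profile["networks"]):
        score += 30
    return score

def decide(score):
    """Map a score to an action; thresholds are illustrative assumptions."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step-up"  # require an additional factor before granting access
    return "deny"
```

A one-time code does not change the outcome here: a login at 3 a.m. from an unseen country and network is denied even if the code is correct, which is the property the article argues for.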

Download Intellyx’s whitepaper, App Authentication Evolves in a World of Compromised Credentials, and then see what Acceptto can do to let your employees, partners and customers authenticate without passwords while still ensuring security and privacy by registering for a free demo today.
