Recently, Amazon announced that it will require all privileged Amazon Web Services (AWS) accounts to use multi-factor authentication (MFA), starting in mid-2024.

Our regular readers will know that we feel that passwords alone are not adequate protection, especially not for your important accounts. So we wholeheartedly agree with Amazon on this.

Multi-factor authentication is so much more secure, and with that a lot more forgiving, than passwords alone. I would not recommend it, but writing down your password on a Post-it and sticking it on your monitor won't do an attacker any good if you have set up your MFA properly. Also not recommended, but you could even re-use your weak password on every site, as long as all those accounts were protected with the best that MFA has to offer.

The last piece of that sentence, "the best that MFA has to offer", is important. As Amazon wrote in its announcement: “We recommend that everyone adopts some form of MFA, and additionally encourage customers to consider choosing forms of MFA that are phishing-resistant, such as security keys.”

The takeaway here is that not every form of MFA is equally secure.

When given the choice, the best form of MFA is a password plus a hardware security key, but this means you'll need to buy one. Please consider doing so, since they are worth the small investment and not nearly as intimidating as they may seem. Security keys conforming to the FIDO U2F or FIDO2/WebAuthn standards are inherently resistant to the reverse proxy and man-in-the-middle phishing attacks that are reportedly on the rise right now: the key signs a challenge that is bound to the web origin the browser actually connected to, so a response produced on a look-alike phishing site does not verify at the real one, and there is no code for the victim to type into the wrong page.

If you aren't ready to take that step yet, the next best form of MFA uses an app that prompts you with a notification on your phone. Next best after that is MFA that uses a code from an authenticator app on your phone, and the least good version of MFA uses a code sent over SMS.

But even that least good version provides a good chunk of security. In 2019, Microsoft's Alex Weinert wrote that, based on Microsoft's studies, your account is more than 99.9% less likely to be compromised if you use MFA. This year (2023), Microsoft's Tom Burt blogged: “While deploying MFA is one of the easiest and most effective defenses organizations can deploy against attacks, reducing the risk of compromise by 99.2%, threat actors are increasingly taking advantage of “MFA fatigue” to bombard users with MFA notifications in the hope they will finally accept and provide access.”

So, the numbers are slightly down, mainly because cybercriminals have started to adapt and are finding ways to bypass the weakest MFA methods.

An MFA fatigue attack, aka MFA bombing or MFA spamming, is a social engineering strategy where an attacker who already has the victim's password (otherwise the second factor would never be asked for) repeatedly triggers second-factor push requests. The attacker bombards the user with requests to allow access and hopes the intended victim gets tired of the racket, or makes a mistake, and pushes the coveted “Yes, that's me” button.

Still, blocking well over 99% of account compromise attempts is no small feat, and that number will improve as more people move to the stronger forms of MFA.
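To make the security-key point concrete, here is an added example (not code from the original post, Amazon, or any FIDO vendor) that simulates, with the Python standard library only, the origin and RP ID binding that lets a FIDO2/WebAuthn key survive a reverse-proxy phishing site. The relying party origin https://accounts.example.com, the look-alike proxy origin https://accounts-example.com, and the use of an HMAC in place of the credential's real ECDSA signature are all assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "example.com"                          # assumed relying party ID
RP_ORIGIN = "https://accounts.example.com"     # assumed RP origin
PHISH_ORIGIN = "https://accounts-example.com"  # assumed look-alike proxy origin

# Stand-in for the private key sealed inside the security key. A real
# authenticator signs with ECDSA or EdDSA; an HMAC keeps this stdlib-only.
CREDENTIAL_KEY = secrets.token_bytes(32)


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(rp_id, client_data):
    """Security key: sign authenticatorData || SHA-256(clientDataJSON)."""
    auth_data = rp_id_hash(rp_id) + b"\x01"  # rpIdHash || flags (user present)
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()


def browser_get_assertion(page_origin, rp_id, challenge):
    """Browser: refuse an rpId that is not the page's host or a parent of it,
    then build clientDataJSON with the origin the page was really loaded
    from. Page script cannot override either value."""
    host = urlparse(page_origin).hostname
    if host != rp_id and not host.endswith("." + rp_id):
        raise PermissionError(f"SecurityError: rpId {rp_id!r} not valid for {host!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin}
    ).encode()
    auth_data, sig = authenticator_sign(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(challenge, client_data, auth_data, sig):
    """Relying party: return 'ok' or the name of the first check that failed."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if not hmac.compare_digest(bytes.fromhex(cd.get("challenge", "")), challenge):
        return "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return "rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "bad signature"
    return "ok"


def legitimate_login():
    challenge = secrets.token_bytes(32)
    return rp_verify(challenge, *browser_get_assertion(RP_ORIGIN, RP_ID, challenge))


def proxied_login_relaying_rp_id():
    """Proxy relays the RP's real challenge and rpId unchanged."""
    challenge = secrets.token_bytes(32)
    try:
        return rp_verify(challenge, *browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge))
    except PermissionError as e:
        return str(e)  # the browser never even asks the key


def proxied_login_rewriting_rp_id():
    """Proxy rewrites rpId to its own domain so the victim's browser cooperates."""
    challenge = secrets.token_bytes(32)
    phish_rp_id = urlparse(PHISH_ORIGIN).hostname
    return rp_verify(challenge, *browser_get_assertion(PHISH_ORIGIN, phish_rp_id, challenge))


def proxied_login_forging_client_data():
    """Proxy also rewrites the signed clientDataJSON and rpIdHash to claim the
    real origin; the signature then no longer matches what was signed."""
    challenge = secrets.token_bytes(32)
    phish_rp_id = urlparse(PHISH_ORIGIN).hostname
    client_data, auth_data, sig = browser_get_assertion(PHISH_ORIGIN, phish_rp_id, challenge)
    forged = client_data.replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    auth_data = rp_id_hash(RP_ID) + auth_data[32:]
    return rp_verify(challenge, forged, auth_data, sig)


if __name__ == "__main__":
    for fn in (legitimate_login, proxied_login_relaying_rp_id,
               proxied_login_rewriting_rp_id, proxied_login_forging_client_data):
        print(f"{fn.__name__}: {fn()}")
```

The three proxy scenarios fail at three different layers: the browser refuses to use the real site's RP ID from a foreign host, a rewritten RP ID produces the wrong origin and rpIdHash, and patching those fields breaks the signature because both are inside the signed data. Contrast this with a one-time code, which the victim can type into any page that asks for it.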
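On the defender's side, the MFA fatigue pattern described above is easy to spot in push-notification audit logs. The following added example (not code from the original post or from any MFA vendor) runs a small sliding-window detector over constructed JSON log lines; the field names, the ten-minute window and the threshold of five unanswered prompts are assumptions, not any product's schema or default.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

WINDOW_SECONDS = 600  # assumed: look back ten minutes
THRESHOLD = 5         # assumed: this many denied/timed-out pushes is a burst

# Constructed sample log, loosely modelled on a push-MFA provider's JSON
# audit log. Field names are assumptions. "bob" is being bombed and finally
# approves; "alice" and "carol" are normal.
SAMPLE_LOG = """
{"ts":"2023-11-20T08:00:01Z","user":"alice","event":"push","result":"approved","src_ip":"203.0.113.10"}
{"ts":"2023-11-20T22:14:03Z","user":"bob","event":"push","result":"denied","src_ip":"198.51.100.7"}
{"ts":"2023-11-20T22:14:41Z","user":"bob","event":"push","result":"timeout","src_ip":"198.51.100.7"}
{"ts":"2023-11-20T22:15:20Z","user":"bob","event":"push","result":"denied","src_ip":"198.51.100.7"}
{"ts":"2023-11-20T22:16:02Z","user":"bob","event":"push","result":"timeout","src_ip":"198.51.100.7"}
{"ts":"2023-11-20T22:16:45Z","user":"bob","event":"push","result":"denied","src_ip":"198.51.100.7"}
{"ts":"2023-11-20T22:17:30Z","user":"bob","event":"push","result":"timeout","src_ip":"198.51.100.7"}
{"ts":"2023-11-20T22:19:55Z","user":"bob","event":"push","result":"approved","src_ip":"198.51.100.7"}
{"ts":"2023-11-20T22:30:00Z","user":"carol","event":"push","result":"denied","src_ip":"192.0.2.44"}
{"ts":"2023-11-20T22:50:00Z","user":"carol","event":"push","result":"denied","src_ip":"192.0.2.44"}
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_mfa_fatigue(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return alerts for users whose denied/timed-out pushes exceed the
    threshold inside the window, and for approvals that follow such a burst.
    Log lines must be in time order, as an audit export normally is."""
    recent = defaultdict(deque)  # user -> timestamps of unanswered pushes in window
    alerted = set()              # users already flagged for the current burst
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("event") != "push":
            continue
        user, ts = ev["user"], parse_ts(ev["ts"])
        q = recent[user]
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if not q:
            alerted.discard(user)  # burst over; allow a fresh alert later
        if ev["result"] in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in alerted:
                alerted.add(user)
                alerts.append({"user": user, "kind": "fatigue_in_progress",
                               "count": len(q), "ts": ev["ts"], "src_ip": ev.get("src_ip")})
        elif ev["result"] == "approved" and len(q) >= threshold:
            # The dangerous outcome: the victim gave in after a burst.
            alerts.append({"user": user, "kind": "fatigue_likely_succeeded",
                           "count": len(q), "ts": ev["ts"], "src_ip": ev.get("src_ip")})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

The first alert fires while the bombing is still going, which is the moment to block the source IP and reset the password that the attacker evidently already holds; the second fires on the approval and should be treated as a confirmed compromise, not a successful login. Number matching in the push app, or a security key, removes the "just tap Yes" option that this attack depends on.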