4 Dangers of Still Using Outdated MFA Methods


Many companies still use outdated MFA methods, posing a serious risk to information security. Although multi-factor authentication is the most effective way to strengthen the security of private data, many companies still do not give it the attention it deserves.

Multi-factor authentication is one of the most effective ways to secure business information and technical infrastructure. However, not all MFA methods work the same way, and there are four major dangers in continuing to use outdated ones.

Dangers of using outdated MFA methods

In today’s cybersecurity landscape, technology must evolve rapidly, which leaves many MFA methods behind with mediocre security. Malicious actors use a range of highly effective techniques to bypass these methods, which no longer provide real protection.

Mismanaged and stolen passwords

The vast majority of traditional MFA methods rely on passwords, which can be compromised quite easily. Many people forget their passwords and, to avoid that, reuse the same ones everywhere. Along the same lines, we tend to create easy-to-remember passwords, which are also the least secure. Additionally, people store their passwords in a document or application without any protection for easy reference, never using a password manager, for example.

Even if a strong password is created and never shared in any way, keylogger or screen-scraper malware can capture it as you type and deliver it to bad actors. It is a significant compounding risk and the main reason government agencies such as the National Institute of Standards and Technology (NIST) and the FBI warn so often against outdated MFA approaches.

Unprotected Machine Interactions

Traditional MFA is also ineffective for device sessions, and it provides no security at all for computer-to-computer sessions that occur behind a company’s firewall. Here, strong authentication is absolutely necessary to protect sessions between servers, apps, devices, and other network nodes.

One of the most common ways to address this problem is MFA based on public key infrastructure (PKI), which uses digital certificates. These certificates are exchanged at the start of a session; they authenticate the identities of the session participants in a structured way and ensure that only specific machines are granted access.

The catch is that PKI is a complicated and complex technology, and it grows more so with the total number of digital certificates to manage. Realizing the intended outcome of a PKI implementation requires a great deal of experience and, above all, the right tools.

Organizations trying to implement it may get better results by partnering with a trusted third party that specializes in PKI and digital certificate lifecycle management.

Layer verification vulnerabilities

For added security beyond passwords, two-factor authentication (2FA) requires users to authenticate their identities with a token-based approach or through an external communication channel.

Authentication factors include knowledge (the answers to security questions), possession (a one-time password on a device), or inherence (a personal attribute, such as a fingerprint). These factors are often called, respectively, “what you know”, “what you have” and “what you are”.

A simple example: after a successful password entry, the server generates another credential, such as a temporary code or an additional password, and sends it to the requesting device. These unique access codes paired with a password constitute a shared or “symmetric” secret, which is highly susceptible to discovery.
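As an added illustration (not part of the original article), the following Python implements a standard RFC 6238 time-based one-time password and shows what “shared symmetric secret” means in practice: the verifier and the user’s device hold the very same key bytes, so any copy of those bytes mints codes the verifier accepts. The seed is the RFC 6238 reference test seed, so the codes can be checked against the published test vectors.

```python
"""RFC 4226/6238 one-time passwords, to show why an OTP is a shared symmetric secret."""
import hashlib
import hmac
import struct

# RFC 6238 reference seed (ASCII "12345678901234567890"). In a real deployment
# this is provisioned to the authenticator AND stored by the server: both sides
# must hold identical bytes, which is exactly what makes it a symmetric secret.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 8, skew: int = 1) -> bool:
    """Server-side check tolerating +/-`skew` time steps of clock drift.

    Uses a constant-time comparison so the check itself leaks nothing about
    the expected code; the weakness discussed in the article is not the
    comparison but the fact that the secret exists in more than one place.
    """
    base = unix_time // step
    return any(hmac.compare_digest(hotp(secret, base + d, digits), code)
               for d in range(-skew, skew + 1))


def secret_copy_mints_valid_code(unix_time: int) -> bool:
    """Demonstrates the risk: a second copy of the same bytes is indistinguishable.

    `leaked_copy` stands for any duplicate of the seed (a backup, an exported
    authenticator database, a provisioning QR code screenshot). The verifier
    has no way to tell its codes from the legitimate device's codes.
    """
    leaked_copy = bytes(SHARED_SECRET)
    return verify_totp(SHARED_SECRET, totp(leaked_copy, unix_time), unix_time)
```

Running `totp(SHARED_SECRET, 59)` reproduces the RFC 6238 SHA-1 test vector `94287082`; `secret_copy_mints_valid_code(59)` returns `True`, which is the whole point of the article’s warning.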

Out-of-band (OOB) authentication is a kind of 2FA that requires two different communication channels, for example the internet connection and a phone call. Although these approaches complicate standard attacks, bad actors can still transfer a phone number to a device they own to receive OTPs, through techniques such as SIM swapping.

This method was used successfully in the attack on Twitter founder Jack Dorsey, where the attacker tricked a mobile carrier into transferring the phone number on Dorsey’s account to a SIM card.

2FA places the security burden on the user’s shoulders and, more often than not, the annoying extra steps it adds for users end up undermining its effectiveness.

Different social engineering tricks

Social engineering, the practice of persuading employees to act on a fake account or request that plays on emotion, is a versatile and creative tool that many cybercriminals use to defeat outdated MFA.

Through social engineering, bad actors gain access to private information: employee credentials, personally identifiable information of customers and employees, various types of accounts, chats, and so on. Employees can be tricked into transferring money to accounts that appear to belong to vendors or partners but are in fact controlled by these ill-intentioned people.

It is also possible to trick users into installing malicious apps with various capabilities, such as screen recording, on their devices. In March 2020, TrickBot appeared, a Trojan capable of recording the screen and seeing everything that happened on it, in particular messages containing one-time passwords. SMS-based one-time passwords are a thing of the past, and a dangerous one.
