While a great layer of security, attackers and red teams prove MFA isn’t 100% secure

MFA, or multi-factor authentication, is a way used to ensure that digital users are who they say they are. Consumers and organizations must provide 2 pieces of evidence to prove their identity. 

MFA is a great security measure for organizations to use. However, MFA doesn’t completely secure businesses from attackers. Bad actors can still bypass MFA to gain access to networks.

While a great layer of security, attackers and red teams prove MFA isn’t 100% secure

MFA, or multi-factor authentication, is a way used to ensure that digital users are who they say they are. Consumers and organizations must provide 2 pieces of evidence to prove their identity. 

MFA is a great security measure for organizations to use. However, MFA doesn’t completely secure businesses from attackers. Bad actors can still bypass MFA to gain access to networks.

Loopholes for Attackers

Attackers can still work around MFA using 4 different methods. For example, they can steal private keys for single sign-on (SSO) infrastructure. Then, attackers can use those keys to bypass MFA checks.

To stay secure, organizations must review their MFA infrastructure. Then, they need to identify any weaknesses. 

The popularity of MFA has risen in recent years for businesses and consumers alike. Research confirms that this layer of security is valid, too. One study from Microsoft found that accounts are 99.9% more secure with MFA. 


While a strong password is important, other security measures need to be in place. And MFA makes for an excellent addition to both consumers and organizations security.

How Secure is MFA?

Remote work over the last year has created new challenges for organizations’ security. Even with MFA, attackers have been looking for new ways to bypass this security measure. And employees working from home gives them that opportunity. 

Attackers are hunting for ways around the technology. Some discovered security failures with organizations’ MFA include: 

  • SSO portals with architectural design flaws
  • MFA not based on identity 
  • Insecure onboarding of new users 
  • Crossing channels

Requiring MFA for remote desktop access, but not for other ports or applications 

These security loopholes provide bad actors access to an organization’s system. This access can mean gaining credentials for higher-privileged users. It can also mean giving hackers access to the entire machine.

How Secure is MFA?

Remote work over the last year has created new challenges for organizations’ security. Even with MFA, attackers have been looking for new ways to bypass this security measure. And employees working from home gives them that opportunity. 

Attackers are hunting for ways around the technology. Some discovered security failures with organizations’ MFA include: 

  • SSO portals with architectural design flaws
  • MFA not based on identity 
  • Insecure onboarding of new users 
  • Crossing channels

Requiring MFA for remote desktop access, but not for other ports or applications 

These security loopholes provide bad actors access to an organization’s system. This access can mean gaining credentials for higher-privileged users. It can also mean giving hackers access to the entire machine.

MFA Solutions for Organizations

So what can organizations do? For one, they should audit their MFA infrastructure. Then, they should analyze possible vulnerabilities. Finally, organizations need to design threat models.

Threat models allow companies to understand how to identify potential threats. Then, they can define countermeasures to prevent or mitigate those threats.

As is true for most IT security measures, MFA should be one element in a broader security plan. An organization should encourage employees to have strong passwords. It’s also important to have well designed SSO portals. Organizations should also make sure the entire machine is secure across channels.

MFA Solutions for Organizations

So what can organizations do? For one, they should audit their MFA infrastructure. Then, they should analyze possible vulnerabilities. Finally, organizations need to design threat models.

Threat models allow companies to understand how to identify potential threats. Then, they can define countermeasures to prevent or mitigate those threats.

As is true for most IT security measures, MFA should be one element in a broader security plan. An organization should encourage employees to have strong passwords. It’s also important to have well designed SSO portals. Organizations should also make sure the entire machine is secure across channels.

Summary

MFA is a great layer of security for consumers and organizations alike. But organizations need to vet and test their MFA system to make sure it’s actually secure.

Summary

MFA is a great layer of security for consumers and organizations alike. But organizations need to vet and test their MFA system to make sure it’s actually secure.