We have multi-factor authentication (MFA) across our entire company, yet I still see reports of "MFA Fatigue" attacks and session hijacking. Is MFA still a reliable defense against data breaches, or do we need to analytically shift toward passwordless or FIDO2-based authentication?
3 answers
Traditional MFA (like SMS or push-to-accept) is no longer a silver bullet. Attackers are now using "Adversary-in-the-Middle" (AiTM) proxies to steal session cookies, bypassing the need for a second code entirely. Analytically, you need to evaluate your authentication risk. The shift toward FIDO2/WebAuthn (security keys) is the best logical move because these are "phishing-resistant." Unlike a code you type in, these create a cryptographic link between the device and the specific website. If the site is a fake, the key won't fire. For 2024, moving your high-privilege users (admins, execs) to hardware keys or platform-based biometrics is the most effective way to close the credential-abuse loophole.
Does "Passwordless" authentication actually simplify the user experience, or does it just create a new set of helpdesk tickets when people lose their physical keys?
If you stick with push-MFA, at least enable "Number Matching." It forces the user to look at the screen and type a code, which effectively kills MFA fatigue attacks overnight.
Great tip, Kevin! Number matching is a simple, high-impact logical fix that doesn't require a total infrastructure overhaul but significantly boosts your defense against social engineering.
William, it actually simplifies it if you use "Platform Authenticators" like Windows Hello or FaceID. Users don't need to carry a separate key; their laptop or phone is the key. While there is an initial setup hurdle, the reduction in "forgot password" tickets usually offsets any issues with lost hardware. From an analytical standpoint, it removes the weakest link—the human memory—from the security equation entirely.