Cyber Security

Is MFA enough to prevent credential-based data breaches in 2024?

JA Asked by James Anderson · 20-10-2023
0 upvotes 12,905 views 0 comments
The question

We have multi-factor authentication (MFA) across our entire company, yet I still see reports of "MFA Fatigue" attacks and session hijacking. Is MFA still a reliable defense against data breaches, or do we need to analytically shift toward passwordless or FIDO2-based authentication? 

3 answers

0
SA
Answered on 22-10-2023

Traditional MFA (like SMS or push-to-accept) is no longer a silver bullet. Attackers are now using "Adversary-in-the-Middle" (AiTM) proxies to steal session cookies, bypassing the need for a second code entirely. Analytically, you need to evaluate your authentication risk. The shift toward FIDO2/WebAuthn (security keys) is the best logical move because these are "phishing-resistant." Unlike a code you type in, these create a cryptographic link between the device and the specific website. If the site is a fake, the key won't fire. For 2024, moving your high-privilege users (admins, execs) to hardware keys or platform-based biometrics is the most effective way to close the credential-abuse loophole.

0
WI
Answered on 24-10-2023

Does "Passwordless" authentication actually simplify the user experience, or does it just create a new set of helpdesk tickets when people lose their physical keys?

CH 25-10-2023

William, it actually simplifies it if you use "Platform Authenticators" like Windows Hello or FaceID. Users don't need to carry a separate key; their laptop or phone is the key. While there is an initial setup hurdle, the reduction in "forgot password" tickets usually offsets any issues with lost hardware. From an analytical standpoint, it removes the weakest link—the human memory—from the security equation entirely.

0
KE
Answered on 26-10-2023

If you stick with push-MFA, at least enable "Number Matching." It forces the user to look at the screen and type a code, which effectively kills MFA fatigue attacks overnight.

J 27-10-2023

Great tip, Kevin! Number matching is a simple, high-impact logical fix that doesn't require a total infrastructure overhaul but significantly boosts your defense against social engineering.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

World globe icon Country: Canada

Book Free Session