Everyone in the cyber insurance industry, or trying to get cyber insurance today, knows that using multifactor authentication (MFA) is an absolute make-or-break requirement for getting a cyber insurance policy; and if you can get a policy without MFA, you will pay a hefty increased premium for the same amount of coverage.
Most cybersecurity experts and the cyber insurance industry are telling everyone to get MFA. Many cybersecurity experts say that using MFA is the single best thing an individual or organisation can do to reduce cybersecurity risk. Some nationally recognised experts and the largest trusted cyber organisations go so far as to say that MFA prevents 99% of all hacking! Sounds like a no-brainer.
My painful prediction is that the cybersecurity industry will continue to tout using MFA as the best way to reduce cybersecurity attacks and then learn, this year, that people and organisations using MFA were still hacked an awful lot. Within a year, people will learn that using any MFA is not the panacea solution that it has been touted to be. Hacking will continue nearly unabated and losses will continue to pile up as the truth becomes self-evident.
MFA is good and everyone should use it where they can to protect valuable data and systems.
Unfortunately, the insurance industry and their customers are going to learn that using ANY MFA is not going to be as helpful in reducing risk as they thought. Unfortunately, about 90% to 95% of MFA is as easily hackable as the passwords they are intended to replace. Yep, you read that right. And hackers have been bypassing most MFA for decades and the U.S. government has been telling people not to use easily phishable MFA at least since 2017. Consumers and the insurance industry are about to find out why.
MFA that is tied to telephone numbers (like SMS-based and voice-based MFA), that uses “one-time” codes, or that relies on “push-based” approvals is easily phishable. This means an attacker can use a simple social engineering attack that works just as well against those types of MFA as it does against passwords. If you’re interested in learning about the various techniques hackers use to phish MFA users, see this article for more details: https://www.linkedin.com/pulse/dont-use-easily-phishable-mfa-thats-most-roger-grimes.
Hacking easily phishable MFA is well-known in cybersecurity. It is not a theoretical risk. Weaker MFA has been hacked millions of times over the past decade. So much so that the U.S. government, in 2017, in NIST SP 800-63, said not to use it. In 2021, a clarifying follow-up memo to Presidential Executive Order 14028 (EO 14028) stated, “…systems must discontinue support for authentication methods that fail to resist phishing, such as protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.” That pretty much describes 90% to 95% of the MFA used today. In 2022, the OMB stated that “…phishing-resistant MFA is required.” Although these directives only apply to organisations under the purview of the U.S. government, the same standard should apply to every organisation and person worldwide. The risks are the same.
To be clear, consumers should use phishing-resistant MFA whenever they can. But either way, regardless of whether the MFA solution someone is using is considered easily phishable or phishing-resistant, all MFA users should be educated about the common types of attacks against their type of MFA and how to recognise, prevent, and report those attacks. We do not tell people to use passwords without some basic education. We need to do the same for MFA.
And if you are telling someone they need to use MFA, make sure to say PHISHING-RESISTANT MFA and not just any MFA. There is a world of difference. A difference that will become all too clear this year. If you’re interested in what types of MFA are considered phishing-resistant, one list that is constantly updated is: https://www.linkedin.com/pulse/my-list-good-strong-mfa-roger-grimes.