The World's Best Security Services Blog | Brosnan Security

How Secure Are your Accounts?

Written by Brosnan Insight | Mar 6, 2023 10:18:48 PM

You may have seen the recent debate about Twitter’s decision to remove the text message two-factor authentication (2FA) option for all but Twitter Blue paid subscribers. While many decried the decision, SMS 2FA at login is the weakest 2FA option available and is vulnerable to attackers. By removing the option for most users, Twitter is attempting to push them toward stronger account security measures. The challenge is that millions of Twitter accounts don’t have any form of 2FA enabled.

With most breaches happening at the point of login, account security is the most important way to protect yourself and your business. We’ve put together an overview of what’s happening in the multifactor authentication (MFA) space and how to upgrade your personal and business accounts to phishing-resistant MFA.

Is Your MFA Phishing-Resistant?
Multifactor authentication (MFA) at the point of login has become a priority for businesses as cybercriminals increasingly target this weak link in application and network security. It plays such an important role in security programs that cyber insurance providers now require MFA before they will issue or renew policies.

If MFA is a new term for you, it simply means adding an additional login factor so that if a password is compromised, criminals won’t be able to access the account without the second factor. You are probably familiar with the common SMS or Voice MFA that sends a unique code to your mobile device or email.

MFA Attacks Are on the Rise
According to a recent report from Okta’s Auth0 team, cybercriminals have stepped up their attacks on MFA. These attacks are at their highest levels, with around 113 million MFA attacks logged on Okta’s network within the first 90 days of 2022.

The two most prevalent attacks against MFA are push bombing and phishing. Push bombing is when a hacker enters your stolen password into an identity platform, triggering a push notification to your mobile device. The hacker keeps generating these push notifications until you become confused or fatigued and approve one, granting access. This is the type of attack the hacker group Lapsus$ used to gain access to Microsoft, Uber and many other organizations. Phishing attacks are a form of social engineering that tricks you into disclosing login credentials. Typically, phishing uses emails, phone calls or texts that appear to come from reputable companies.
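The push-bombing pattern described above leaves a recognisable trace in an identity platform's authentication log: a burst of push prompts to one user in a short window, most of them denied or timed out, sometimes followed by a single approval. The following detection routine is an added example, not code from Brosnan or from any vendor; the log format and the sample records it parses are constructed for illustration, and the window and threshold values are assumptions a team would tune to its own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a generic "<timestamp> <user> <event>" form.
# This is not any vendor's real log format; map the fields from your own platform.
SAMPLE_LOG = """\
2023-03-06T21:00:05Z alice push_sent
2023-03-06T21:00:35Z alice push_denied
2023-03-06T21:00:36Z alice push_sent
2023-03-06T21:01:10Z alice push_timeout
2023-03-06T21:01:11Z alice push_sent
2023-03-06T21:01:40Z alice push_denied
2023-03-06T21:01:41Z alice push_sent
2023-03-06T21:02:15Z alice push_denied
2023-03-06T21:02:16Z alice push_sent
2023-03-06T21:02:50Z alice push_approved
2023-03-06T21:00:10Z bob push_sent
2023-03-06T21:00:20Z bob push_approved
2023-03-06T21:30:00Z bob push_sent
2023-03-06T21:30:12Z bob push_approved
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, user, event) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    events.sort(key=lambda e: e[0])
    return events


def detect_push_bombing(events, window_seconds=300, threshold=4):
    """Flag users who receive `threshold` or more push prompts within a sliding
    window of `window_seconds`. Both parameters are assumed starting points.

    Returns {user: {"first_push": datetime, "prompts": int,
                    "approved_after_burst": bool}}.
    `approved_after_burst` is the signal that matters most: it means the user
    eventually accepted a prompt during or after the burst, which is exactly the
    fatigue outcome the attacker is after, so that session should be reviewed.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # user -> timestamps of push_sent inside the window
    alerts = {}
    for ts, user, event in events:
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:  # drop prompts that fell out of the window
                q.popleft()
            if len(q) >= threshold and user not in alerts:
                alerts[user] = {"first_push": q[0], "prompts": len(q),
                                "approved_after_burst": False}
            elif user in alerts:
                alerts[user]["prompts"] = max(alerts[user]["prompts"], len(q))
        elif event == "push_approved" and user in alerts:
            alerts[user]["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, info in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```

On the constructed sample, alice is flagged (five prompts in under three minutes, then an approval) while bob's two widely spaced, promptly approved prompts are normal behaviour. In practice the approval that closes a burst is the event to act on: revoke that session, reset the user's factors, and treat the password as compromised, since the attacker already had it to trigger the prompts.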

The IBM 2022 Cost of Data Breach report found that data breaches in the United States cost an average of $9.44M per incident. The report also found that breaches caused by stolen or compromised login credentials took the longest time to identify and cost $150,000 more than the average incident.

Phishing-Resistant MFA Is the New Gold Standard
The SMS and Voice MFA many sites still use today is one of the most vulnerable types of MFA. A few steps up from that is MFA that uses one-time passwords (OTP), number matching or token-based OTP. This kind of MFA is resistant to push bombing but remains vulnerable to phishing, because a code the user types can be relayed to the real site just as easily as a password. With so much at stake, the US government now requires federal agencies to implement phishing-resistant MFA, and many other large organizations are following suit.

This new breed of MFA is mostly built on the FIDO/WebAuthn framework. The credential lives either on a physical security key that you connect to your device or in an authenticator built into the device itself. FIDO can incorporate various factors, including PIN codes and biometrics.
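What makes FIDO/WebAuthn phishing-resistant, and what separates it from the OTP schemes in the previous section, is that the credential is scoped to the legitimate site's domain and the signed login response includes the origin the browser was actually on. The model below is an added example written for this post, not Brosnan's code and not a real WebAuthn library; it uses an HMAC with a shared per-credential secret as a stand-in for the ECDSA key pair a real authenticator holds, and the domains `example.com` and `examp1e-login.invalid` are constructed placeholders. It contrasts an OTP typed into a look-alike page (accepted by the real server, which cannot tell where the code was typed) with a WebAuthn-style assertion requested from that same page (rejected twice over: the browser finds no credential scoped to the look-alike domain, and the server checks the origin in the signed data).

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "example.com"                           # constructed relying-party id
LEGIT_ORIGIN = "https://example.com"            # constructed legitimate origin
PHISH_ORIGIN = "https://examp1e-login.invalid"  # constructed look-alike origin


class Authenticator:
    """Simplified authenticator. Each credential is bound to one rpId; the secret
    key is an HMAC key standing in for a real authenticator's private key."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, key)
        return cred_id, key  # key goes to the server (stand-in for the public key)

    def get_assertion(self, cred_id, challenge, origin):
        rp_id, key = self._creds[cred_id]
        host = urlparse(origin).hostname
        # The browser only offers a credential when its rpId is the origin's domain
        # or a parent of it. A look-alike domain has no matching credential at all.
        if not (host == rp_id or host.endswith("." + rp_id)):
            return None
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return client_data, hmac.new(key, signed, hashlib.sha256).digest()


class RelyingParty:
    """Server side: an OTP flow and a WebAuthn-style flow for the same account."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.cred_keys, self.challenges, self.otp_codes = {}, set(), {}

    # --- OTP: the code says nothing about where it was entered -----------------
    def issue_otp(self, user):
        self.otp_codes[user] = f"{secrets.randbelow(10**6):06d}"
        return self.otp_codes[user]  # delivered to the user's phone

    def verify_otp(self, user, code):
        return hmac.compare_digest(self.otp_codes.pop(user, ""), code)

    # --- WebAuthn-style: challenge, origin and rpId are all part of the check ----
    def register_credential(self, cred_id, key):
        self.cred_keys[cred_id] = key

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def verify_assertion(self, cred_id, client_data, sig):
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get" or data.get("origin") != self.origin:
            return False  # signed origin must be ours, so a relayed assertion fails
        if data.get("challenge") not in self.challenges:
            return False  # unknown or already-used challenge (replay)
        self.challenges.discard(data["challenge"])
        signed = hashlib.sha256(self.rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        expected = hmac.new(self.cred_keys[cred_id], signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def setup():
    rp, auth = RelyingParty(RP_ID, LEGIT_ORIGIN), Authenticator()
    cred_id, key = auth.register(RP_ID)
    rp.register_credential(cred_id, key)
    return rp, auth, cred_id


def otp_login_via_lookalike_page(rp):
    """User types the OTP into the look-alike page, which forwards it unchanged."""
    code = rp.issue_otp("alice")
    return rp.verify_otp("alice", code)  # accepted: the code carries no origin


def webauthn_login_via_lookalike_page(rp, auth, cred_id):
    """Look-alike page relays the real challenge, but the browser is on PHISH_ORIGIN."""
    result = auth.get_assertion(cred_id, rp.new_challenge(), PHISH_ORIGIN)
    if result is None:
        return False  # no credential scoped to the look-alike domain
    return rp.verify_assertion(cred_id, *result)


def webauthn_login_legitimate(rp, auth, cred_id):
    result = auth.get_assertion(cred_id, rp.new_challenge(), LEGIT_ORIGIN)
    return rp.verify_assertion(cred_id, *result)


if __name__ == "__main__":
    rp, auth, cred = setup()
    print("OTP via look-alike page accepted:", otp_login_via_lookalike_page(rp))
    print("WebAuthn via look-alike page accepted:", webauthn_login_via_lookalike_page(rp, auth, cred))
    print("WebAuthn on real site accepted:", webauthn_login_legitimate(rp, auth, cred))
```

The second defence in `verify_assertion` matters even if the first were somehow bypassed: because the origin is inside the data the authenticator signed, rewriting it to `https://example.com` before relaying invalidates the signature. That is why a relayed WebAuthn login fails where a relayed OTP succeeds, and why the post treats FIDO/WebAuthn as the standard worth upgrading to.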

More cybersecurity and software vendors are adding phishing-resistant MFA every day, such as Google and Microsoft with their authenticator apps. However, some systems don't support it yet.

How to Protect Your Business
Cybercriminals continue to evolve tactics and ramp up attacks against businesses of all sizes. Phishing-resistant MFA is one of the best ways to protect your business because it shores up the most common attack surface.

When implementing or upgrading your MFA, step one is to make sure your high-value targets, like admin accounts, are protected by phishing-resistant MFA. Then, focus on rolling it out across all accounts and educating your staff on the importance of this new login process.

CISA has a helpful breakdown of the various types of MFA, their vulnerabilities, and how you can implement phishing-resistant MFA in your business.