Despite the growing levels of global cyber threats, roll-out of even basic multi-factor authentication (MFA) remains a low-level priority for many organizations. And, with new techniques such as prompt bombing being used to beat older versions of MFA, it is more critical than ever that organizations implement robust authentication solutions to protect their customers.
According to the 2022 Cyberthreat Defence Report, more than 43% of the 1 200 surveyed global IT decision makers said they had not yet deployed even basic MFA. What’s more, while there had been a healthy 7% increase in MFA uptake in the previous year, a further 11.4% said they had no intention of deploying the security technology in the next 12 months.
More than 43% of decision makers reported that their organizations have not deployed MFA.
For now, many organizations find themselves in a comfort zone regarding their authentication technology, yet this will not last. Logging in to a website or service using a username and password remains the favored method of numerous organizations. This is due to a combination of complacency, misunderstanding regarding the perceived complexities of introducing MFA and an attempt to avoid any inconvenience.
Prompt bombing – the new digital security threat on the block
While the rapid increase in remote working has accelerated MFA adoption from some companies, the numbers are still far too low when viewed in relation to the actual threat level. And, in the wake of new threats such as prompt bombing, companies must take action or they could face more than just the reputational damage of a data breach.
MFA prompt bombing first surfaced around 24 months ago, largely in response to the rise in well-known MFA techniques such as mobile push notifications being employed. We know that hackers continuously evolve the way they intercept data and gain access to our accounts and, as more of us moved away from traditional username and password and towards basic MFA, they also had to adapt. For countries that haven’t experienced prompt bombing attacks at scale, it is simply a matter of time.
These methods include: sending a flurry of MFA requests in the hope that the user will grant access to make them stop; sending one or two requests each day in a more subtle attempt to gain access; calling users and pretending to be from a service provider and duping them into granting access via a similar MFA process.
FIDO2 and passwordless authentication could hold the key
One way to avoid these prompt bombing attacks is to adopt the FIDO2 passwordless authentication framework which requires that the device in the user’s possession is authenticated through an embedded key which can be unlocked, usually though biometrics.
FIDO2 comes with a number of benefits over and above its significantly better security levels. The framework is platform-agnostic, offering a more efficient authentication process without the need for passwords for account access or online payments. It is also impervious to man-in-the-middle and other related attacks while still allowing users to authenticate themselves across channels and devices at a moment’s notice. A big challenge facing companies relying on in-app or push-authentication is that there is always a small portion of customers who don’t have, or want, their apps. FIDO2 offers a workaround for this, while also offering advanced protection for companies choosing not to make use of apps. Moreover, it offers a better user experience at a lower operating cost.
A growing risk to company data
While prompt bombing may not be a major part of the mainstream threat playbook in certain countries, organizations still have their hands full when it comes to protecting their data. Account takeover fraud such as SIM-swap fraud is a real concern at the moment. In this instance fraudsters use a combination of social engineering tactics to gather relevant personal information. They then use this to get the victim’s phone number ported to one of their SIM cards, enabling them to intercept important authentication messages and OTPs.
Man-in-the-middle attacks are another big risk, occurring when fraudsters create dummy web pages which look like legitimate websites. Users are tricked into visiting these through emails and text messages posing as a service provider. When the user inputs their normal login details, the fraudsters gain access to their details and quickly empty accounts or steal sensitive information.
Not all MFA solutions are created equal. Opting for the most basic version is no longer good enough.
There is an onus on the user to inform themselves about new threats and to remain vigilant in protecting themselves against them, but we really should be demanding better protection of our data from the institutions we support. Organizations can no longer rely on outdated or weak MFA mechanisms for protection – especially if it’s just a password and SMS OTP option. It’s essential that authentication is implemented that embraces the full context of the user and their connection. This includes the channel the user is on and even context about the customer themselves, their devices and their unique characteristics.
It’s clear that not all MFA is created equal and opting for the most basic version is simply no longer good enough.
Get in touch with us to explore the best authentication solution for your organization based on your priorities and your customers’ preferences.