Multifactor authentication is not a panacea

Multifactor authentication (MFA) is still considered a secure solution for protecting e-mail accounts, bank accounts and other digital access points from hackers. But Roger A. Grimes (photo) lists a whole series of examples in his book "Hacking Multifactor Authentication" of how MFA can be leveraged without much effort. We spoke with the US security expert - and are giving away three copies of his book.

Roger A. Grimes Roger A. Grimes, US security expert and author

The trigger for the book "Hacking Multifactor Authentication" was a demo by his "friend and colleague" Kevin, Roger A. Grimes tells us in a video call from Florida. Kevin Mitnick is considered a hacker legend, who repeatedly broke into well-secured computer systems, was sentenced to prison for it, and was not allowed to use a computer for many years afterwards. And: who invented social engineering as a hacking method. 

MFA is good - but not completely secure

Have IT journalists been giving the wrong advice for years when recommending their readers to use two-step authentication as often as possible? "No, it's still good advice," Grimes explains, "but a lot of people who used MFA thought they didn't have to worry about getting hacked anymore." That, he says, is a mistake. For 30 years, he has watched hackers and malware circumvent MFA systems. His book is meant to be a counterpart of sorts, warning, "MFA is good, but it's not perfectly secure."

Some MFA systems are now so compromised that many a provider is going back to log-in and password, Grimes reports: "If passwords are strong enough and not shared, they're just as good as MFA." 

MFA locks out regular users

That's because MFA systems can also be used against users who are actually authorized: According to Grimes, crypto buyers were comparatively early adopters of MFA - but lost a lot of money in attacks. And while passwords are easy to change, this is not so easy with MFA. What's also occurring is that millions of users are no longer allowed to access their accounts because attackers have taken them over and enabled MFA to lock out the rightful holders. Also, according to Grimes, while online banks initially saw a decrease in attacks after MFA was introduced, they then saw an increase and eventually more successful attempts than before.

Still, he doesn't want to condemn MFA, the expert emphasizes: "In 90 to 95 percent of applications, it works great." Only the "perceived security" of many users is deceptive. Phishing attacks are still a danger when MFA is used, he says. "About 90 percent of MFA systems can be leveraged with it," explains the author, who has been involved in IT security for 34 years and spent 11 years working on Windows security at Microsoft. 

"My MFA hacking talk is the most successful of my career," Grimes reveals. "You should see the faces in the audience when I show them how easy it is to get past MFA with a Kevin Mitnick phishing email. They're shocked - and these are IT pros!" 

Grimes, on the other hand, is focusing on education and training employees. For example, not giving his pin codes to strangers over the phone and becoming easy victims.

Vulnerable to ransomware attacks

"MFA systems have been compromised over ten million times," Grimes is certain. One of the most successful methods in Germany continues to be 

  • simple phishing e-mails,  
  • the infiltration of malware through security holes in unpatched software, and

  • the encryption of data via ransomware followed by extortion.

"MFA can't do much about any of that," Grimes explains, "five to 10 percent of the time at most." MFA is thus "the wrong solution to the ransomware problem."

Even noted security expert Bruce Schneier warns, "Like all security techniques, MFA is not a panacea." Grimes calls MFA hacking book a "thoughtful demonstration."

In it, Grimes also explains in detail how attacks on MFA systems work - and how IT administrators can defend against them. "Anyone who tells you that MFA can't be hacked is either naive or trying to sell you something," he warns. 

Text: Helge Denker


Conditions of participation

By participating in the prize draw, you accept these conditions of participation:

The organizer of the raffle is ERGO Group AG, ERGO-Platz 1, 40198 Düsseldorf, Germany.

All natural persons who are at least 18 years old are eligible to participate. Excluded from participation are all employees of ERGO Group AG and its subsidiaries, their relatives and all persons involved in the conception and implementation of the prize draw.

Participation is free of charge and independent of the purchase of goods or services from the organizer. Multiple participation is not permitted and cash payment of the prize is not possible. ERGO is not responsible for messages submitted late or lost due to Internet delays or malfunctions, for problems or technical malfunctions with telephone, broadband or other networks, or for messages not arriving.

The respective winners will be notified by ERGO by e-mail. In this e-mail, the winners will be asked for a shipping address. If a winner does not get back to ERGO within three weeks, the claim to the prize will be forfeited. The prize will be sent by post to the address provided by the winner. The participant is responsible for the correctness of the address provided. 

Personal data such as first and last names, e-mail addresses and postal addresses will be used by ERGO exclusively for the purpose of the prize draw, to notify the winners and to send the books. This data will be treated as strictly confidential. The personal data used as part of the prize draw will be deleted immediately after the winners have been notified and the prizes have been handed over. The personal data used in the raffle will not be used for advertising purposes. 

The legal process is excluded.

Most popular