Multi-factor authentication (MFA) is a core defense that is among the most effective at preventing account takeovers. In addition to requiring that users provide a username and password, MFA ensures they must also use an additional factor—be it a fingerprint, physical security key, or one-time password—before they can access an account. Nothing in this article should be construed as saying MFA isn’t anything other than essential.
That said, some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors have both successfully defeated the protection.
Enter MFA prompt bombing
The strongest forms of MFA are based on a framework called FIDO2, which was developed by a consortium of companies balancing the needs of both security and simplicity of use. It gives end users the option of using fingerprint readers or cameras built into the devices or dedicated security keys to confirm they are authorized to access an account. FIDO2 forms of MFA are relatively new, so many services for both consumers and large organizations have yet to adopt them.