We at PCMag frequently exhort our readers to enable multi-factor authentication (MFA) whenever it’s available. Without MFA, any schmoe who steals, hacks, or guesses your password can access the related account. When MFA is engaged, the password isn’t enough. Getting into the account also requires another factor, like a fingerprint or a security key.
For your personal accounts, MFA is usually optional, but businesses can require it for access to their internal systems. More companies than ever support MFA, yet 2022 was a terrible year for data breaches. Did MFA fail us?
A presentation at the RSA Conference in San Francisco explored this topic in detail, using prominent examples of data breaches involving MFA. The presenter, Dave Taku, is the Senior Director for Product Management and User Interface at RSA Security, a company whose business includes providing MFA to businesses. (Note that RSA Security is not directly connected with the RSA Conference.)
Taku led by noting that according to one survey, 78% of organizations were using MFA in 2022, up from 28% in 2017. So why are successful attacks on the rise? He presented a quote from author and philosopher Aldous Huxley for the audience’s consideration: “There is a law of Reversed Effort. The harder we try with the conscious will to do something, the less we shall succeed.”
“Is that what we’re facing? The harder we try with MFA, the less successful we’re becoming at it?” said Taku. “I would argue that in this particular case, maybe that law doesn’t apply. It’s not because MFA is becoming less effective, it’s because the attack surface is increasing.”
Taku discussed three specific attacks involving three different vectors: MFA configuration, the MFA provider, and the MFA