MFA - Why Your Second Factor Might Be as Weak as Your First!

Written by Louise Ralston
Nov 5, 2024 - 7 minute read

Why phishing-resistant MFA is crucial for modern cybersecurity and how to choose the best MFA to defend against phishing attacks and protect sensitive data.

When it comes to multi-factor authentication (MFA), it’s safe to say that not all MFA is created equal. We’re here to help you navigate the MFA maze and choose the best phishing-resistant MFA to protect against today’s sneakiest phishing attacks. Let’s dive into why having MFA is essential.

Why Your Basic MFA Might Be Letting You Down

It’s no secret that we’re huge fans of multi-factor authentication. Call it 2-step verification (2SV) or two-factor authentication (2FA)—this security hero protects against a whole host of common attacks on user accounts. Back in 2018, the National Cyber Security Centre (NCSC) cybersecurity guidance came with a loud call to action: every organisation needed to roll out 2FA on any part of their corporate IT that connects to the internet. The goal? Simple: make it more challenging for attackers to break in.

Then, along came the cloud. As organisations moved their digital services online, these cloud-based setups opened more doors for potential threats and cyberattacks. That’s when the NCSC urged everyone to get serious by layering in phishing-resistant MFA. Fast forward to today, and we still see significant data breaches that could’ve been avoided with mandatory MFA.

Attackers Are Getting Smarter, So Should Your MFA

MFA still makes a huge difference compared to relying solely on passwords. But here’s the twist: attackers have been evolving too. They’ve learned that a well-timed social engineering attack can trick users into not only giving up passwords but also bypassing some basic MFA protections. This rise in phishing attacks on MFA-protected accounts is why the NCSC has updated their  MFA guidance, and we are now following suit to help organisations spot which types of MFA will hold up against modern phishing techniques. It’s all about choosing the right kind of armour.

Phishing-Resistant MFA: The MVP of Modern Cybersecurity

Our updated MFA guidance during the Cyber Essential Certification process covers the strengths and weaknesses of different multi-factor authentication methods, but here’s the gist: you want phishing-resistant MFA. Strong authentication offers solid security without drowning users in constant prompts. That way, MFA doesn’t become a hassle people try to avoid (we’ve all been there). Instead, it pops up only when it’s genuinely needed—helping to avoid security fatigue.

For example, the NCSC now requires phishing-resistant MFA to access single sign-on service for corporate accounts as part of the Cyber Essentials Assessment criteria. Thanks to mobile device management (MDM),  phones and laptops automatically act as vital MFA factors, meaning users don’t face unnecessary login hoops. It’s secure multi-factor authentication without the stress.

Avoid These Common MFA Pitfalls

Our guidance also includes a list of MFA anti-patterns—rookie mistakes that can weaken your security. By removing these pitfalls and following best practices for MFA, you can keep your security posture strong without creating extra headaches for users. If your organisation handles sensitive data or has roles requiring elevated access, we’ve also included specific MFA recommendations to help you protect administrative privileges effectively.

Future-Proofing Your Security with Zero Trust and Passwordless Solutions

Here’s the reality check: attackers will keep coming, and authentication will remain a significant target. It’s not just about keeping the bad guys out; it’s also about making life easy for legitimate users trying to get in. As cybersecurity moves towards zero-trust architectures and passwordless solutions, more organisations are adopting these approaches to keep their defences robust and adaptive. Adding phishing-resistant MFA is one of the best ways to start future-proofing your organisation’s security.

 

So, remember: when it comes to multi-factor authentication, one size doesn’t fit all. Start with the strongest, phishing-resistant MFA options available, and your organisation will be well on its way to more secure, seamless, and innovative cybersecurity.

4o

Topics: Compliance, Business Security, Cyber Security, Information Security, Passwords, Phishing, best practise, 2MFA

author

More by Louise Ralston

Related articles
Monthly Cyber Compliance: The Hackers’ Worst Nightmare!

Stay ahead of cyber threats with monthly vulnerability assessments and penetration testing to identify and fix weaknesses, ensuring a robust and secure network.

Cybersecurity Certifications: The Key to Business Compliance and Cyber Security.

Achieve cybersecurity compliance and build customer trust with certifications like Cyber Essentials, Cyber Baseline, and Cyber Assurance. Learn why these certifications are crucial for modern businesses.

Why Stick to Annual Penetration Tests When Hackers Attack Year-Round?

Explore the crucial benefits of switching from annual to monthly penetration testing and vulnerability analysis for UK businesses. Learn how Managed Service Providers (MSPs) can effectively use monthly cyber vigilance to thwart hackers and enhance cybersecurity.