As the saying goes, malicious actors don’t break in—they log in. There’s a significant truth in that statement. Today, many organizations struggle to protect their staff from credential phishing, a challenge that’s only grown as attackers increasingly execute “MFA bypass” attacks. 

In an MFA bypass attack, threat actors use social engineering techniques to trick victims into providing their username and password on a fake website. If victims are using “legacy MFA” (such as SMS, authenticator apps, or push notifications), the attackers simply request the MFA code or trigger the push notification. If they can convince someone to reveal two pieces of information (username and password), they can likely manipulate them into sharing three (username, password, and MFA code or action). 

Make no mistake—any form of MFA is better than no MFA. But recent attacks make it clear: legacy MFA is no match for modern threats. So, what can organizations do? Sometimes a case study can answer that question.

Today, CISA and the USDA are releasing a case study that details the USDA’s deployment of FIDO capabilities to approximately 40,000 staff. While most of their staff have been issued government-standard Personal Identity Verification (PIV) smartcards, this technology is not suitable for all employees, such as seasonal staff or those working in specialized lab environments where decontamination procedures could damage standard PIV cards. This case study outlines the challenges the USDA faced, how they built their identity system, and their recommendations to other enterprises. Our personal favorite recommendation: “Always be piloting”.

FIDO authentication addresses MFA-bypass attacks by using modern cryptographic techniques built into the operating systems, phones, and browsers we already use. Single sign-on (SSO) providers and popular websites also support FIDO authentication. 


More

Yuno Rolls Out Mastercard Payment Passkey in Latin America to Combat Fraud and Streamline Checkouts

Global payments orchestrator Yuno is launching the Mastercard Payment Passkey Service across Latin America, enabling merchants in the region…

Read More →

Goodbye to manual card entry: Mastercard reveals when the new era of one-click online payments begins

Changes are on the way for online shopping and e-commerce. The traditional way of paying for…

Read More →

MobileIDWorld: Passkey Adoption Surges 550% in 2024 as Bitwarden Reports 1.1M New Implementations

The adoption of passkeys in digital authentication has shown significant growth throughout 2024, building on…

Read More →


123260 Next