As the saying goes, malicious actors don’t break in—they log in. There’s a significant truth in that statement. Today, many organizations struggle to protect their staff from credential phishing, a challenge that’s only grown as attackers increasingly execute “MFA bypass” attacks. 

In an MFA bypass attack, threat actors use social engineering techniques to trick victims into providing their username and password on a fake website. If victims are using “legacy MFA” (such as SMS, authenticator apps, or push notifications), the attackers simply request the MFA code or trigger the push notification. If they can convince someone to reveal two pieces of information (username and password), they can likely manipulate them into sharing three (username, password, and MFA code or action). 

Make no mistake—any form of MFA is better than no MFA. But recent attacks make it clear: legacy MFA is no match for modern threats. So, what can organizations do? Sometimes a case study can answer that question.

Today, CISA and the USDA are releasing a case study that details the USDA’s deployment of FIDO capabilities to approximately 40,000 staff. While most of their staff have been issued government-standard Personal Identity Verification (PIV) smartcards, this technology is not suitable for all employees, such as seasonal staff or those working in specialized lab environments where decontamination procedures could damage standard PIV cards. This case study outlines the challenges the USDA faced, how they built their identity system, and their recommendations to other enterprises. Our personal favorite recommendation: “Always be piloting”.

FIDO authentication addresses MFA-bypass attacks by using modern cryptographic techniques built into the operating systems, phones, and browsers we already use. Single sign-on (SSO) providers and popular websites also support FIDO authentication. 


More

What is a passkey? Why Apple is betting on password-free tech

The digital realm has long struggled with the vulnerabilities inherent in password-based authentication systems. With…

Read More →

The Register: AWS is pushing ahead with MFA for privileged accounts. What that means for you.

AWS is making multi-factor authentication (MFA) mandatory for privileged users, specifically management account root users…

Read More →

IT Brew: FIDO Alliance announces identity-proofing certification

FIDO’s Face Verification Certification tests for security, liveness, and bias in remote identity verification technology…

Read More →