The Good, the Bad, and the Ugly About MFA
I have been in computer security for over 34 years now. Yeah, even I cannot believe how long it has been. I have been a penetration tester for over 20 of those years and worked on dozens of MFA and MFA hacking projects. But it was not until I developed a webinar for KnowBe4 called the 12 Ways to Hack MFA that I understood how many people were craving any information on MFA that they could find. It easily became my most requested webinar, and it still is. I taught it to hundreds of groups over the last two years, and I had standing-room-only crowds at both Black Hat and RSA security conferences when they were available in person. I ended up writing an e-book on it for KnowBe4 and even helped to develop a quiz tool that mimicked my brain trying to hack your favorite MFA solution. Along the journey I learned about many more ways to hack various types of MFA. I ended up putting the over 50 ways anyone can hack MFA into a Wiley book called Hacking Multifactor Authentication.
In the process of all that activity, writing, and testing, I have hacked or security reviewed over 150 MFA products. I have learned a lot. I have even learned new things I wish I had put in the book. I am going to share the most important facts that I have learned about MFA solutions over the last few years in my latest webinar on the subject, “Hacking Multifactor Authentication: An IT Pro’s Lessons Learned After Testing 150 MFA Solutions”. The first showing is March 10th at 2:00 PM ET. If you are interested in learning more about MFA, you should attend this webinar.
In the webinar, I start out by discussing all the different types of MFA, including some obscure ones that most people have probably never heard of. Then I discuss how the different types of MFA solutions can be hacked. I cover what the best types of MFA do to prevent attacks, and I cover the MFA solutions that I myself would never use if I didn’t have to. It is the good, the bad, and the ugly about MFA. I even tell you how you can pick the best MFA for yourself and your organization.
Let me share a few tidbits that I discuss in the webinar:
- How your favorite MFA solution can be hacked
- What is wrong with SMS-based MFA and why you should not use it, if you can avoid it
- The good and bad about phone-based MFA
- What makes one OTP MFA solution better than another
- What MFA standards you should look for when choosing a solution
- When you should run away from an MFA vendor
It also contains another video of uber hacker and KnowBe4’s chief hacking officer, Kevin Mitnick, bypassing a very popular web service’s MFA like it was not even there.