An article today by TechRadar about a new Phishing-as-a-Service with MFA bypass as a key selling point reminded me of something from a few years back. I was at a security event, attending a presentation by a reputable cyber security firm on social engineering.
Towards the end of the presentation they began summarising some great practical advice for defence but then went on to say something that I found pretty shocking:
“Enable MFA, it’s the silver bullet for phishing”.
Not only was this unusual language – anyone in security knows that there are no absolutes (just ask Bitfi, who realised that claiming their product was ‘unhackable’ was just a red rag to a bull) – I was already aware of several reports of techniques and services available for circumventing the protection afforded by MFA.
(Also, in my head the only Silver Bullet worth anything is the group that made the song 20 Seconds to Comply)
MFA is good
Now don’t get me wrong, MFA is a great layer of security for any application or system that supports it, and you should definitely enable it where possible. But it is just that, a layer of defence – it can never be The Solution, because there will never be ‘one solution’ to all threats (despite what vendors selling all singing, all dancing, AI-powered, glow-in-the-dark solutions may tell you).
The article by TechRadar is another reminder that to secure your organisation, you can’t just flick a switch, enable a feature or buy a bit of kit/software.
Starting with a risk-based approach to what you need to protect, modelling the threats to it, and then designing a layered defence/mitigation strategy – which is regularly reviewed – is the only way to get a solid, evolving and layered defence strategy in place.