
Cyber Hygiene – Phishing Resistant MFA and Complex Passwords

Author: Alec Davison

Created: Tuesday, May 2, 2023 - 18:22

Categories: Cybersecurity, Security Preparedness

Despite all the hype, many organizations that implement multifactor authentication (MFA) and complex passwords can still fall victim to cyber attacks. Multiple threat actor types are increasingly bypassing MFA controls to gain access to a victim’s network, typically through MFA push notification fatigue or by exploiting weaknesses in self-enrollment configurations. In fact, past compromises impacting Okta, Twilio, Cloudflare, and Cisco highlight the determination and success threat actors are exhibiting at gaining valid credentials, including accounts with MFA controls. Consequently, MFA solutions using text-based one-time passwords are the least secure and can be bypassed. More secure forms of MFA include, but are not limited to, hardware-based USB security keys, biometric security, or smart cards.

Additionally, while employees may have adopted longer passwords with special characters, they often simply surround a word with numbers and special characters, and such passwords can be trivially cracked within minutes. To overcome this threat, it’s recommended to not enforce regular password changes, to focus on overall password length versus complexity, and to screen passwords against commonly used dictionary words. Read more about Phishing Resistant MFA at Help Net Security or read more about complex passwords at BleepingComputer.
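The password guidance above can be enforced at the point where a password is set. The following is an added example, not code from WaterISAC or the linked articles: a screening check that applies a length floor and rejects a common word wrapped in digits and special characters, including look-alike substitutions. The wordlist, the 15-character minimum, and all function names are assumptions made for illustration.

```python
import re

# Constructed sample wordlist (assumption); production screening would load
# a large dictionary or breached-password list instead.
COMMON_WORDS = ["password", "welcome", "summer", "water", "admin"]
MIN_LENGTH = 15  # assumed policy value; the article gives no number

# Look-alike characters users swap in for letters.
LEET = {"a": "a4@", "e": "e3", "i": "i1!", "l": "l1",
        "o": "o0", "s": "s5$", "t": "t7"}


def _wrapped(word):
    """Regex: `word` (with look-alike swaps) surrounded only by non-letters."""
    body = "".join("[" + re.escape(LEET.get(c, c)) + "]" for c in word)
    return re.compile("[^a-z]*" + body + "[^a-z]*")


PATTERNS = {w: _wrapped(w) for w in COMMON_WORDS}


def matched_word(password):
    """Return the common word hiding inside the decoration, or None."""
    lowered = password.lower()
    for word, pattern in PATTERNS.items():
        if pattern.fullmatch(lowered):
            return word
    return None


def screen(password):
    """Return a list of reasons to reject; an empty list means accept."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    word = matched_word(password)
    if word:
        reasons.append(f"common word '{word}' wrapped in digits/specials")
    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd123!", "$ummer2023", "2023!!Welcome!!2023",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {screen(candidate) or 'accepted'}")
```

The check deliberately has no character-class requirement and no expiry logic, matching the recommendation to favor length and dictionary screening over complexity rules and forced rotation.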
