Without FIDO2, MFA Falls Short

[MuzzMelbourne]

Remember when multifactor authentication (MFA) gave security professionals that nice, warm feeling that their data and users were protected? Those days are over. Traditional approaches to MFA don't cut it anymore, as attackers have developed effective workarounds for cracking that door wide open. For proof, consider last year's headline-grabbing breaches at Okta, Uber, and Cisco, just to name a few. A better approach is urgently needed — and it starts with the FIDO2 user authentication specifications.

Without FIDO2, MFA Falls Short

The open authentication standard addresses existing multifactor authentication security vulnerabilities.

www.darkreading.com

 

[ForgottenSeer 98186]

Traditional approaches to MFA don't cut it anymore, as attackers have developed effective workarounds for cracking that door wide open. For proof, consider last year's headline-grabbing breaches at Okta, Uber, and Cisco, just to name a few.

A hack of Authy (which further lead to a hack of Okta, Lastpass, et al) due to a subcontractor losing control of their weakly-protected laptop is not a "workaround" by threat actors. Even with the benefit of the Authy subcontractor's laptop, it was not trivial after they gained access to the Authy backend. Anyway... the article makes some good points, the most important of which are:

1. FIDO2 key costs
2. People are the Point of Failure