MFA’s Silver Bullet Was Never Enough

COMMENTARY

The unfolding story of recent attacks on prominent organizations is shaping up to be the cybersecurity equivalent of action movies. As a child, I would stare at the screen with rapt attention as the hero fought valiantly to overcome the evil of the story’s antagonist. There would be trials and tribulations, and the protagonist would invariably find a way to overcome the adversity, much to the delight of the audience.

Often that victory came in the form of an almost magical solution. In some cases, these proverbial silver bullets appeared to put an end to the vampires or werewolves. We were led to believe that silver bullets would solve our difficult situations. Unfortunately, that was never our reality.

The temptation to believe that silver bullets can solve our most difficult situations lives on in the world of modern cybersecurity. How many times have we heard that “(insert name) technology is dead!” and that another solution will emerge to solve all the ills of the security landscape?

Multi-factor authentication (MFA) seems to be a miracle cure this summer, but unfortunately there is no magic bullet for cybersecurity.

What MFA cannot do

The focus on MFA makes sense. The attacks on cloud-based data platforms that have dominated the news have largely been based on credentials, with hyperscaler Snowflake finding that compromised customer accounts lacked MFA. MFA is a solid tool for reducing risk to an organization, and Snowflake’s decision to launch features that mandate MFA was a smart move.

But MFA isn’t enough, and it never was. Even with MFA, there’s the potential for social engineering. I’ve personally received text messages that appeared to be from the CEO of a company I worked for, saying they’d lost their phone and asking me to send them an MFA token so they could log in. While this example may seem laughable to those of us with a security background, it’s been proven to work.

MFA doesn’t prevent attackers from setting up malicious Wi-Fi hotspots or using Domain Name System (DNS) spoofing to redirect users to a fake login page — two techniques used to steal MFA codes and session tokens. Have you used the coffee shop Wi-Fi lately?

The third example I’ll mention is SIM swapping, where the attacker takes control of the user’s phone number to intercept MFA codes sent via SMS. MFA isn’t always MFA: if your authentication code is sent to the same compromised device you use to access an app, there’s nothing “multiple” about it. SMS codes are a poor substitute for good security.

Beyond MFA

With so many data breaches in the news lately, we need to do better. How do security teams improve their posture and reduce risk to their organizations? The Ron Popeil method of “set it and forget it” does little to improve matters from a security perspective.

There are many steps that can be taken to protect an organization. Passkeys, for example, allow users to log into their accounts without having to remember or type passwords.
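What makes a passkey hold up against the fake login page described under “What MFA cannot do” is that the browser binds every assertion to the origin and relying-party ID it was actually made on, so a code or session captured on a lookalike site is worthless to the real service. The Go program below is an added example, not code from the original commentary or from any passkey vendor; it models that binding with a simplified WebAuthn-style exchange (ECDSA P-256, a reduced clientDataJSON), and example.com, example-login.test, the field names and the fixed challenge string are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData: the clientDataJSON fields that matter; the browser, not the page, sets Origin.
type clientData struct{ Type, Challenge, Origin string }

// assertion: RP ID hash (from authenticatorData), clientDataJSON and a P-256 signature.
type assertion struct{ rpIDHash [32]byte; clientData, sig []byte }

func newPasskey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// digest is what the authenticator signs: SHA-256(rpIdHash || SHA-256(clientDataJSON)).
func digest(rpIDHash [32]byte, cd []byte) []byte {
	h := sha256.Sum256(cd)
	d := sha256.Sum256(append(rpIDHash[:], h[:]...))
	return d[:]
}

// authenticate models the authenticator: it signs for the RP ID and origin the browser reports.
func authenticate(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(rpHash, cd))
	return assertion{rpHash, cd, sig}, err
}

// verify models the relying party: challenge, origin and RP ID must match before the signature counts.
func verify(pub *ecdsa.PublicKey, a assertion, rpID, origin, challenge string) bool {
	var cd clientData
	if json.Unmarshal(a.clientData, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != challenge || cd.Origin != origin || a.rpIDHash != sha256.Sum256([]byte(rpID)) {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest(a.rpIDHash, a.clientData), a.sig)
}

// demo: a genuine login verifies; the same passkey used on a lookalike page does not.
func demo() (genuine, phished bool) {
	priv, _ := newPasskey()
	ch := "constructed-challenge" // a real RP issues fresh random bytes per login
	g, _ := authenticate(priv, "example.com", "https://example.com", ch)
	p, _ := authenticate(priv, "example-login.test", "https://example-login.test", ch)
	return verify(&priv.PublicKey, g, "example.com", "https://example.com", ch),
		verify(&priv.PublicKey, p, "example.com", "https://example.com", ch)
}
```

The relayed assertion fails on origin and RP ID before the signature is even examined, which is the property an SMS or TOTP code typed into a fake page can never offer.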

A second step is to check the security status of the devices that connect to your organization’s resources. For example, is that laptop that connects from abroad supposed to do so? Does your organization actually have someone working from that location? Are the laptop’s software and operating system patched to the current version?

Finally, passwords are the control we often overlook in the enterprise. How are they managed? Are the passwords in use actually unique? Even with MFA in place, we’re still stuck with passwords as part of the mix. They’re not going away anytime soon. If your employees are using weak, memorable passwords because they don’t have the right tools, your organization could be at risk.

There is no miracle cure

We all want to be the hero of our own story, but the magical triumphs that crowned my favorite childhood movies simply don’t translate to the world of modern cybersecurity.

MFA is an important solution. It can certainly help. But it is certainly not the magic bullet that will save the day.