By Staff Writer at LMG Security   /   Oct 15th, 2024

Strong Multifactor Authentication (MFA): The Top Security Control for Q4 2024

In an era where cyber threats evolve faster than ever, one thing is clear: not all multifactor authentication (MFA) is created equal. While MFA has long been a trusted layer of security for businesses, recent developments in attack techniques have exposed weaknesses in older, more traditional MFA methods. As a result, this quarter, we’ve chosen “Strong Multifactor Authentication (MFA)” as the top security control for Q4 2024. This blog will explore why your organization should urgently transition to more robust MFA solutions, such as hardware tokens, passkeys, and biometrics, to stay ahead of the latest threats.

The Evolution of Multifactor Authentication Threats

MFA, once considered the gold standard of authentication security, is under siege by increasingly sophisticated cybercriminals. Tactics like MFA fatigue attacks, phishing for one-time codes, and SIM swapping have proven to be effective methods for bypassing weaker MFA implementations.

In 2023, we saw an alarming rise in MFA-related breaches, according to Verizon’s 2023 Data Breach Investigations Report. Attackers are no longer content with phishing passwords alone; now they’ve figured out ways to trick users into granting access even when multifactor authentication is in place. For example, criminals often overwhelm users with constant MFA push notifications until they approve a request in a moment of frustration—also known as an MFA fatigue attack.

The methods of bypassing MFA are advancing just as quickly as the security measures themselves, which is why stronger MFA solutions have become essential.

Three Real-World Examples of MFA Bypass Attacks

Case Study 1: The Microsoft 365 Phishing Campaign

One of the most striking examples of a multifactor authentication bypass attack occurred in early 2023 when a phishing campaign targeted Microsoft 365 users. Attackers used sophisticated phishing techniques to gain access to user credentials and bypass MFA by tricking victims into entering their one-time passwords (OTPs). This breach underscored how attackers can manipulate traditional multifactor authentication mechanisms like SMS codes and app-based OTPs, which are not foolproof when users can be tricked into providing the information themselves.

According to Security Magazine, this attack highlighted the urgent need for stronger, phishing-resistant MFA methods, especially as Microsoft 365 continues to be a major target for cybercriminals looking to infiltrate businesses.

Case Study 2: The Attack on Cisco Systems

In August 2022, Cisco Systems experienced a significant attack in which hackers used voice phishing (vishing) to bypass multifactor authentication. The attackers impersonated trusted helpdesk personnel, tricking a Cisco employee into providing their credentials and MFA verification codes. By doing this, the attackers were able to gain access to Cisco’s internal network.

Once inside, the attackers exfiltrated a large amount of data and escalated their privileges across various systems. This incident highlights the vulnerability of traditional MFA mechanisms, such as phone-based verification, in the face of social engineering. It was a stark reminder that without phishing-resistant MFA, even sophisticated companies like Cisco are at risk.

Case Study 3: The Twilio and Cloudflare Incident

In 2022, both Twilio and Cloudflare experienced significant attacks where threat actors used phishing to bypass SMS-based multifactor authentication. The attackers sent convincing phishing messages to employees, requesting login credentials and the one-time passcodes (OTPs) sent via SMS. Both companies had robust security protocols in place, but SMS-based MFA was not enough to stop the attackers.

This case illustrated a major flaw in relying on SMS as a second authentication factor. SIM swapping, where attackers hijack a victim’s phone number by tricking mobile carriers, has also proven that SMS MFA is highly vulnerable to social engineering attacks. As a result, experts recommend moving away from MFA methods that rely on phone-based OTPs.

The Call for Strong MFA

As threats continue to evolve, so too must our security measures. The U.S. federal government has already mandated that all agencies adopt phishing-resistant MFA, which serves as a powerful signal that traditional MFA methods—such as SMS codes and push notifications—are no longer sufficient. The Executive Order on Improving the Nation’s Cybersecurity, issued in 2021, highlighted the need for stronger authentication methods across federal agencies, a standard that private sector organizations should follow as well.

In addition to government action, industry leaders like Microsoft have long recommended against using phone-based MFA. In their blog post, “It’s Time to Hang Up on Phone Transports for Authentication,” Microsoft explained that SMS and voice calls are too vulnerable to interception and social engineering. As a result, the focus is now on stronger MFA methods, such as passkeys, biometrics, and hardware tokens.

What is Strong MFA?

So, what exactly do we mean by “strong multifactor authentication”? Strong MFA is any authentication method that resists phishing attacks and cannot easily be bypassed or tricked. The most common types include:

  • Passkeys: Passkeys eliminate the need for traditional passwords and are resistant to phishing. They use cryptographic protocols to authenticate users without ever transmitting sensitive data like passwords over the network.
  • Biometrics: Biometrics, such as fingerprint or facial recognition, offer a unique form of identity verification. Since biometrics are based on something you “are”, they are much harder to steal or replicate than something you “know”, like a password.
  • Hardware Tokens: Devices like YubiKeys provide an extra layer of protection. These physical tokens must be present to complete the authentication process, making them a strong deterrent to attackers who can’t replicate them remotely.

The work of the FIDO Alliance is key to making these technologies widely available. FIDO2, for example, is an open standard that enables passwordless authentication through the use of strong cryptographic credentials, supported by a growing list of websites and services.

Implementing Strong MFA: Best Practices

To effectively deploy strong MFA, organizations should adopt the following best practices:

  1. Adopt Phishing-Resistant Authentication Methods. Organizations should prioritize the adoption of hardware tokens and passkeys for their employees and high-risk users. These methods are designed to resist phishing attacks and can prevent the types of breaches that we’ve seen occur with SMS and OTP-based MFA.
  2. Leverage Biometrics. Many devices, such as smartphones and laptops, now include biometric authentication as a default option. Deploying biometrics like facial recognition or fingerprints can further enhance security, especially when paired with a secondary strong factor like a hardware token.
  3. Educate and Train Staff. MFA is only as effective as the people using it. Employees need to be trained on how MFA works, why it’s important, and how they can avoid being manipulated into bypassing it. Social engineering attacks, such as MFA fatigue, rely on human error—so staff education is critical to reducing risk.

At LMG Security, we offer phishing simulations and employee awareness training to help your team stay vigilant and avoid falling victim to phishing attacks that attempt to bypass MFA. Our 10-Step Checklist for an Effective Phishing Testing Program is a great resource to help organizations fine-tune their phishing awareness efforts. Additionally, we provide comprehensive security awareness training services to ensure your team is prepared to recognize and avoid the latest phishing tactics.

  4. Follow Current Best Practices and Industry Standards. Follow guidelines from organizations like NIST, which has published extensive resources on implementing MFA in secure and compliant ways. NIST’s SP 800-63B Digital Identity Guidelines provide a framework for deploying secure authentication in various contexts.

Strong multifactor authentication isn’t just a recommendation for 2024—it’s a necessity. As cybercriminals continue to exploit weaknesses in older MFA methods, organizations must step up their defenses and invest in stronger, phishing-resistant solutions like passkeys, biometrics, and hardware tokens. By doing so, you can significantly reduce the risk of unauthorized access and stay ahead of the ever-evolving cybersecurity landscape. The time to upgrade is now—don’t wait until you’re the next headline.

Cybersecurity best practices change quickly. Please contact us if you need additional support with technical testing, advisory or compliance guidance, policy development, or training. Our team is ready to help!

About the Author

LMG Security Staff Writer
