And FIDO is supported on dozens of online services. They’ve been able to bake FIDO protocols into the operating systems, browsers, phones, and tablets that you already own. Luckily a group of companies formed the FIDO Alliance to create a phishing-resistant form of MFA. That’s still true, but we’ve also known that at some point “traditional MFA” would become “legacy MFA” and need to be reassessed or even replaced. We’ve known for years that any form of MFA is better than no MFA. When dedicated, human adversaries spend enough time and effort trying to trick us, someone in your organization will eventually fall for the ruse. Credential phishing is a sad fact of life.
Unfortunately, we expect to see more and more such compromises. In fact, there are widely available “MFA bypass toolkits” that reduce the cost of attack. These compromises surprised some observers, but really, it was only a matter of time. Recent attacksĮven with MFA enabled, however, there have been several high-profile compromises over the past couple of years where attackers were able to bypass traditional forms of MFA, such as SMS texts, authenticator apps, or push notifications. More significant is their report that only about 1/3 of the system administrators of those organizations use MFA. And while we celebrate and encourage industry leadership in MFA adoption, we can still do more.įor example, one top vendor reports that only about a quarter of their enterprise customers have enrolled in MFA. This is a big win, and others should follow suit. For example, there are a growing number of online services that are now mandating MFA for their enterprise customers. While much of our focus this October has been on individuals, when it comes to MFA, technology providers should really be out front here, leading by example, and it’s been great to see some of the industry trendsetters leaning forward on MFA adoption. We’re all in this together – in fact, last year President Biden directed all federal agencies to focus on adopting MFA and we’re hard at work driving improvements across the government toward this goal. As I’ve been traveling the country this Cybersecurity Awareness Month, encouraging Americans to take action to stay safe online, this is my biggest ask: Enable MFA on your email account, your bank account, your social media accounts, and really anything with data that you care about protecting. Many of us know that enabling multi-factor authentication is the single most important thing Americans can do to stay safe online. If you follow Twitter, you know how passionately we’ve been advocating for everyone to use MORE THAN A PASSWORD!
0 kommentar(er)
