Multi-factor authentication (MFA) is a good way to protect online accounts, but that doesn’t mean users should let their guard down, warns a security expert.

MFA is generally stronger than a password alone because users must present two or more independent factors (something they know, something they have, or something they are) to prove their identity.

“But if someone tells you it’s unhackable, you shouldn’t rely on them,” said Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, at a recent ITWC webinar. “Most people are startled when they see how easy it is.”

Grimes said organizations should train their users to beware of potential scams, even if they’re using MFA.

How hackers get around MFA

Social engineering is responsible for 70 to 90 per cent of all data breaches, and it is no different with MFA, said Grimes. One of the most common attacks is called “network session hijacking.” In this case, hackers use phishing emails to lure users to a look-alike website that quietly relays the login to the real site. The attackers capture the credentials and, more importantly, the session token the real site issues once the password and MFA code have been accepted; replaying that token lets them take over the account without ever being prompted for a second factor themselves.
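The flow described above, reduced to a toy model, as an added example that is not part of the article and not KnowBe4 or ITWC code. The relying party, the phishing proxy and the account are all constructed for illustration; the point it shows is that the one-time code is consumed by the victim’s own login while the session token that comes back is a plain bearer secret the attacker can reuse.

```python
import hmac
import secrets


class RealService:
    """Toy relying party: password plus one-time code, then a bearer session token."""

    def __init__(self):
        # Constructed sample account; not a real credential.
        self.users = {"alice": "correct horse battery staple"}
        self.pending_otps = {}   # username -> OTP the service currently expects
        self.sessions = {}       # session token -> username

    def issue_otp(self, username):
        """Second factor. Returned directly so the toy 'victim' can type it in."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otps[username] = code
        return code

    def login(self, username, password, otp):
        """Verify both factors; on success mint a session token (the 'cookie')."""
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        if self.pending_otps.get(username) != otp:
            return None
        del self.pending_otps[username]            # OTPs are single use
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def read_mailbox(self, token):
        """Any request carrying a valid token is trusted; MFA is not re-checked."""
        username = self.sessions.get(token)
        if username is None:
            raise PermissionError("no valid session")
        return f"mailbox of {username}"


class PhishingProxy:
    """Look-alike login page. It relays the victim's input to the real service
    and records both the credentials and the session token that comes back."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.captured = []

    def login(self, username, password, otp):
        token = self.upstream.login(username, password, otp)
        self.captured.append(
            {"username": username, "password": password, "otp": otp, "token": token}
        )
        return token   # the victim sees an ordinary successful login


def run_attack():
    """Victim logs in through the phishing page; attacker reuses the captured token."""
    service = RealService()
    proxy = PhishingProxy(service)

    # The victim, having clicked the phishing link, uses the look-alike page as normal.
    otp = service.issue_otp("alice")
    victim_token = proxy.login("alice", "correct horse battery staple", otp)

    loot = proxy.captured[-1]
    stolen_token = loot["token"]

    # Replaying the captured OTP fails: it was consumed by the victim's own login.
    otp_replay = service.login(loot["username"], loot["password"], loot["otp"])

    # The session token, however, is all the attacker needs.
    attacker_view = service.read_mailbox(stolen_token)

    return {
        "victim_token_equals_stolen": victim_token == stolen_token,
        "otp_replay_works": otp_replay is not None,
        "attacker_view": attacker_view,
    }


if __name__ == "__main__":
    print(run_attack())
```

The proxy never needs to break the MFA code itself; it only needs the victim to complete the login once while the traffic passes through a server the attacker controls.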

Similarly, another popular hack is to use phishing emails to deliver malware to an endpoint. “If the computer gets compromised, it’s game over,” said Grimes. “They could do anything you can do.” Last year, one group of hackers stole $100 million this way, he added.

MFA methods that send authentication codes to phones via SMS are also vulnerable. In the “SIM swap” scam, for example, attackers first obtain the victim’s logon information through a phishing email or call, then persuade the mobile carrier to move the victim’s phone number to a SIM they control. From that point they receive the victim’s SMS verification codes and can reset the account password. “This happens thousands of times a day,” said Grimes.

Account recovery questions, such as those that ask for your mother’s maiden name, are among the worst forms of authentication. “These should be outlawed because most of the answers can be looked up,” said Grimes. “They can be guessed 20 per cent of the time or found on social profiles.”

Biometrics used for authentication are also a common target for hackers. “Your fingerprints are everywhere, and once stolen, it’s compromised for life,” Grimes said.

How to defend against MFA attacks

The first line of defence is to include MFA hacking awareness in security training for employees. Employees should learn how to spot rogue links and how to check whether a URL is legitimate.
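The kind of URL check that training asks people to do by eye, written out as an added example that is not from the article or from KnowBe4. The allowlist of trusted domains and the short multi-label suffix list are assumptions made up for the example; a production check would use the organization’s real domain list and the full Public Suffix List. It flags the usual tricks a phishing link relies on: a trusted name buried as a subdomain of an attacker domain, userinfo before an `@`, punycode or non-ASCII hosts, bare IP addresses, and non-https schemes.

```python
import ipaddress
from urllib.parse import urlsplit

# Domains the organization actually uses. Constructed for this example.
TRUSTED_DOMAINS = {"example.com", "login.example.com", "mail.example.co.uk"}

# Public suffixes that take two labels. A tiny constructed subset; a production
# check should consult the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """'a.b.example.co.uk' -> 'example.co.uk'; 'x.example.com' -> 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_url(url):
    """Return (verdict, reason); verdict is 'ok', 'suspicious' or 'invalid'."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "invalid", "URL could not be parsed"

    # Links in mail should be https; javascript:, data:, ftp: and plain http are out.
    if parts.scheme != "https":
        return "suspicious", f"scheme {parts.scheme!r} is not https"

    host = parts.hostname          # lower-cased; userinfo and port already stripped
    if not host:
        return "invalid", "URL has no host"

    # https://login.example.com@evil.example/ : the text before '@' is a username,
    # the real destination is what follows it.
    if parts.username is not None:
        return "suspicious", f"userinfo before '@' hides the real host {host!r}"

    if is_ip_literal(host):
        return "suspicious", "bare IP address instead of a hostname"

    # Internationalized hosts can look identical to trusted ones (homoglyphs).
    if host.startswith("xn--") or ".xn--" in host:
        return "suspicious", "punycode (xn--) label; possible homoglyph domain"
    if not host.isascii():
        return "suspicious", "non-ASCII host; possible homoglyph domain"

    trusted = {registrable_domain(d) for d in TRUSTED_DOMAINS}
    reg = registrable_domain(host)
    if reg in trusted:
        return "ok", f"registrable domain {reg!r} is on the allowlist"

    # example.com.evil.example: the trusted name is only a subdomain of something else.
    for name in trusted:
        if name in host:
            return "suspicious", f"trusted name {name!r} embedded in untrusted host {host!r}"

    return "suspicious", f"registrable domain {reg!r} is not on the allowlist"


if __name__ == "__main__":
    # Constructed sample links, including a made-up punycode label.
    for sample in [
        "https://login.example.com/sso",
        "https://example.com.evil.example/login",
        "https://login.example.com@evil.example/",
        "http://example.com/",
        "https://xn--exmple-cua.com/",
        "https://203.0.113.5/login",
    ]:
        print(f"{sample:45} {check_url(sample)}")
```

The decisive step is the last one: what matters is the registrable domain of the host, not whether a familiar name appears somewhere in the link. That is exactly the distinction a look-alike phishing page is built to blur.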

Although it can be difficult, users should try to avoid SMS-based MFA. If they do use it, they should avoid posting publicly the phone number they use for account recovery. People should never trust someone who calls unexpectedly or sends an unsolicited SMS verification code. They should also be suspicious if they are asked to type an SMS PIN code back into a text message, said Grimes. A legitimate code is normally entered on the website, not sent back over SMS.

As for recovery questions, “don’t answer them honestly,” said Grimes. People should deliberately use wrong answers and write them down or store them in a password manager.

The bottom line is that people have to realize that “nothing is unhackable,” Grimes said.  “You can’t throw away your brain just because you’re using multi-factor authentication.”