Thought Leadership

Cybersecurity Mythbusters: Does MFA Stop 99% of Attacks?

Written By
Published On
Dec 15, 2022

Transcription

Patrick

Welcome to Cybersecurity MythBusters. I'm Patrick McBride, the CMO of Beyond Identity and I'm with our local cybersecurity expert, Dr. Jasson Casey, who is also our CTO.

Jasson

Hello. And today's question comes to us from our very own Dylan.

Patrick

"Hey Bosses! Thanks for the series! Watching along really has helped me learn a lot and makes work day go by so fast. So I heard, Microsoft said that MFA blocks 99% of cyber attacks. Is that true? Sincerely, Dylan." Dylan, that flattery's not gonna get you anywhere and I still need those reports by the end of the day. But to your question that's a pretty bold claim Microsoft made. I'm not exactly sure how to answer that one.

Jasson

I think I know who we should call. Roger Grimes.

Patrick

He would be excellent. Let me go get him.

Jasson

So we all understand username and password-based authentication and we've been taught about its weaknesses and how we have to strengthen that with multi-factor authentication, adding things like Possession, TOTP, or SMS codes. But in the last nine months, it's hard to be alive and not have read headlines about companies being breached and their MFA systems being bypassed. What's actually going on in these scenarios? Roger's gonna help us get to the bottom of this.

Patrick

Oh, hey Roger.

Roger

Hi, Patrick.

Patrick

Roger literally wrote the book, "Hacking MFA".

Jasson

Does MFA actually block 99% of attacks?

Roger

The short answer is: no. I think that statistic came because Microsoft and Google said that a certain type of MFA blocked 99% of phishing attacks that were asking for passwords. And that makes sense. If you don't have, if you're using MFA and you don't have a password, then it's a lot you know that MFA is, is gonna work but it certainly doesn't stop 99% of all attacks. It doesn't even stop 99% of phishing attacks.

So what happened is that a few companies said, "Oh, it stops 99% of a specific type of phishing attack." And somehow people started saying, "oh, it's 99% of all log on attacks," which it isn't. Or 99% of phishing attacks, which it isn't. And then you have a whole bunch of people thinking that it's 99% of attacks. And let me say that I understand the confusion because in those vendor slides they'll say, "oh it stops 99% of, you know, password phishing attacks."

But then the slide itself will say "stops 99% of all attacks." You know, so I, you know, when I complain to the vendors like, "oh, it's taken outta context," I'm like literally the sentence says, "stops 99% of all attacks." It doesn't, it never will. There's lots of stuff that MFA can't stop.

And then at increasingly, as attackers are focusing on MFA it's stopping even less attacks. One of the most common ways that a phishing attack can get around MFA is to simply send an email to a potential victim saying, "Hey, I need you to log in." You know, and the victim thinks that it's the real an email from the real brand but really it contains a rogue phishing link. And when the victim clicks on that link instead of it taking them to the website they thought it was taking them to it takes them to what's called a rogue man-in-the middle transparent proxy website.

Then it takes them to the real website. So everything, the client, the potential victim, the client, is seeing looks like the real website. They just don't know that there is this man-in-the-middle website in between and everything they type in, So their username, their password, their MFA code it's all being captured by the attacker. And after they log on in no matter what their MFA solution might be or a lot of the solutions that it may be the the website will usually send back this access control token cookie, which the attacker can get. And once they have that, it's really the keys to the kingdom, the attacker can disconnect the victim from the connection and login as the victim.

Not all MFA is susceptible to man-in-the-middle attacks but probably 90 to 95%, most of them are.

Patrick

So Roger, if MFA keeps getting bypassed, what should we do?

Roger

Well, you know, not all MFA is equal. Some of it's more resilient than others. I think number one, you need to pick a MFA solution that is phishing-resistant, and what happens there is if you get one of those man-in-the-middle phishing attacks the MFA solution just doesn't work. You know, it does, or it actually removes the man-in-the-middle attacker out of it. If you're using something like an MFA solution that's FIDO-enabled it may start out with a man-in-the-middle attacker, but then the way that FIDO works it literally pulls the man-in-the-middle website out of it so that all of a sudden the client's talking directly to the server and the server to the client. So not all MFA is equal. There's some that's better than others and that's what you should be using. Thanks so much, Patrick and Jasson. It's been fun.

Patrick

Thank you, Roger, see you later.

Jasson

So what we learned is most MFA and deployment is woefully inadequate to actually handle the current threat that we're all under today. And the best advice is to actually follow the government's guidance in establishing phishing-resistant MFA for our workforce and our customers.

Patrick

Thanks for the question, Dylan. Hope you got all of that. And thank you for joining Cybersecurity MythBusters. If you've got a question or a myth that you'd like us to bust, please send it in. We'd love to tackle it. Until next time, have a great day.

Jasson

Boom.

Patrick

That was pretty cool.

Get started with Device360 today

Cybersecurity Mythbusters: Does MFA Stop 99% of Attacks?

Download

Transcription

Patrick

Welcome to Cybersecurity MythBusters. I'm Patrick McBride, the CMO of Beyond Identity and I'm with our local cybersecurity expert, Dr. Jasson Casey, who is also our CTO.

Jasson

Hello. And today's question comes to us from our very own Dylan.

Patrick

"Hey Bosses! Thanks for the series! Watching along really has helped me learn a lot and makes work day go by so fast. So I heard, Microsoft said that MFA blocks 99% of cyber attacks. Is that true? Sincerely, Dylan." Dylan, that flattery's not gonna get you anywhere and I still need those reports by the end of the day. But to your question that's a pretty bold claim Microsoft made. I'm not exactly sure how to answer that one.

Jasson

I think I know who we should call. Roger Grimes.

Patrick

He would be excellent. Let me go get him.

Jasson

So we all understand username and password-based authentication and we've been taught about its weaknesses and how we have to strengthen that with multi-factor authentication, adding things like Possession, TOTP, or SMS codes. But in the last nine months, it's hard to be alive and not have read headlines about companies being breached and their MFA systems being bypassed. What's actually going on in these scenarios? Roger's gonna help us get to the bottom of this.

Patrick

Oh, hey Roger.

Roger

Hi, Patrick.

Patrick

Roger literally wrote the book, "Hacking MFA".

Jasson

Does MFA actually block 99% of attacks?

Roger

The short answer is: no. I think that statistic came because Microsoft and Google said that a certain type of MFA blocked 99% of phishing attacks that were asking for passwords. And that makes sense. If you don't have, if you're using MFA and you don't have a password, then it's a lot you know that MFA is, is gonna work but it certainly doesn't stop 99% of all attacks. It doesn't even stop 99% of phishing attacks.

So what happened is that a few companies said, "Oh, it stops 99% of a specific type of phishing attack." And somehow people started saying, "oh, it's 99% of all log on attacks," which it isn't. Or 99% of phishing attacks, which it isn't. And then you have a whole bunch of people thinking that it's 99% of attacks. And let me say that I understand the confusion because in those vendor slides they'll say, "oh it stops 99% of, you know, password phishing attacks."

But then the slide itself will say "stops 99% of all attacks." You know, so I, you know, when I complain to the vendors like, "oh, it's taken outta context," I'm like literally the sentence says, "stops 99% of all attacks." It doesn't, it never will. There's lots of stuff that MFA can't stop.

And then at increasingly, as attackers are focusing on MFA it's stopping even less attacks. One of the most common ways that a phishing attack can get around MFA is to simply send an email to a potential victim saying, "Hey, I need you to log in." You know, and the victim thinks that it's the real an email from the real brand but really it contains a rogue phishing link. And when the victim clicks on that link instead of it taking them to the website they thought it was taking them to it takes them to what's called a rogue man-in-the middle transparent proxy website.

Then it takes them to the real website. So everything, the client, the potential victim, the client, is seeing looks like the real website. They just don't know that there is this man-in-the-middle website in between and everything they type in, So their username, their password, their MFA code it's all being captured by the attacker. And after they log on in no matter what their MFA solution might be or a lot of the solutions that it may be the the website will usually send back this access control token cookie, which the attacker can get. And once they have that, it's really the keys to the kingdom, the attacker can disconnect the victim from the connection and login as the victim.

Not all MFA is susceptible to man-in-the-middle attacks but probably 90 to 95%, most of them are.

Patrick

So Roger, if MFA keeps getting bypassed, what should we do?

Roger

Well, you know, not all MFA is equal. Some of it's more resilient than others. I think number one, you need to pick a MFA solution that is phishing-resistant, and what happens there is if you get one of those man-in-the-middle phishing attacks the MFA solution just doesn't work. You know, it does, or it actually removes the man-in-the-middle attacker out of it. If you're using something like an MFA solution that's FIDO-enabled it may start out with a man-in-the-middle attacker, but then the way that FIDO works it literally pulls the man-in-the-middle website out of it so that all of a sudden the client's talking directly to the server and the server to the client. So not all MFA is equal. There's some that's better than others and that's what you should be using. Thanks so much, Patrick and Jasson. It's been fun.

Patrick

Thank you, Roger, see you later.

Jasson

So what we learned is most MFA and deployment is woefully inadequate to actually handle the current threat that we're all under today. And the best advice is to actually follow the government's guidance in establishing phishing-resistant MFA for our workforce and our customers.

Patrick

Thanks for the question, Dylan. Hope you got all of that. And thank you for joining Cybersecurity MythBusters. If you've got a question or a myth that you'd like us to bust, please send it in. We'd love to tackle it. Until next time, have a great day.

Jasson

Boom.

Patrick

That was pretty cool.

Cybersecurity Mythbusters: Does MFA Stop 99% of Attacks?

Phishing resistance in security solutions has become a necessity. Learn the differences between the solutions and what you need to be phishing resistant.

Transcription

Patrick

Welcome to Cybersecurity MythBusters. I'm Patrick McBride, the CMO of Beyond Identity and I'm with our local cybersecurity expert, Dr. Jasson Casey, who is also our CTO.

Jasson

Hello. And today's question comes to us from our very own Dylan.

Patrick

"Hey Bosses! Thanks for the series! Watching along really has helped me learn a lot and makes work day go by so fast. So I heard, Microsoft said that MFA blocks 99% of cyber attacks. Is that true? Sincerely, Dylan." Dylan, that flattery's not gonna get you anywhere and I still need those reports by the end of the day. But to your question that's a pretty bold claim Microsoft made. I'm not exactly sure how to answer that one.

Jasson

I think I know who we should call. Roger Grimes.

Patrick

He would be excellent. Let me go get him.

Jasson

So we all understand username and password-based authentication and we've been taught about its weaknesses and how we have to strengthen that with multi-factor authentication, adding things like Possession, TOTP, or SMS codes. But in the last nine months, it's hard to be alive and not have read headlines about companies being breached and their MFA systems being bypassed. What's actually going on in these scenarios? Roger's gonna help us get to the bottom of this.

Patrick

Oh, hey Roger.

Roger

Hi, Patrick.

Patrick

Roger literally wrote the book, "Hacking MFA".

Jasson

Does MFA actually block 99% of attacks?

Roger

The short answer is: no. I think that statistic came because Microsoft and Google said that a certain type of MFA blocked 99% of phishing attacks that were asking for passwords. And that makes sense. If you don't have, if you're using MFA and you don't have a password, then it's a lot you know that MFA is, is gonna work but it certainly doesn't stop 99% of all attacks. It doesn't even stop 99% of phishing attacks.

So what happened is that a few companies said, "Oh, it stops 99% of a specific type of phishing attack." And somehow people started saying, "oh, it's 99% of all log on attacks," which it isn't. Or 99% of phishing attacks, which it isn't. And then you have a whole bunch of people thinking that it's 99% of attacks. And let me say that I understand the confusion because in those vendor slides they'll say, "oh it stops 99% of, you know, password phishing attacks."

But then the slide itself will say "stops 99% of all attacks." You know, so I, you know, when I complain to the vendors like, "oh, it's taken outta context," I'm like literally the sentence says, "stops 99% of all attacks." It doesn't, it never will. There's lots of stuff that MFA can't stop.

And then at increasingly, as attackers are focusing on MFA it's stopping even less attacks. One of the most common ways that a phishing attack can get around MFA is to simply send an email to a potential victim saying, "Hey, I need you to log in." You know, and the victim thinks that it's the real an email from the real brand but really it contains a rogue phishing link. And when the victim clicks on that link instead of it taking them to the website they thought it was taking them to it takes them to what's called a rogue man-in-the middle transparent proxy website.

Then it takes them to the real website. So everything, the client, the potential victim, the client, is seeing looks like the real website. They just don't know that there is this man-in-the-middle website in between and everything they type in, So their username, their password, their MFA code it's all being captured by the attacker. And after they log on in no matter what their MFA solution might be or a lot of the solutions that it may be the the website will usually send back this access control token cookie, which the attacker can get. And once they have that, it's really the keys to the kingdom, the attacker can disconnect the victim from the connection and login as the victim.

Not all MFA is susceptible to man-in-the-middle attacks but probably 90 to 95%, most of them are.

Patrick

So Roger, if MFA keeps getting bypassed, what should we do?

Roger

Well, you know, not all MFA is equal. Some of it's more resilient than others. I think number one, you need to pick a MFA solution that is phishing-resistant, and what happens there is if you get one of those man-in-the-middle phishing attacks the MFA solution just doesn't work. You know, it does, or it actually removes the man-in-the-middle attacker out of it. If you're using something like an MFA solution that's FIDO-enabled it may start out with a man-in-the-middle attacker, but then the way that FIDO works it literally pulls the man-in-the-middle website out of it so that all of a sudden the client's talking directly to the server and the server to the client. So not all MFA is equal. There's some that's better than others and that's what you should be using. Thanks so much, Patrick and Jasson. It's been fun.

Patrick

Thank you, Roger, see you later.

Jasson

So what we learned is most MFA and deployment is woefully inadequate to actually handle the current threat that we're all under today. And the best advice is to actually follow the government's guidance in establishing phishing-resistant MFA for our workforce and our customers.

Patrick

Thanks for the question, Dylan. Hope you got all of that. And thank you for joining Cybersecurity MythBusters. If you've got a question or a myth that you'd like us to bust, please send it in. We'd love to tackle it. Until next time, have a great day.

Jasson

Boom.

Patrick

That was pretty cool.

Cybersecurity Mythbusters: Does MFA Stop 99% of Attacks?

Phishing resistance in security solutions has become a necessity. Learn the differences between the solutions and what you need to be phishing resistant.

Transcription

Patrick

Welcome to Cybersecurity MythBusters. I'm Patrick McBride, the CMO of Beyond Identity and I'm with our local cybersecurity expert, Dr. Jasson Casey, who is also our CTO.

Jasson

Hello. And today's question comes to us from our very own Dylan.

Patrick

"Hey Bosses! Thanks for the series! Watching along really has helped me learn a lot and makes work day go by so fast. So I heard, Microsoft said that MFA blocks 99% of cyber attacks. Is that true? Sincerely, Dylan." Dylan, that flattery's not gonna get you anywhere and I still need those reports by the end of the day. But to your question that's a pretty bold claim Microsoft made. I'm not exactly sure how to answer that one.

Jasson

I think I know who we should call. Roger Grimes.

Patrick

He would be excellent. Let me go get him.

Jasson

So we all understand username and password-based authentication and we've been taught about its weaknesses and how we have to strengthen that with multi-factor authentication, adding things like Possession, TOTP, or SMS codes. But in the last nine months, it's hard to be alive and not have read headlines about companies being breached and their MFA systems being bypassed. What's actually going on in these scenarios? Roger's gonna help us get to the bottom of this.

Patrick

Oh, hey Roger.

Roger

Hi, Patrick.

Patrick

Roger literally wrote the book, "Hacking MFA".

Jasson

Does MFA actually block 99% of attacks?

Roger

The short answer is: no. I think that statistic came because Microsoft and Google said that a certain type of MFA blocked 99% of phishing attacks that were asking for passwords. And that makes sense. If you don't have, if you're using MFA and you don't have a password, then it's a lot you know that MFA is, is gonna work but it certainly doesn't stop 99% of all attacks. It doesn't even stop 99% of phishing attacks.

So what happened is that a few companies said, "Oh, it stops 99% of a specific type of phishing attack." And somehow people started saying, "oh, it's 99% of all log on attacks," which it isn't. Or 99% of phishing attacks, which it isn't. And then you have a whole bunch of people thinking that it's 99% of attacks. And let me say that I understand the confusion because in those vendor slides they'll say, "oh it stops 99% of, you know, password phishing attacks."

But then the slide itself will say "stops 99% of all attacks." You know, so I, you know, when I complain to the vendors like, "oh, it's taken outta context," I'm like literally the sentence says, "stops 99% of all attacks." It doesn't, it never will. There's lots of stuff that MFA can't stop.

And then at increasingly, as attackers are focusing on MFA it's stopping even less attacks. One of the most common ways that a phishing attack can get around MFA is to simply send an email to a potential victim saying, "Hey, I need you to log in." You know, and the victim thinks that it's the real an email from the real brand but really it contains a rogue phishing link. And when the victim clicks on that link instead of it taking them to the website they thought it was taking them to it takes them to what's called a rogue man-in-the middle transparent proxy website.

Then it takes them to the real website. So everything, the client, the potential victim, the client, is seeing looks like the real website. They just don't know that there is this man-in-the-middle website in between and everything they type in, So their username, their password, their MFA code it's all being captured by the attacker. And after they log on in no matter what their MFA solution might be or a lot of the solutions that it may be the the website will usually send back this access control token cookie, which the attacker can get. And once they have that, it's really the keys to the kingdom, the attacker can disconnect the victim from the connection and login as the victim.

Not all MFA is susceptible to man-in-the-middle attacks but probably 90 to 95%, most of them are.

Patrick

So Roger, if MFA keeps getting bypassed, what should we do?

Roger

Well, you know, not all MFA is equal. Some of it's more resilient than others. I think number one, you need to pick a MFA solution that is phishing-resistant, and what happens there is if you get one of those man-in-the-middle phishing attacks the MFA solution just doesn't work. You know, it does, or it actually removes the man-in-the-middle attacker out of it. If you're using something like an MFA solution that's FIDO-enabled it may start out with a man-in-the-middle attacker, but then the way that FIDO works it literally pulls the man-in-the-middle website out of it so that all of a sudden the client's talking directly to the server and the server to the client. So not all MFA is equal. There's some that's better than others and that's what you should be using. Thanks so much, Patrick and Jasson. It's been fun.

Patrick

Thank you, Roger, see you later.

Jasson

So what we learned is most MFA and deployment is woefully inadequate to actually handle the current threat that we're all under today. And the best advice is to actually follow the government's guidance in establishing phishing-resistant MFA for our workforce and our customers.

Patrick

Thanks for the question, Dylan. Hope you got all of that. And thank you for joining Cybersecurity MythBusters. If you've got a question or a myth that you'd like us to bust, please send it in. We'd love to tackle it. Until next time, have a great day.

Jasson

Boom.

Patrick

That was pretty cool.

Book

Cybersecurity Mythbusters: Does MFA Stop 99% of Attacks?

Phishing resistance in security solutions has become a necessity. Learn the differences between the solutions and what you need to be phishing resistant.

Download the book

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.