Multi-factor authentication (MFA) is a core defense that is among the most effective at preventing account takeovers. In addition to requiring that users provide a username and password, MFA ensures they must also use an additional factor—be it a fingerprint, physical security key, or one-time password—before they can access an account. Nothing in this article should be construed as saying MFA isn’t anything other than essential.
That said, some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of the hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors have both successfully defeated the protection.
Enter MFA prompt bombing
The strongest forms of MFA are based on a framework called FIDO2 , which was developed by a consortium of companies balancing the needs associated with both security and simplicity regarding use. It gives end users the option of using fingerprint readers or even cameras built into the devices or dedicated security keys to confirm they are authorized in order to access an account. FIDO2 forms of MFA are relatively new , so many services for both consumers plus large organizations have yet to be able to adopt them.