Check Point Email Security | Blog

#BeCyberSmart: Why MFA Doesn't Solve Everything

Written by Jeremy Fuchs | October 1, 2021

October is National Cybersecurity Awareness Month. Each week has a theme. This week's theme? How to remain #CyberSmart. This blog goes into the promise—and perils—of multi-factor authentication:

According to official Microsoft guidance, multi-factor authentication can solve everything. Seriously. Microsoft notes that MFA can block "over 99.9% of account compromise attacks." Read on:

Everyone should have multi-factor authentication. It is the bare minimum of security. Without MFA, the rest of your security is irrelevant — especially in Microsoft 365 and Google Workspace.

However, MFA is not a panacea. Sure, it can block off an avenue for hackers to infiltrate. But it doesn't block off every avenue. MFA is another form of perimeter security, but the cloud has no perimeter. People often think that because they have MFA, they're immune to phishing attacks. To be clear, MFA is not designed to stop attacks that are unrelated to logins. It only secures online accounts at the perimeter, when the user logs in to gain access.

Specifically, MFA cannot stop BEC attacks, spoofed login pages, CEO impersonation or embedded malware.

Implementing MFA is great, and an essential step for all companies. Relying solely on it? Not so much. MFA does not solve the phishing problem. Attackers can automate their own login so that it happens at the same time as they capture the user's login. Instead of authenticating a login of their own, users are essentially approving the attacker's attempts to infiltrate the system. Cloud Access Trojan attacks require just one login and create a permanent backdoor.

MFA helps. But it's not perfect. It's why we've implemented a new MFA anomalies engine, which detects login operations that failed the MFA stage.
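One way to detect sign-ins that passed the password step but failed the MFA stage, as an added example that is not the vendor's engine or code from the original post. The event fields, the sample records and the severity rules are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: (timestamp, user, source IP, password_ok, mfa result).
# Field layout is an assumption, not any vendor's log schema; IPs are documentation ranges.
SAMPLE_EVENTS = [
    ("2021-10-01T08:00:00", "alice@example.com", "192.0.2.10", True, "passed"),
    ("2021-10-01T09:30:00", "alice@example.com", "192.0.2.10", True, "failed"),
    ("2021-10-01T09:31:00", "alice@example.com", "192.0.2.10", True, "passed"),
    ("2021-10-01T08:00:00", "bob@example.com", "192.0.2.20", True, "passed"),
    ("2021-10-01T09:05:00", "bob@example.com", "203.0.113.50", True, "failed"),
    ("2021-10-01T09:06:00", "bob@example.com", "203.0.113.50", True, "failed"),
    ("2021-10-01T09:07:00", "bob@example.com", "203.0.113.50", True, "passed"),
    ("2021-10-01T08:00:00", "carol@example.com", "192.0.2.30", True, "passed"),
    ("2021-10-01T10:00:00", "carol@example.com", "203.0.113.99", True, "failed"),
    ("2021-10-01T10:05:00", "dave@example.com", "203.0.113.99", False, "not_attempted"),
]


def find_mfa_anomalies(events, window=timedelta(minutes=10)):
    """Flag users whose password step succeeded but whose MFA step failed."""
    by_user = defaultdict(list)
    for ts, user, ip, password_ok, mfa in sorted(events):
        by_user[user].append((datetime.fromisoformat(ts), ip, password_ok, mfa))

    findings = {}
    for user, evs in by_user.items():
        failures = [(ts, ip) for ts, ip, ok, mfa in evs if ok and mfa == "failed"]
        if not failures:
            continue  # wrong passwords alone are not an MFA-stage failure
        passes = [(ts, ip) for ts, ip, ok, mfa in evs if mfa == "passed"]
        severity = "low"  # failure from an IP the user already passed MFA from
        for f_ts, f_ip in failures:
            if any(p_ip == f_ip and p_ts < f_ts for p_ts, p_ip in passes):
                continue  # known IP: most likely a mistyped code
            if severity == "low":
                severity = "medium"  # someone at a new IP holds a valid password
            if any(p_ip == f_ip and f_ts < p_ts <= f_ts + window for p_ts, p_ip in passes):
                severity = "high"  # the same new IP passed MFA shortly after failing
        findings[user] = {
            "failed_mfa": len(failures),
            "source_ips": sorted({ip for _, ip in failures}),
            "severity": severity,
        }
    return findings


if __name__ == "__main__":
    for user, finding in find_mfa_anomalies(SAMPLE_EVENTS).items():
        print(user, finding)
```

A "medium" finding still means the password is compromised and should be reset; "high" means the second factor was also satisfied from the unfamiliar address, so the session itself needs review.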

Multi-Factor Authentication (MFA) security raises the barrier to account access by requiring another proof of identity (usually in the form of an alphanumeric code), but it does not stop phishing. Specifically, MFA does nothing to stop Business Email Compromise (BEC), Account Takeover, and social engineering emails impersonating executives to extract financial gain.

To do that, you need multi-layered security, the kind that Avanan provides.