theNet by CLOUDFLARE

Security Transformation

Episode 2: Bypassing MFA

Key excerpts:

What is MFA?

Michael Keane: [00:00:39]

…authentication is typically about verifying that someone is who they say they are. You've probably heard of two-factor authentication, where you try to use two different forms of assurance, and multifactor broadens that slightly to two or more factors of authentication… it's ideal to use something like a password plus a security key or a password plus a fingerprint. You don't want to use a password plus a security question, because those are two things that hackers can easily research…

Michael Keane: [00:02:48]

…with the prevalence of phishing these days, stealing passwords is easier than ever… as security grows, the attackers are getting more creative, too…

Michael Keane: [00:04:21]

…using more phishing-resistant forms of MFA, like FIDO2-compliant security keys, prevents man-in-the-middle attacks…


Types of MFA

Michael Keane: [00:07:12]

SIM swapping is a common one, unfortunately, given the prevalence of text message codes. Then we get into more of the modern stuff with fingerprint, Face ID and other biometrics. That stuff is harder to fake; that's definitely a stronger approach. It's been pretty universally agreed that anything that's compliant with the FIDO2 standard, like our security keys, is one of the most phishing-resistant and strongest forms of authentication…

Ashley Valera: [00:08:34]

…even if you have a phishing-resistant MFA in place like hard keys, that's still not enough to prevent these attacks completely. Just as attackers are using multiple strategies to get past MFA, organizations also need a similarly multi-pronged security strategy to defend against them.


Getting started with Zero Trust

Michael Keane: [00:09:10]

Zero Trust is this guiding set of principles, this very high-level framework to never trust, always verify, or to have no implicit trust… MFA is most related to access, which then relates to Zero Trust network access. This provides that individual access to all types of corporate resources, whether SaaS, on-prem, or non-web resources like SSH terminals for your developers. MFA relates most to that access component, where we can implement it as part of our ZTNA strategy. This is where a lot of organizations might start in their larger Zero Trust journey – locking down access first.

Michael Keane: [00:10:46]

If your business has a 20-year-old application in a data center, that is probably not going to organically support these newer standards of ZTNA. ZTNA sits in the middle as an aggregation layer that helps us implement any type of MFA. This unified approach to a broader security strategy helps all the different pieces play together a lot more nicely and protect from multiple angles.
