Dan Goodin at Ars Technica, on multifactor authentication (2FA/MFA):
Multifactor authentication (MFA) is a core defense that is among the most effective at preventing account takeovers. In addition to requiring that users provide a username and password, MFA ensures they must also use an additional factor—be it a fingerprint, physical security key, or one-time password—before they can access an account. Nothing in this article should be construed as saying MFA isn’t anything other than essential.
That said, some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.
More here. The article is solid. It first introduces the various forms of MFA, then explains the attack vectors used to bypass them (hint: they prey on distracted, busy, or otherwise unaware people; we’ve all been there). I appreciate their stressing that MFA is essential while raising awareness of the potential pitfalls.