You know your cybersecurity solutions aren’t working, so why are you still using them?

Have you ever jumped out of an aeroplane without a parachute on? Or walked a tightrope without a safety net? Maybe you’ve gone swimming with sharks while slathered in seal blubber?

No? Well, if as a business you’re still using 1st generation multi-factor authentication (MFA) solutions assuming they will prevent account takeover, then you’re taking a similar leap of faith with an ill-advised level of confidence. But don’t worry: you are not alone.

Most businesses are doing exactly that. And the worst part is that they know they are – we have the data to prove it (more on that later). Hopefully, this article will demonstrate why organisations need to make a change before it's too late.

Why do breaches occur?

Let’s zoom out. Broadly speaking, there are only three ways in which a business can be hacked:

  1. Through a backdoor.
  2. Exploiting vulnerable or unpatched software or systems.
  3. Stolen credentials.

Whichever method is deployed, the goal of the attacker is account takeover. Once inside, posing as a user, the criminal can get up to all sorts of mischief.

However, the cyber security industry is not solving these problems at the moment, and the most common cyber security solution that organisations invest in – MFA – does very little to stop criminals or prevent account takeover.

The problems with MFA

So far, cyber security’s best answer to the problem of account takeover is to add more factors of authentication, such as OTPs, push notifications or QR codes.

Trust me, I’m as sick of using these as you are, and the ridiculous thing is that they don’t even help. If anything, they make things even worse.

Let’s say, for a moment, that I’m a criminal. If I can intercept your ‘2nd factor’ or ‘credentials’ and steal them, then bang! I’m into your systems. That is because most people, including IT professionals, believe that an attacker cannot or is unlikely to intercept your ‘2nd factor’ or ‘credentials’ (e.g., the smartphone receiving an OTP or push notification, or scanning a QR code with your smartphone).

These types of attacks are called credential phishing and adversary in the middle (AiTM) attacks, and when used against 1st generation MFA, they are always successful. Wave goodbye to your business’s reputation for security. Say adios to the £3.4 million that organisations lose on average when they get hacked; so long to your team’s productivity while you try to limit the impact of the attack; sayonara to your good reputation and trust among customers.

To put it simply, the real problem is this: when two or more devices that are not connected to each other are used, credentials (and even authentication tokens) can be intercepted, hacked or stolen. Like with many things, quantity does not trump quality.

Furthermore, in this first-gen version of MFA authentication, credentials are stored in a central database – this creates a single point of failure. I might not have intercepted your OTP (one-time passcode), but what if I just hack the central database? I’ll be able to access every credential and shared secret (which is used to create the OTP), and there’s practically nothing that you can do about it.

Skydiving without a parachute

The scary, unbelievable thing is that businesses – or the cyber security experts within them – may be aware of everything I’ve just explained. However, there appears to be a lack of proactive measures or a potential need for education to address these concerns.

How do I know? Well, I know it from years of experience in this industry. But we can prove it with our own research – IDEE recently surveyed more than 500 cyber security professionals in UK businesses.

This is what we found:

  • 95% of respondents said their business uses MFA.
  • But 50% only described their MFA solution as ‘somewhat effective’.
  • Even fewer (40%) said they invested in MFA because they thought it was the most secure solution going.
  • And the most shocking stat: of those businesses using MFA, 56% experienced a cyber breach in 2023, with 26% experiencing three or more.

See, businesses are using MFA even though their cyber security decision-makers are unconvinced, and breaches are still happening with alarming frequency. The phrase “no one ever got sacked for buying IBM” springs to mind. There is safety in sticking to the accepted norm, but…

Sorry to say, it gets worse as we dig down into the technicalities of their MFA solutions. If we know that there are only three ways in which a business can be breached, and just 35% of respondents to IDEE’s survey said their MFA can mitigate weak passwords, with even fewer (34%) saying it can prevent credential phishing attacks, then sirens should be going off.

In my view, these figures could indicate that many cyber security professionals view cyber attacks as an unavoidable reality. Frankly, it’s jaw-dropping to see how many businesses are aware of the weaknesses that exist in their cyber security infrastructure and yet are not acting to rectify the situation. Or maybe they don’t know that there are solutions available that can help?

Only a system built on transitive trust will work

Clearly, something needs to change if businesses are to protect their systems and data against the ever-more sophisticated forms of attack that are out there.

A key issue that continues to hold businesses back from being pre-emptive is that they give too much weight to identifying cyber-attacks. So, 2024 must be the year that they set aside resources to find and implement systems that prevent them in the first place.

This means investing in solutions that are built on transitive trust, which only allow access to a trusted service (i.e. a domain that has been integrated with the system) on a trusted device (which has also been registered and is verified by its TPM chip) and by a trusted user who is in control of their device (which they prove by unlocking their device with biometrics or a PIN).

You might be thinking that this all sounds like MFA, but there is a huge difference: there is nothing to intercept or steal in this scenario.

No passwords. No additional codes. No extra notifications. Only a trusted user on a trusted device can access a trusted service. Even if a user’s PIN were discovered, a hacker would also physically require that user’s specific (trusted) device. It is fully phish-proof.

What’s more, these solutions are decentralised, so credentials are stored locally on the device inside the TPM and not centrally in a database. There is no database or central storage of credentials, so there is nothing to steal, making credential-based attacks and account takeover impossible.
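To make the contrast concrete, here is an added example in Go. It is my own illustration, not IDEE’s product or protocol and not code from this article. It models the two designs discussed above: a first-generation OTP server that keeps every user’s shared seed in one store, against which a relayed code is indistinguishable from a typed one and a copied store reproduces every future code; and a device-bound scheme in which the signing key stays on the device (a Go variable standing in for a TPM-resident key) and each assertion is signed over the origin the device is actually talking to, so the server only accepts it for its own origin. The names (OTPServer, TrustServer, Device, login.example.com, the look-alike login.example-com.net) and the seed values are constructed for this example; it assumes the client software reports the origin it sees, as a browser does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ---- First-generation MFA: a one-time code derived from a shared seed ----

// OTPServer keeps every user's seed in one central store (the single point
// of failure described in the article). Constructed for this example.
type OTPServer struct{ seeds map[string][]byte }

// hotp derives a six-digit code from seed and counter with RFC 4226-style
// truncation (real HOTP uses HMAC-SHA1; this toy uses HMAC-SHA256).
func hotp(seed []byte, counter uint64) string {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac := hmac.New(sha256.New, seed)
	mac.Write(c[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	v := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", v%1000000)
}

// Verify cannot tell where the digits came from: the code is just a string.
func (s *OTPServer) Verify(user, code string, counter uint64) bool {
	seed, ok := s.seeds[user]
	return ok && hmac.Equal([]byte(code), []byte(hotp(seed, counter)))
}

// ---- Transitive trust: device-bound key, assertion bound to the origin ----

// Device stands in for the registered hardware; the private key never leaves it.
type Device struct {
	priv     ed25519.PrivateKey
	unlocked bool // set only after the user proves presence with PIN/biometric
}

func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}, pub
}

func (d *Device) Unlock(pinOK bool) { d.unlocked = pinOK }

// assertionBytes binds the signed message to a specific origin and challenge.
func assertionBytes(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot be re-split
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign refuses without user presence and signs over the origin the device sees
// (assumed to be reported by the client software, as a browser would).
func (d *Device) Sign(challenge []byte, seenOrigin string) ([]byte, bool) {
	if !d.unlocked {
		return nil, false
	}
	return ed25519.Sign(d.priv, assertionBytes(challenge, seenOrigin)), true
}

// TrustServer stores only public keys: copying this store lets nobody log in.
type TrustServer struct {
	origin string
	keys   map[string]ed25519.PublicKey
}

func (s *TrustServer) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

func (s *TrustServer) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify checks against the server's OWN origin, so an assertion made while
// the device was talking to a look-alike domain does not verify.
func (s *TrustServer) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.keys[user]
	return ok && ed25519.Verify(pub, assertionBytes(challenge, s.origin), sig)
}

// ---- Scenarios on constructed data; each returns whether the server accepts ----

// OTPRelayed: Alice types a valid code into a relay page, which forwards it unchanged.
func OTPRelayed() bool {
	seed := []byte("constructed-seed-alice")
	srv := &OTPServer{seeds: map[string][]byte{"alice": seed}}
	return srv.Verify("alice", hotp(seed, 7), 7)
}

// OTPSeedCopied: a copy of the central store reproduces every user's next code.
func OTPSeedCopied() bool {
	seed := []byte("constructed-seed-alice")
	srv := &OTPServer{seeds: map[string][]byte{"alice": seed}}
	copied := append([]byte(nil), srv.seeds["alice"]...)
	return srv.Verify("alice", hotp(copied, 8), 8)
}

// deviceBound runs one login where the device believes it is talking to seenOrigin.
func deviceBound(seenOrigin string, pinOK bool) bool {
	dev, pub := NewDevice()
	srv := &TrustServer{origin: "login.example.com", keys: map[string]ed25519.PublicKey{}}
	srv.Register("alice", pub)
	ch := srv.Challenge()
	dev.Unlock(pinOK)
	sig, ok := dev.Sign(ch, seenOrigin)
	return ok && srv.Verify("alice", ch, sig)
}

func DeviceBoundDirect() bool  { return deviceBound("login.example.com", true) }
func DeviceBoundRelayed() bool { return deviceBound("login.example-com.net", true) }
func DeviceBoundLocked() bool  { return deviceBound("login.example.com", false) }

func main() {
	fmt.Println("OTP relayed / seed copied accepted:", OTPRelayed(), OTPSeedCopied())
	fmt.Println("device-bound direct / relayed / locked accepted:",
		DeviceBoundDirect(), DeviceBoundRelayed(), DeviceBoundLocked())
}
```

Running it prints `true true` for the OTP rows and `true false false` for the device-bound rows: the shared-seed design accepts whatever six digits arrive and is fully exposed by a copy of its store, while the device-bound design rejects an assertion produced against any origin but its own and produces nothing at all until the user has unlocked the device.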

This means that the only way in which criminals could access your system would be if they came round to your house and threatened you at gun-point to gain access with your trusted device and PIN. At that point, I’m afraid it becomes more of a police issue than a cyber security one.

To end on a cheerier note, change is eminently possible. To defend against evolving threats, 2024 must mark a turning point. It's time for businesses – and the wider cyber security industry – to rethink their security strategies and embrace a future built on identity proofing and transitive trust.