
Multi-factor authentication has proven it works, so what are we waiting for?

Recently, Amazon announced that it will require all privileged Amazon Web Services (AWS) accounts to use multi-factor authentication (MFA), starting in mid-2024.

Our regular readers will know that we feel that passwords alone are not adequate protection, especially not for your important accounts. So we wholeheartedly agree with Amazon on this.

Multi-factor authentication is so much more secure, and with that a lot more forgiving, than passwords alone. I would not recommend it, but writing down your password on a Post-It and pasting it on your monitor won’t do an attacker any good if you have set up your MFA properly. Also not recommended, but you could even re-use your weak password on every site, as long as all those accounts were protected with the best that MFA has to offer.

The last piece of that sentence, “the best that MFA has to offer”, is important. As Amazon wrote in its announcement:

“We recommend that everyone adopts some form of MFA, and additionally encourage customers to consider choosing forms of MFA that are phishing-resistant, such as security keys.”

The takeaway here is that not every form of MFA is equally secure. When given the choice, the best form of MFA is a password and hardware key, but this means you’ll need to buy a hardware key. Please consider doing so, since they are worth the small investment and not nearly as intimidating as they may seem.

Security keys conforming to the FIDO U2F or FIDO2/WebAuthn standards are inherently resistant to reverse proxy and man-in-the-middle attacks that are reportedly on the rise right now.

If you aren’t ready to take that step yet, the next best form of MFA uses an app that prompts you with a notification on your phone. Next best after that is MFA that uses a code from an app on your phone, and the least good version of MFA uses a code sent over SMS.

But even that least good version provides a good chunk of security.

In 2019, Microsoft’s Alex Weinert wrote that, based on Microsoft’s studies, your account is more than 99.9% less likely to be compromised if you use MFA. This year (2023), Microsoft’s Tom Burt blogged:

“While deploying MFA is one of the easiest and most effective defenses organizations can deploy against attacks, reducing the risk of compromise by 99.2%, threat actors are increasingly taking advantage of “MFA fatigue” to bombard users with MFA notifications in the hope they will finally accept and provide access.”

So, the numbers are slightly down, mainly because cybercriminals have started to adapt and are finding ways to bypass the weakest MFA methods.

An MFA fatigue attack, aka MFA bombing or MFA spamming, is a social engineering strategy where attackers repeatedly trigger second-factor authentication requests. The attacker bombards the user with requests to allow access and hopes the intended victim gets tired of the racket or makes a mistake and pushes the coveted “Yes, that’s me” button.
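As an added example (not from the original article or from any vendor's product), here is one way a defender can spot the pattern described above in push-MFA logs: count prompts per user in a sliding window and escalate when a burst ends in an approval. The event format, the result names, the window and the threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumption: look-back window for one burst
THRESHOLD = 5                   # assumption: prompts in WINDOW that count as a burst

# Constructed sample events (not real logs): (timestamp, user, prompt result).
# The result values "denied", "timeout" and "approved" are assumed names.
SAMPLE_EVENTS = [
    ("2023-10-12T02:14:05", "alice", "denied"),
    ("2023-10-12T02:14:40", "alice", "timeout"),
    ("2023-10-12T02:15:10", "alice", "denied"),
    ("2023-10-12T02:16:02", "alice", "timeout"),
    ("2023-10-12T02:17:30", "alice", "denied"),
    ("2023-10-12T02:18:11", "alice", "approved"),  # user gives in
    ("2023-10-12T09:00:00", "bob", "approved"),    # ordinary single login
    ("2023-10-12T08:00:00", "carol", "denied"),    # spread out: never a burst
    ("2023-10-12T08:30:00", "carol", "denied"),
    ("2023-10-12T09:00:00", "carol", "denied"),
    ("2023-10-12T09:30:00", "carol", "denied"),
    ("2023-10-12T10:00:00", "carol", "denied"),
]


def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Flag users who get `threshold` or more push prompts within `window`.
    A burst raises one "warning"; an approval inside a burst is "critical"."""
    recent = defaultdict(deque)  # user -> prompt times still inside the window
    in_burst = set()             # users already warned for the current burst
    alerts = []
    for ts_text, user, result in sorted(events):  # ISO timestamps sort by time
        ts = datetime.fromisoformat(ts_text)
        prompts = recent[user]
        prompts.append(ts)
        while ts - prompts[0] > window:           # drop prompts that aged out
            prompts.popleft()
        if len(prompts) < threshold:
            in_burst.discard(user)
            continue
        if result == "approved":
            alerts.append((user, ts_text, len(prompts), "critical"))
        elif user not in in_burst:
            alerts.append((user, ts_text, len(prompts), "warning"))
        in_burst.add(user)
    return alerts
```

A "critical" alert is the case to act on first: the session that followed the approval should be reviewed and revoked if the user did not start the login.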

Still, a success rate of over 99% is no small feat. And this number will improve with better MFA.

What is holding us back is the number of sites and services that offer us the option of using MFA. So please, if you are not offering it yet, stop asking users for more complex passwords that change every few weeks, and start implementing MFA for them instead. It will not only increase security but also provide a better user experience.

At some point users should, and will, demand to be able to use MFA to protect their accounts from being abused or taken over by cybercriminals. So, providing them with this option means you are ready for the future.

To help you as a user get started, here are links to the 2FA setup instructions for the five most visited websites:



ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.