So, Your MFA is Phishable, What To Do Next

Most MFA is Easily Phishable

Many people are shocked when we show them how easy it is to bypass or hack most MFA solutions. In the majority of cases, it’s as easy to do as phishing a password. Here’s a good example video demonstrating how easy it is to phish past most MFA solutions.

Use Phishing-Resistant MFA When You Can

So, our advice is to use PHISHING-RESISTANT MFA and not just ANY MFA, whenever possible. Actually, it’s not just our advice. The US government has been saying not to use easily phishable MFA at least since 2017. Presidential executive orders in 2021 and 2022 have again reinforced the idea that no one should be using easily phishable MFA.

Despite this, perhaps 90% to 95% of the MFA used by most people today is easily phishable. The ultimate solution is to upgrade or move to phishing-resistant MFA when you can. KnowBe4’s Data-Driven Defense Evangelist, Roger A. Grimes, keeps an up-to-date list of every MFA solution and type he is aware of that is phishing-resistant. Use one of those phishing-resistant MFA solutions if you can.

But if you already have a phishable MFA solution, most of the time it is not easy to replace it or change to a phishing-resistant form. You have what you have, or what you use is forced upon you by a vendor or service you want to do business with. Much of the time, when you have phishable MFA, you can’t easily upgrade or replace it.

What to Do?

So, what’s a person or organization supposed to do if they have easily phishable MFA and can’t simply change it?

No matter what type of MFA solution you have or use, easily phishable or not, there are ways to hack and get around it. Nothing is unhackable, not even the strongest, most secure form of MFA. So, the solution is to educate yourself and all other stakeholders, especially end-users, about the following topics:

  • How to correctly use the MFA solution
  • Strengths and weaknesses of the MFA solution
  • The common possible attacks for that type of MFA, and how to detect and prevent them
  • What to do during rogue hacking attempts (i.e., defeat and report it)
  • What MFA does and doesn’t prevent

For example, if your MFA solution is susceptible to Man-in-the-Middle attacks like the one shown in the video above, make sure everyone you manage who uses it is aware that they still have to pay attention to URL links sent to them, to make sure they are legitimate. This may sound like common sense, but you’d be surprised how many end-users think that their MFA solution explicitly protects them against rogue phishing links, and that belief can be dangerous.

Be sure to tell your end-users what to do if they detect an attempt to bypass or hack their MFA solution. You’d be surprised how many users ignore the attack and don’t report it. That can be dangerous to the organization, as it could be undergoing a concerted spear phishing attack while no one is telling IT.

As another example, if your organization uses push-based MFA, make sure that all users are explicitly trained not to approve authentication prompts for logons that they themselves are not actively involved in. You would think you would not need to teach end-users this, but you would be wrong. Some studies have shown that up to 30% of end-users using push-based MFA will approve a logon prompt even when they are not actively logging in.
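Training is one half of the push-MFA advice above; the other half is noticing when a user has been prompted repeatedly or has approved a logon they did not start. The following is an added example (not code from the original article or from KnowBe4) that scans a constructed, inline MFA log for the two patterns a defender would want to see: a burst of push prompts to one user that ends in an approval, and an approval coming from a source IP the user has never approved a logon from before. The log format, field names and sample records are assumptions made for this example.

```python
"""Detect suspicious push-MFA activity in authentication logs.

Added example, not from the original article. It looks for two patterns
that follow from the article's advice on push-based MFA:
  1. push bombing / MFA fatigue: many push prompts to one user in a short
     window, especially a run of denials followed by an approval;
  2. an approved push whose source IP the user has never approved from,
     i.e. a prompt the user may not have started themselves.
The log format and field names below are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# timestamp,user,event,src_ip,result
SAMPLE_LOG = """\
2024-05-01T08:00:00,alice,push_sent,203.0.113.10,-
2024-05-01T08:00:05,alice,push_result,203.0.113.10,approved
2024-05-01T09:00:00,bob,push_sent,198.51.100.7,-
2024-05-01T09:00:09,bob,push_result,198.51.100.7,denied
2024-05-01T09:00:20,bob,push_sent,198.51.100.7,-
2024-05-01T09:00:28,bob,push_result,198.51.100.7,denied
2024-05-01T09:00:40,bob,push_sent,198.51.100.7,-
2024-05-01T09:00:47,bob,push_result,198.51.100.7,denied
2024-05-01T09:01:05,bob,push_sent,198.51.100.7,-
2024-05-01T09:01:12,bob,push_result,198.51.100.7,approved
2024-05-01T10:30:00,alice,push_sent,192.0.2.55,-
2024-05-01T10:30:04,alice,push_result,192.0.2.55,approved
"""


def parse_log(text):
    """Parse the assumed CSV-style log into event dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, src_ip, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "src_ip": src_ip, "result": result})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_bombing(events, window=timedelta(minutes=5), threshold=3):
    """Flag users who receive >= threshold push prompts within one window.

    Returns one alert per user for the first burst found, noting whether
    an approval followed the burst (the fatigue pattern: a user approving
    a logon they did not start).
    """
    sent = defaultdict(list)
    for e in events:
        if e["event"] == "push_sent":
            sent[e["user"]].append(e["ts"])  # already in time order
    alerts = []
    for user, times in sent.items():
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= threshold:
                end = burst[-1]
                approved = any(
                    e["user"] == user and e["event"] == "push_result"
                    and e["result"] == "approved"
                    and start <= e["ts"] <= end + window
                    for e in events)
                alerts.append({"user": user, "start": start,
                               "prompts": len(burst),
                               "approved_after_burst": approved})
                break  # one alert per user is enough for triage
    return alerts


def detect_approval_from_new_ip(events, known_ips=None):
    """Flag approved pushes from a source IP the user has never approved from.

    The first approval seen for a user seeds the baseline unless known_ips
    (mapping user -> set of IPs) is supplied. Such an approval is worth a
    follow-up question to the user: did you actually start that logon?
    """
    baseline = defaultdict(set)
    for user, ips in (known_ips or {}).items():
        baseline[user].update(ips)
    alerts = []
    for e in events:
        if e["event"] != "push_result" or e["result"] != "approved":
            continue
        user, ip = e["user"], e["src_ip"]
        if baseline[user] and ip not in baseline[user]:
            alerts.append({"user": user, "ts": e["ts"], "src_ip": ip})
        baseline[user].add(ip)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_push_bombing(evs):
        print("push burst:", a)
    for a in detect_approval_from_new_ip(evs):
        print("approval from new source:", a)
```

On the sample data, bob is flagged for four prompts inside five minutes ending in an approval, and alice's second approval is flagged because it came from an address she had never approved from. Both alerts are prompts for a human follow-up with the user, which is exactly the reporting loop the article asks organizations to build.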

Never assume your end-users understand MFA as well as you do and will always react appropriately in the face of a hacking attack. Education is the key to reducing risk, no matter whether you use MFA or not, or whether you use easily phishable or phishing-resistant MFA. When in doubt, educate.

Lastly, if your organization or vendor is forcing you to use easily phishable MFA, pressure them to move to phishing-resistant forms. That, too, takes education. Most organizations and vendors are not aware of how easily most of today’s MFA solutions can be phished and bypassed. Educate them. Pressure them. Do whatever you can to get to more phishing-resistant forms of MFA.

** Optrics Inc. is an Authorized KnowBe4 partner

12 Ways to Defeat Multi-Factor Authentication On-Demand Webinar

Roger A. Grimes, KnowBe4’s Data-Driven Defense Evangelist, explores 12 ways hackers use social engineering to trick your users into revealing sensitive data or enabling malicious code to run. Plus, he shares a hacking demo by KnowBe4’s Chief Hacking Officer, Kevin Mitnick.

The original article can be found here: