
Is MFA Really the Key to Ending Phishing? Not Even Close.

I have been hearing some interesting things from the RSA conference this year. That is nothing new, as RSA is a great source for the latest in cybersecurity technology and a wonderful place for education. Unfortunately, I was not able to attend RSA this year; however, one trend that I have heard about involves something near and dear to my heart, and it concerns me.

On more than one occasion now, I have been told that this year, well-respected speakers have said, on stage, that Multi-Factor Authentication (MFA) can stop 99% of phishing attacks. This is not only a foolish statement but a dangerous one. It is also not the first time I have heard this claim, or the first time I have addressed it.

Ever since 2018, when I first read Brian Krebs' headline, "Google: Security Keys Neutralized Employee Phishing", I have had serious issues with how MFA is explained. That article opened with this quote, which misled people further:

“Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.”

Not only are statements like this misleading, but they are also just plain wrong and even dangerous.

Ironically, shortly after this article was published quoting Google telling us about how MFA keys did such a great job eliminating phishing, the marketing giant launched the sale of these same MFA keys. This was not an accident, but rather a clever marketing scheme.

I do not want to give the wrong impression here. I actually really like MFA and recommend it to people all the time. I support the FIDO Alliance wholeheartedly and use Yubikeys myself. The issue is that it is not the silver bullet some people claim it to be. It is effective against one specific class of phishing, and even then the type of MFA matters: a one-time code or push prompt can be relayed in real time through an attacker's proxy page, whereas a FIDO2 security key binds its response to the real site's origin, so a credential captured on a lookalike domain is useless. Against the rest of what phishing is used for, it does nothing. MFA protects account logins – that is all.

Why would I make such a bold statement? It is simple, really. While MFA helps prevent account takeover due to lost, stolen or weak credentials, it does nothing to counter a person clicking a link to a malware-infected website, opening an infected document, or wiring money to bad actors. According to the FBI, between June 2016 and December 2021 there were over $43 billion in losses due to Business Email Compromise (BEC). While the name implies that accounts were compromised, most of these scams are pulled off by simply spoofing the display name of an email account, or registering a lookalike domain, without ever having access to the real account. MFA does nothing to stop a spoofed sender from asking someone to transfer funds or buy gift cards.

Another huge part of email phishing is the distribution of malware. This most commonly happens by getting the targets of the emails to click a link in the message, or to open an infected document and enable active content or macros. None of these scenarios are affected by MFA at all.
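To make the two preceding points concrete, here is a small triage script, added for this post and not the author's or any vendor's tooling, that scores raw emails for the tricks just described: an executive's display name on a foreign mailbox, a Reply-To that diverts replies elsewhere, a lookalike sender domain, a macro-enabled attachment, and wire-transfer or gift-card language. The organisation domain, the executive names and all three sample messages are constructed for the example; nothing it flags depends on whether the recipient's login has MFA.

```python
"""Flag BEC and malware-delivery tricks in raw emails (example code, not from the post)."""
from email import message_from_string
from email.utils import parseaddr

# Assumed for the example: our own domain and the names attackers like to borrow.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"Pat Finance", "Chris Ceo"}          # hypothetical names
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")
MONEY_WORDS = ("wire", "gift card", "urgent", "immediately")


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    """Concatenate every text/plain part, decoded, lower-cased."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return " ".join(chunks).lower()


def analyse(raw):
    """Return a list of findings for one RFC 5322 message; empty means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)

    # 1. Display-name impersonation: a known executive's name on a mailbox we do not own.
    if name in EXECUTIVES and from_dom != ORG_DOMAIN:
        findings.append(f"display-name impersonation: '{name}' via {from_dom or 'no domain'}")

    # 2. Reply-To on a different domain than From: replies go to the attacker.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append(f"reply-to redirection: {_domain(reply)}")

    # 3. Lookalike domain: our brand embedded in a domain that is not ours.
    if from_dom != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in from_dom:
        findings.append(f"lookalike sender domain: {from_dom}")

    # 4. Macro-enabled Office attachments, judged by filename.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(MACRO_EXTENSIONS):
            findings.append(f"macro-enabled attachment: {filename}")

    # 5. Payment or urgency language typical of BEC lures.
    body = _body_text(msg)
    if any(word in body for word in MONEY_WORDS):
        findings.append("payment/urgency language in body")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """From: Pat Finance <pat.finance.ceo@gmail.com>
Reply-To: Pat Finance <pat.finance.ceo@outlook.com>
To: accounts@example.com
Subject: Quick favour

I need you to wire $48,000 to the vendor below today. I am in meetings, so reply here.
"""

SAMPLE_MALDOC = """From: HR Team <hr@example-com.co>
To: staff@example.com
Subject: Updated payroll schedule
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached schedule and enable editing.
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="Payroll.xlsm"
Content-Disposition: attachment; filename="Payroll.xlsm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

SAMPLE_BENIGN = """From: Pat Finance <pat@example.com>
To: accounts@example.com
Subject: Budget review

Can we move the budget review to Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("maldoc", SAMPLE_MALDOC), ("benign", SAMPLE_BENIGN)):
        print(label, analyse(sample))
```

The point of the script is what it does not need: none of the five checks consults who logged in or how. The BEC lure and the macro-laden "payroll" sheet would land in the inbox and do their damage with every mailbox in the company protected by a security key.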

By telling people that MFA will stop 99% of phishing attacks, we do them a great disservice by giving them a false sense of security. Executives could come back from the conference and tell their staff that, once MFA is implemented, they can cut spending on other controls, which is a really dangerous message.

Phishing cannot be stopped by a single technology, or even by a mix of technologies. The best we can do is manage the problem and reduce the risk through a mixture of technologies and by helping individuals spot these attacks through education and practice. A focus on a good, strong security culture within the organization can do far more than simply enabling MFA, although MFA remains an important part of a strong security program.

As security professionals, it is our duty to be objective about how effective security controls are and not fall for marketing messages that are meant to promote products. Snake oil is still too prevalent in our industry to let our guard down.
