October is National Cybersecurity Awareness Month. Each week has a theme. This week's theme? How to remain #CyberSmart. This blog goes into the promise—and perils—of multi-factor authentication:

According to official Microsoft guidance, multi-factor authentication can solve everything. Seriously. Microsoft notes that MFA can block "over 99.9% of account compromise attacks." Read on:

Everyone should have multi-factor authentication. It is the bare minimum of security. Without MFA, the rest of your security is irrelevant — especially in Microsoft 365 and Google Workspace.

However, MFA is not a panacea. Sure, it can block off an avenue for hackers to infiltrate. But it doesn't block off every avenue. MFA is another form of perimeter security, but the cloud has no perimeter. People often think that because they have MFA, they’re immune to phishing attacks. To be clear, MFA is not designed to stop attacks that are unrelated to logins. It only secures online accounts at the perimeter, when the user logs in to gain access.

MFA specifically cannot stop BEC attacks, spoofed login pages, CEO impersonation or embedded malware. 

Implementing MFA is great, and an essential step for all companies. Relying solely on it? Not so much. MFA does not solve the phishing problem. Attackers can automate their own login so that it happens at the same moment they capture the user's login. Instead of authenticating their own login, users are essentially approving the attacker's attempts to infiltrate the system. Cloud Access Trojan attacks require just one login and create a permanent backdoor.

MFA helps. But it's not perfect. It's why we've implemented a new MFA anomalies engine, which detects login operations that failed the MFA stage.
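
One way to express the check described above, as an added example that is not the engine or any code from this blog: it scans sign-in events for logins where the password was accepted but the MFA stage failed, and records whether the same source passed MFA shortly afterwards. The event schema, the sample events and the `mfa_anomalies` function are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events; the field names are a hypothetical schema.
EVENTS = [
    {"ts": "2023-10-02T09:00:05", "user": "alice", "ip": "198.51.100.7", "password_ok": True, "mfa": "failed"},
    {"ts": "2023-10-02T09:01:10", "user": "alice", "ip": "198.51.100.7", "password_ok": True, "mfa": "failed"},
    {"ts": "2023-10-02T09:02:30", "user": "alice", "ip": "198.51.100.7", "password_ok": True, "mfa": "passed"},
    {"ts": "2023-10-02T09:15:00", "user": "bob", "ip": "203.0.113.20", "password_ok": True, "mfa": "failed"},
    {"ts": "2023-10-02T09:20:00", "user": "carol", "ip": "192.0.2.44", "password_ok": False, "mfa": "not_attempted"},
    {"ts": "2023-10-02T10:00:00", "user": "dave", "ip": "192.0.2.50", "password_ok": True, "mfa": "passed"},
]


def mfa_anomalies(events, window=timedelta(minutes=10)):
    """Report accounts where the password was accepted but the MFA stage failed."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    findings = []
    for user, evs in by_user.items():
        fails = [e for e in evs if e["password_ok"] and e["mfa"] == "failed"]
        if not fails:
            continue  # wrong passwords and clean logins are not MFA-stage failures
        # A correct password with failed MFA means whoever logged in knew the
        # password but could not complete the second factor.
        last_fail = fails[-1]
        outcome = "mfa_held"
        for e in evs:
            gap = e["ts"] - last_fail["ts"]
            # Same source passing MFA soon after failing: either a user typo or
            # a prompt that was eventually approved, so it needs a human look.
            if e["mfa"] == "passed" and e["ip"] == last_fail["ip"] and timedelta(0) < gap <= window:
                outcome = "passed_after_failure"
        findings.append({
            "user": user,
            "outcome": outcome,
            "failed_mfa": len(fails),
            "ips": sorted({e["ip"] for e in fails}),
        })
    return findings


if __name__ == "__main__":
    for finding in mfa_anomalies(EVENTS):
        print(finding)
```

A `mfa_held` finding still calls for a password reset, because the first factor was accepted.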

