Multi-factor authentication (MFA) is rightly considered a security upgrade over single-factor approaches like a simple username and password. MFA does a great job of reinforcing traditional login credentials and, in turn, is very effective at stopping fraudsters who take advantage of easy prey – such as the 12% of consumers who use a single password for every account across multiple platforms. In situations like these, where fraudsters rely solely on stolen credentials to perpetrate their crimes, MFA methods like SMS and email OTPs are very effective at preventing account takeover (ATO).
But although MFA makes organizations – and their users – feel safe, cybercriminals are constantly evolving their technologies and practices to get around this additional layer of security. Some of these methods rely on driving MFA fatigue, but others are more insidious and seek to bypass the protection offered by MFA altogether. All of this means that, while MFA is a great way to reinforce login credentials like usernames and passwords, it may not be enough to stop the latest types of ATO.