13 Downgrade/Recovery Attacks

This chapter covers additional sneaky ways hackers get around MFA solutions, focusing on the alternative authentication methods vendors provide for recovering MFA-protected accounts.

Introduction

No matter what your MFA solution is, implementing it is more expensive, both initially and ongoing, than traditional logon name and password solutions. If you use MFA, your organization is nearly guaranteed to have increased support calls and costs. It's the nature of using a more involved, complex solution. It takes longer to train people in how to appropriately use MFA solutions. MFA solutions involving additional hardware devices naturally mean those hardware devices will break and be lost or stolen. Even if all your MFA solution uses is SMS or an app on a cell phone, that means more support calls and more operational disruption as compared to password-based solutions.

Large-scale MFA solutions with hundreds of thousands to millions of users are challenged with how to provide technical support to all those customers while keeping support costs to an acceptable minimum. Because of this, I've yet to see a large-scale MFA solution that didn't offer a recovery method that ultimately involved something less secure than the MFA solution it was backing up. I've even seen many MFA solutions that had an admin or user option that enabled the user to “REQUIRE MFA”, that in the end didn't allow a logon method that didn't require ...
