25 Takeaway Lessons

This chapter will recap the individual user and developer defenses provided by the various MFA solutions shared in the previous chapters and discuss the lessons readers need to take away from this book. We'll start with the broader lessons first.

Broader Lessons

This section covers some general takeaways from all MFA solutions.

MFA Works

In a book dedicated to hacking MFA, some readers may come away with the idea that MFA is bad or not worth using. Let me be clear: MFA decreases cybersecurity risk in many use cases, especially general account takeover (ATO) scenarios. But there is a difference between MFA decreasing risk in many scenarios and MFA not being hackable.

MFA does stop hacking in many scenarios, especially phishing attacks that ask for the user's passwords and then use those fraudulently obtained credentials to log on to the victim's legitimate sites and services. If you don't have a password to be stolen because you're using MFA instead, then that type of attack will simply not work against you. MFA also stops many types of traditional attacks against sites and services that require MFA for logon. Unless an intruder finds a way around the MFA requirement in those two scenarios, the MFA solution decreases risk.

Multiple studies have shown that MFA is good at stopping widely broadcasted, general, credential phishing attacks, including these:

Get Hacking Multifactor Authentication now with the O’Reilly learning platform.