On the surface it might seem like multi-factor authentication (MFA) is the silver bullet of authentication. Indeed, MFA does play a major role in combating fraud, and it should be a strategy used by every business and organisation to protect its customers. However, silver bullets are a bit like Unicorns: they don’t exist there’s always a slight risk you might get impaled. So, when is MFA not applicable? Let’s take a closer look:
During an application process
There are times when MFA just isn’t an option, and an application process can be one of those times. Let’s suppose a fraudster is applying for a credit card in another person’s name. Your authentication options are limited since MFA requires an existing trusted device (second factor) to be setup. So how can you be sure the person submitting the application is who they say they are?
When devices have been lost or aren’t accessible
A classic tactic used by fraudsters is to eliminate MFA from the equation. This can be as simple as speaking with a call center agent, and when asked to perform MFA, informing the agent that the device has been lost or stolen. This leaves agents with no option but to revert to the standard security questions that are easily exploited.
When a device is compromised
In most cases, MFA uses your mobile device (SMS or app notification) as the second factor in the authentication process. But what if that device has been compromised? What use is an access code sent to a device in the hands of the fraudsters? This risk has significantly increased in recent years with fraudsters incorporating remote access software into their scams. This means MFA access codes can be intercepted without physically being in possession of the device.
In summary, while multi-factor authentication is a powerful tool for every organisation, it’s not the answer to everything. Maybe it’s time to have Honey Badger as a second string to your bow?
Honey Badger HQ
