MFA, and when it’s not

Multi-factor authentication is a good way to keep your account secure from unauthorised login attempts, especially once your password has been exposed. But it is not a panacea.

A word of warning for you and your IT team: just because MFA is enabled, it does not mean your account is safe from every intrusion attempt. Consider the scenarios below, and think about how you would protect yourself against an intruder using each of these methods.

  • Not every account that uses the same username/password combination is protected by MFA, so an attacker holding the credentials simply logs in to one that isn't.
  • You receive an MFA request that you didn't initiate. Someone already has your password and is hoping you approve the prompt, or give in after repeated prompts.
  • Your second factor is delivered to the same computer you log in from, for example a code sent by email or SMS that is forwarded to an app on that computer. An intruder who controls the machine then has both factors.
  • Your mobile phone number gets hijacked (i.e. someone has your number transferred to their SIM card) and with it every SMS or voice code sent to you.
  • An alternative authentication method is set to the desk phone at the same workstation your computer is located at, so whoever sits at that desk has the second factor as well.

Admittedly, the last two require a little more sophistication to execute, but they are not beyond the realm of possibility.
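The second scenario, an MFA prompt you didn't ask for, is one an IT team can actually watch for. The following is an added example, not code from the original post: it scans authentication log lines for a user who receives a burst of push prompts in a short window, most of which are denied, time out or go unanswered, which is the signature of an attacker who already has the password and is hammering the second factor. The log format, the event names (mfa_push_sent, mfa_push_approved, mfa_push_denied, mfa_push_timeout), the sample lines and the thresholds are all assumptions made for this illustration, not the output of any particular identity provider.

```python
# Added example: flag "MFA fatigue" bursts (repeated unsolicited push prompts)
# in constructed authentication log lines. Field names, event names and
# thresholds are assumptions for illustration, not any vendor's real format.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format per line:
#   <ISO-8601 timestamp> user=<name> event=<mfa_push_*> ip=<address>
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=alice event=mfa_push_sent ip=203.0.113.10
2024-03-01T08:02:15Z user=alice event=mfa_push_approved ip=203.0.113.10
2024-03-01T22:41:03Z user=bob event=mfa_push_sent ip=198.51.100.7
2024-03-01T22:41:40Z user=bob event=mfa_push_timeout ip=198.51.100.7
2024-03-01T22:42:05Z user=bob event=mfa_push_sent ip=198.51.100.7
2024-03-01T22:42:30Z user=bob event=mfa_push_denied ip=198.51.100.7
2024-03-01T22:43:10Z user=bob event=mfa_push_sent ip=198.51.100.7
2024-03-01T22:43:45Z user=bob event=mfa_push_denied ip=198.51.100.7
2024-03-01T22:44:20Z user=bob event=mfa_push_sent ip=198.51.100.7
2024-03-01T22:44:35Z user=bob event=mfa_push_approved ip=198.51.100.7
2024-03-01T09:15:00Z user=carol event=mfa_push_sent ip=192.0.2.44
2024-03-01T09:15:20Z user=carol event=mfa_push_denied ip=192.0.2.44
"""

OUTCOMES = ("mfa_push_approved", "mfa_push_denied", "mfa_push_timeout")


def parse_line(line):
    """Parse one assumed-format log line into a dict with a datetime 'ts'."""
    ts_str, *kvs = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": ts, **fields}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def pair_prompts(evs):
    """Attach to each mfa_push_sent the first outcome that follows it.
    A prompt with no outcome before the next prompt is recorded as None."""
    pairs, pending = [], None
    for e in evs:
        if e["event"] == "mfa_push_sent":
            if pending is not None:
                pairs.append((pending, None))
            pending = e
        elif e["event"] in OUTCOMES and pending is not None:
            pairs.append((pending, e["event"]))
            pending = None
    if pending is not None:
        pairs.append((pending, None))
    return pairs


def find_push_fatigue(events, window=timedelta(minutes=10),
                      min_prompts=3, min_rejected=2):
    """Return one alert per burst: >= min_prompts prompts to one user inside
    `window`, of which >= min_rejected were denied, timed out or unanswered.
    'ended_approved' is True when the burst finished with an approval, i.e.
    the user may have given in and the attacker is probably logged in."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e["ts"])
        pairs = pair_prompts(evs)
        i = 0
        while i < len(pairs):
            start = pairs[i][0]["ts"]
            run = [p for p in pairs[i:] if p[0]["ts"] - start <= window]
            rejected = sum(1 for _, out in run if out != "mfa_push_approved")
            if len(run) >= min_prompts and rejected >= min_rejected:
                alerts.append({
                    "user": user,
                    "first_prompt": start,
                    "prompts": len(run),
                    "rejected": rejected,
                    "ips": sorted({p[0]["ip"] for p in run}),
                    "ended_approved": run[-1][1] == "mfa_push_approved",
                })
                i += len(run)  # skip past this burst, keep scanning
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(a)
```

On the sample data only bob is flagged: four prompts in under four minutes, three of them rejected, and the last one approved, which is exactly the case that should page someone rather than sit in a report. The thresholds are deliberately loose; tighten them to your own baseline, and treat a burst that ends in approval as a probable compromise rather than a curiosity.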

Have another scenario that may subvert MFA controls? Post it below so we can discuss methods to mitigate the risks.
