Legacy MFA is dead. 

It’s been a security fundamental for years, and is still widely considered a best practice for user security. But countless recent attacks show us that traditional multi-factor authentication (MFA) is no longer an obstacle to increasingly sophisticated hackers.

Uber and Twilio highlight the limits of legacy MFA

In September, an attacker breached Uber’s network and gained access to internal systems. Uber says the attacker likely purchased a contractor’s corporate password on the dark web. Even though Uber utilizes MFA, which initially stopped the attacker’s progress, the contractor approved the MFA request (through a push notification) and the damage was done. 

The attacker then accessed additional systems using those credentials and leveraged poor access control policies to gain a broad level of access to many more systems. While Uber claims it has “not seen” evidence that public-facing systems were accessed by the hacker, they’ve certainly suffered a reputational hit because legacy MFA didn’t offer enough protection.

Twilio’s recent hack is another example. SMS phishing convinced some Twilio employees to give up their credentials, leading to the compromise of credentials for 163 customers, including Okta

But once attackers had gained access to Twilio’s customer support console, they obtained the phone numbers and verification codes for 1,900 Signal customers, which would have enabled them to register those phone numbers to a different device using the code. Luckily, among the 1,900 affected users, the attacker only searched for three numbers and re-registered only one. 

The risks and costs of traditional MFA

If some of the world’s most reputable and sophisticated organizations aren’t immune to attacks, where does that leave everyone else? Even more likely to experience a breach. 

Compromised credentials are the most frequent vector for attacks, accounting for 19%, according to IBM’s Cost of a Data Breach Report 2022. A whopping 80% of financial services organizations have experienced a breach that was likely related to authentication weakness, according to a recent HYPR study

Organizations are caught trying to avoid the likelihood and expense ($4.5 million per breach on average, according to IBM) of compromised credential attacks, without slowing productivity and alienating users by imposing even more onerous security safeguards. 

But there doesn’t need to be a tradeoff. Organizations can protect themselves from breaches due to compromised credentials, avoid the ongoing collapse of traditional MFA, and keep the burden on users as minimal as possible. 

Managing the Joiner-Mover-Leaver workflow

Every organization inevitably has users onboarding new systems, changing roles, or offboarding as they leave. These Joiner-Mover-Leaver approaches are critical to an organization’s security posture.

Far too often, companies only focus on the Joiner, get by with ad hoc requests for the Mover, and forget about Leaver entirely. This fragmented way of thinking is what creates security vulnerabilities. Furthermore, you can’t have a cohesive strategy without considering authentication. 

  • Joiner: Without strong authentication, you are creating new at risk accounts and access.
  • Mover: Without structure, an employee's level of access will naturally grow over time. It's human nature to add access. It is not human nature to review and remove access that’s no longer needed.
  • Leaver: Without clear approaches, access is leaked and orphaned accounts are created. 

A true defense in-depth strategy means having a well-understood approach to the basics for your company and its critical systems. The Bravura Security Fabric can deliver such a solution for you and the newest addition to the family, Bravura OneAuth, plays a critical role here. 

Go passwordless with Bravura OneAuth powered by HYPR

Many traditional MFA methods leverage passwords, which is a giant target for hackers. If you can type it, whether it’s a password or a shared secret, it puts your company at risk. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recommended phishing-resistant MFA, particularly based on the FIDO authentication standard to counter the increase in cyberattacks and the world’s password insecurity. 

Passwordless is the answer, and Bravura Security has partnered with HYPR to deliver a true passwordless future through Bravura OneAuth

Bravura OneAuth eliminates organizational risk by ditching passwords and providing superior security compared to traditional MFA solutions. Users sign in with one-touch biometrics that act as access points, making authentication as easy as unlocking a cell phone. According to HYPR’s study, 89% of organizations believe passwordless authentication provides a superior user experience and the highest level of authentication security.

Bravura OneAuth powered by HYPR gives you the opportunity to adopt phishing-resistant, true passwordless authentication. With so many recent attacks showing how feeble traditional MFA can be in preventing a breach, the time to adopt passwordless is now. 

Learn more about how Bravura OneAuth can protect your organization