Multi-Factor Authentication (MFA) is a security measure that requires two or more proofs of identity to grant you access to an application. For example, in addition to providing your password, you need a one-time password (OTP) sent via an email, text message or an authenticator app. On some websites, it can be an approval prompt sent to a smartphone app after you enter your password.
The conventional wisdom is that MFA will increase your security. But unfortunately, this conventional wisdom will soon be inadequate.
Make no mistake, MFA will soon no longer protect you from phishing attacks, thanks to a new class of phishing technology.
To understand why, let’s take a brief look at the history of these types of attacks. In the past, phishing was just a means for hackers to harvest your password. After stealing it, the hacker then attempted to log into the real website using your stolen credentials. If you had MFA set up, this would stop the hacker, because there was a time lag between when your password was stolen and when the hacker used it to log into your account, and the one-time code the hacker would have needed was never captured.
Today, hackers have grown a lot more sophisticated: there is no such time lag. First, when you visit the phishing website, it retrieves the content from the real website and relays it back to you, so the page looks genuine. When you enter your password on the phishing website, it uses that password to log into your account on the real website at the same moment.
What if the real website asks for your MFA? The phishing website…
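As an added illustration (not part of the original article), the following Python model shows why a one-time code relayed by a phishing site in real time is accepted by the real website, and goes one step beyond the text to show why a credential bound to the origin the browser is actually talking to is not. The HMAC challenge signing is a simplified stand-in for a WebAuthn/FIDO2 assertion, not a real implementation; all names, origins and values are constructed.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://bank.example"           # constructed real site
PHISH_ORIGIN = "https://bank-login.example"    # constructed look-alike site


class RealSite:
    """Relying party: checks a password + OTP, or an origin-bound signature."""

    def __init__(self, password, otp, device_key):
        self.password, self.otp, self.device_key = password, otp, device_key
        self.challenge = None

    def login_with_otp(self, password, otp):
        # An OTP carries no information about WHERE the user typed it,
        # so a code relayed from the phishing page is indistinguishable.
        return password == self.password and otp == self.otp

    def start_origin_bound_login(self):
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def finish_origin_bound_login(self, signature):
        # The server checks the signature over (challenge, ITS OWN origin);
        # a signature produced for any other origin will not match.
        msg = f"{self.challenge}|{REAL_ORIGIN}".encode()
        expected = hmac.new(self.device_key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)


class UserDevice:
    def __init__(self, device_key):
        self.device_key = device_key

    def sign(self, challenge, origin_seen_by_browser):
        # The browser binds the origin it is really connected to into the
        # signed data; the user cannot be tricked into changing it.
        msg = f"{challenge}|{origin_seen_by_browser}".encode()
        return hmac.new(self.device_key, msg, hashlib.sha256).hexdigest()


def relayed_otp_login(site, password, otp):
    # Phishing proxy forwards the stolen password and OTP immediately.
    return site.login_with_otp(password, otp)


def relayed_origin_bound_login(site, device):
    challenge = site.start_origin_bound_login()   # proxy fetches the challenge
    signature = device.sign(challenge, PHISH_ORIGIN)  # browser is on phish site
    return site.finish_origin_bound_login(signature)


def legitimate_origin_bound_login(site, device):
    challenge = site.start_origin_bound_login()
    return site.finish_origin_bound_login(device.sign(challenge, REAL_ORIGIN))
```

The first function returns True (the relayed OTP is accepted), the second returns False (the origin mismatch is rejected), and the third returns True for a direct visit.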