Passwords are hacked with ease, and MFAs are not the answer. Isn’t it time the biggest companies protect their clients and workforce with an identity-based perimeter?‍

What’s been your highlight this year? Mine was unusual: sitting in a dingy AirBnB in South London with a crack team of hackers. We ran the project as part of a white paper assessing the safety of challenger banks with our partners at WeFightFraud (you can read the alarming results here) led by the charming, cheeky and utterly terrifying Tony Sales.

While the surroundings (and the cold sausage rolls) weren’t exactly memorable, the lesson they taught me was. Because that was the day I saw Multi-Factor Authentication (MFA) completely collapse.

Hypr estimates that between 80-90% of MFA applications is hopelessly easy to breach. All those times you received a text to verify your login to Office 365 or confirmed your email on the very same device used to set up a new account; all pointless. Hackers use some sophisticated (and not-so-sophisticated) methods to bypass MFA so that it’s barely more secure than using a simple password. (And let’s face it, we’re one of the 64% of people that use the same or similar password for everything.)

Attacks include phishing, SMS OTP (those texts purporting to come from Amazon), even social engineering – where the hacker simply calls up the IT help desk and engineers the call centre staff to give up the passwords or reset them to a new mobile number – and MitM (Man in the Middle) can all yield results. And then there’s ‘MFA Fatigue’ – which involves spamming victims with authentication prompts until they grant the attacker access accidentally or out of frustration – perceiving it as a legitimate login attempt or a bug. It is a type of brute force approach to bypassing MFA that takes advantage of how approving MFA requests has become so routine that employees assume the prompts in their authenticator apps are always valid.

Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, is exponentially larger than the damage inflicted from natural disasters in a year, and will be more profitable than the global trade of all major illegal drugs combined.

The global MFA and cloud computing markets are projected to grow by nearly 15.6% and 17.9% by 2027 and 2028 respectively.1,2 Password manager LastPass reported that 95% of organisations in 2021 used software-based authenticators for MFA rather than physical tokens or biometrics.

But given the higher risks of attacks – and the enormous costs in dealing with data breaches and lost business – companies need to look for alternative solutions in 2023.

Several high-profile organisations, including Cisco Talos, Microsoft, and Uber, have been breached by threat actors who have utilised this technique. Whilst MFA plays a significant part in strengthening an organisation’s cybersecurity posture, it is not a ‘silver bullet’.

As a temporary workaround for MFA fatigue, it is likely that organisations will increasingly disable push notifications of “approve sign-in” requests and seek to ensure that number matching and location-based verification is used to gain access to accounts instead.

But nothing matches the security of passwordless ID verification tools. APLYiD specialises in biometrics than can confirm a user’s identity against government and credit bureau records including PEP and sanctions checks in under 90 seconds. By including its API in your company’s authentication and login process that time can be cut even shorter and be a simple, safe and totally secure way of restricting access to your workforce. APLYiD has reduced cybercrime to the tune of over $2 billion dollars in New Zealand alone, and proven over 98% effective in cutting identity theft and data breaches.

Placing an identity ‘perimeter’ around your most valuable data, and unhackable biometric protocols in place to prevent unauthorised access, is the soundest way of futureproofing your business.

And the benefits for your workforce are much greater. No more MFA Fatigue or phishing emails gaining access to your systems. No more social engineering attempts via your IT departments. Just simple access that allows your teams to work virtually, anywhere in the world, with total security.

If we see worldwide adoption of biometric ID perimeters in 2023, then my highlight for the year will be very different. Personally, I’d love to sit in an ugly AirBnB and listen to hackers swearing when they realise they can’t break into the world’s biggest companies.

I’ll probably bring my own sausage rolls this time.

‍