As the saying goes, malicious actors don’t break in—they log in. This rings especially true in today's cybersecurity landscape. Organizations are increasingly challenged to protect their employees from credential phishing, a threat that has only intensified with the rise of “MFA bypass” attacks.

In an MFA bypass attack, attackers use social engineering to lure victims to a look-alike website and have them enter their username and password there. If the victim uses a traditional MFA method, such as an SMS code, an authenticator app, or a push notification, the attackers simply prompt for the code or trigger the push, then relay whatever the victim provides to the real service before it expires. Nothing about an SMS or app-generated code ties it to the site where it was typed, so a code entered on the fake site works just as well on the real one. Attackers who can convince a victim to hand over a username and password usually have little trouble persuading them to hand over the MFA code or approve the prompt as well.

It’s important to note that any form of MFA is better than none. However, recent attacks highlight that legacy MFA methods are no match for modern, sophisticated threats. So, what can organizations do to strengthen their defenses? One answer can be found in a new case study.

CISA and the USDA have just released a case study detailing how the USDA implemented FIDO authentication across its workforce of approximately 40,000 employees. While the majority of USDA staff use government-standard Personal Identity Verification (PIV) smartcards, this solution wasn’t suitable for all employees, including seasonal workers or those in specialized lab environments where standard PIV cards could be damaged by decontamination procedures. This case study explores the challenges the USDA faced, how they developed their identity management system, and offers recommendations for other organizations. One key takeaway: "Always be piloting."

FIDO authentication directly addresses MFA bypass attacks. Instead of a code the user reads and retypes, the user's device holds a private key, and the browser or operating system will only sign a login challenge for the website the credential was registered with, with the real page origin included in what gets signed. A look-alike domain can neither obtain that signature nor reuse one captured elsewhere. The necessary support is already built into the operating systems, phones, and browsers organizations use today, and popular websites and Single Sign-On (SSO) providers accept FIDO authentication as well.

What is truly remarkable about FIDO is that even if attackers build a convincing phishing site and trick staff into typing their password there, the account remains secure: there is no code for the victim to read out, and the FIDO credential will not produce a signature the attacker's domain can use.
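The origin binding that makes this work, shown as an added example that is not part of CISA's post or of the USDA case study: the Go program below models the three parties in a WebAuthn (FIDO2) login ceremony, an authenticator holding a key pair scoped to one RP ID, the browser, and the relying party, and then runs a genuine login and a look-alike phishing login through it. The domain names (login.example.gov, login-example-gov.attacker.example) are constructed for the illustration, the browser's rpId rule is simplified (it ignores public-suffix handling), and authenticatorData is reduced to rpIdHash, flags and counter; everything else follows the WebAuthn assertion format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// clientData is the part of WebAuthn CollectedClientData that carries the origin binding.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type Authenticator struct { // one credential key pair, scoped at registration to a single RP ID
	rpID string
	priv *ecdsa.PrivateKey
}
type RelyingParty struct { // the registered public key and the only origin logins are accepted from
	rpID, origin string
	pub          *ecdsa.PublicKey
}

// Setup registers a fresh P-256 credential for rpID at origin and returns both sides (constructed names).
func Setup(rpID, origin string) (*Authenticator, *RelyingParty) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only an RNG failure can get here
	}
	return &Authenticator{rpID, priv}, &RelyingParty{rpID, origin, &priv.PublicKey}
}

// NewChallenge is the RP's fresh per-login nonce; it makes a captured assertion non-replayable.
func NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // documented never to fail in Go 1.24+; check the error on older releases
	return base64.RawURLEncoding.EncodeToString(b)
}

// rpIDMatchesOrigin is the browser's rule (simplified): HTTPS, and rpId is the page's host or a parent domain of it.
func rpIDMatchesOrigin(rpID, origin string) bool {
	u, err := url.Parse(origin)
	return err == nil && u.Scheme == "https" && (u.Hostname() == rpID || strings.HasSuffix(u.Hostname(), "."+rpID))
}

func signedBytes(authData, cd []byte) []byte { // signature base: SHA-256(authenticatorData || SHA-256(clientDataJSON))
	cdHash := sha256.Sum256(cd)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// BrowserGet models navigator.credentials.get(). The browser, not the page, decides whether the
// page may use rpID at all and writes the real page origin into clientData before it is signed.
func BrowserGet(auth *Authenticator, pageOrigin, rpID, challenge string) (authData, cd, sig []byte, err error) {
	if !rpIDMatchesOrigin(rpID, pageOrigin) || rpID != auth.rpID {
		return nil, nil, nil, errors.New("browser: rpId not valid for this origin, or no credential registered for it")
	}
	cd, _ = json.Marshal(clientData{"webauthn.get", challenge, pageOrigin}) // cannot fail for this struct
	rpIDHash := sha256.Sum256([]byte(auth.rpID))
	authData = append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signature counter = 1
	sig, err = ecdsa.SignASN1(rand.Reader, auth.priv, signedBytes(authData, cd))
	return authData, cd, sig, err
}

// Verify is the RP-side check; each case is a reason a relayed, replayed or altered assertion fails.
func (rp *RelyingParty) Verify(authData, clientDataJSON, sig []byte, challenge string) error {
	var cd clientData
	want := sha256.Sum256([]byte(rp.rpID))
	switch {
	case json.Unmarshal(clientDataJSON, &cd) != nil || cd.Type != "webauthn.get":
		return errors.New("malformed clientData or wrong ceremony type")
	case cd.Challenge != challenge:
		return errors.New("stale or replayed challenge")
	case cd.Origin != rp.origin:
		return fmt.Errorf("origin %q rejected: the assertion was produced on another site", cd.Origin)
	case len(authData) < 37 || string(authData[:32]) != string(want[:]):
		return errors.New("rpIdHash mismatch: credential was not registered with this RP")
	case !ecdsa.VerifyASN1(rp.pub, signedBytes(authData, clientDataJSON), sig):
		return errors.New("bad signature: clientData or authenticatorData was altered")
	}
	return nil
}

func main() {
	auth, rp := Setup("login.example.gov", "https://login.example.gov")
	ch := NewChallenge()
	for _, origin := range []string{"https://login.example.gov", "https://login-example-gov.attacker.example"} {
		ad, cd, sig, err := BrowserGet(auth, origin, "login.example.gov", ch)
		if err == nil {
			err = rp.Verify(ad, cd, sig, ch) // nil means the login was accepted
		}
		fmt.Printf("%s -> %v\n", origin, err)
	}
}
```

Run as written, the genuine origin verifies and the look-alike origin is stopped before anything is signed, because the browser will not let attacker.example claim login.example.gov as its rpId, and no credential exists for the attacker's own domain. The RP-side origin check matters too: a page on a sibling origin such as https://sso.login.example.gov is allowed by the browser to use the rpId, yet the RP still rejects it unless that exact origin was configured, and rewriting the origin field after the fact invalidates the signature. Contrast this with the relay described above: a six-digit code carries no origin, so the real service cannot tell where it was typed.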

The USDA’s success story serves as a powerful example for all organizations to migrate to FIDO authentication. With rising threats, customers expect their providers to prioritize security. Organizations must evolve their defenses to safeguard against one of the most common and effective attack vectors in today’s cyber threat landscape.
