In elementary school, there was always that one annoying kid who went out of his way to let you know that the tooth fairy was not real. For many children, finding out that the tooth fairy is a fairytale was quite disconcerting. But their ennui was often temporary once they received money for the tooth.
In Hacking Multifactor Authentication (Wiley), author Roger Grimes plays the role of that kid. While he’s not annoying, that same level of ennui may plague many in the technology space when they find out that multi-factor authentication (MFA) is not the bulletproof security panacea that they were led to believe.
Not that MFA is not an excellent and necessary information security technology and solution. Rather that many people think that once they use MFA, most of their authentication problems are solved. But MFA, like every information security solution, can be hacked. Often, MFA can be hacked due to user misconfigurations or other issues.
In this important book, Grimes details over 20 ways in which MFA solutions can be hacked. Some of them are harder than others, but he also details ways to protect and defend against these attacks. But the underlying message is that while MFA brings a lot to the security table, that table can still be hacked.
The first four chapters provide an excellent overview of passwords, authentication, security and more. And the next 21 chapters give an encyclopedic survey of the many ways in which MFA can be compromised and attacked. From endpoint attacks to subject attacks, fake authentication attacks and more, Grimes details MFA attacks you may be aware of and many that you did not know even existed.
After reading a few hundred pages about MFA vulnerabilities, the book details how you can deploy secure MFA solutions. MFA is not monolithic, and with over 100 vendors in the space, selecting the right solution is imperative.
For those looking to deploy MFA, it’s worth buying the book just for the information in chapter 23 on selecting the right MFA solution. There, Grimes details over 100 selection criteria to consider in your MFA deployment. Forget about what Gartner® says about MFA; chapter 23 is what you should be reading first.
I have Hacking Multifactor Authentication on my list of The Best Information Security Books of 2020. For those deploying MFA, it can be a significant cost and will require large amounts of time from your information security team. To ensure they are deploying MFA correctly and securely, make sure they read this book first.