Ben's Book of the Month: "Hacking Multifactor Authentication"


Posted on by Ben Rothke

In elementary school, there was always that one annoying kid who went out of his way to let you know that the tooth fairy was not real. For many children, finding out that the tooth fairy is a fairytale was quite disconcerting. But their ennui was often temporary once they received money for the tooth.

In Hacking Multifactor Authentication (Wiley), author Roger Grimes plays the role of that kid. While he’s not annoying, that same level of ennui may plague many in the technology space when they find out that multi-factor authentication (MFA) is not the bulletproof security panacea that they were led to believe.

Not that MFA is not an excellent and necessary information security technology and solution. Rather that many people think that once they use MFA, most of their authentication problems are solved. But MFA, like every information security solution, can be hacked. Often, MFA can be hacked due to user misconfigurations or other issues.

In this important book, Grimes details over 20 ways in which MFA solutions can be hacked. Some of them are harder than others, but he also details ways to protect and defend against these attacks. But the underlying message is that while MFA brings a lot to the security table, that table can still be hacked.

The first four chapters provide an excellent overview of passwords, authentication, security and more. And the next 21 chapters give an encyclopedic survey of the many ways in which MFA can be compromised and attacked. From endpoint attacks to subject attacks, fake authentication attacks and more, Grimes details MFA attacks you may be aware of and many that you did not know even existed.

After reading a few hundred pages about MFA vulnerabilities, the book details how you can deploy secure MFA solutions. MFA is not monolithic, and with over 100 vendors in the space, selecting the right solution is imperative.

For those looking to deploy MFA, it’s worth buying the book just for the information in chapter 23 on selecting the right MFA solution. There, Grimes details over 100 selection criteria to consider in your MFA deployment. Forget about what Gartner® says about MFA; chapter 23 is what you should be reading first.

I have Hacking Multifactor Authentication on my list of The Best Information Security Books of 2020. For those deploying MFA, it can be a significant cost and will require large amounts of time from your information security team. To ensure they are deploying MFA correctly and securely, make sure they read this book first.

Contributors
Ben Rothke

Senior Information Security Manager, Tapad

Analytics Intelligence & Response

hackers & threats

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs