{"id":21673,"date":"2022-04-15T21:10:25","date_gmt":"2022-04-15T21:10:25","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=21673"},"modified":"2023-11-14T16:09:09","modified_gmt":"2023-11-14T16:09:09","slug":"mfa-advantages-and-weaknesses","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/","title":{"rendered":"MFA Advantages and Weaknesses"},"content":{"rendered":"<p>Not everyone adopts <a href=\"https:\/\/www.esecurityplanet.com\/mobile\/multi-factor-authentication\/\">multi-factor authentication (MFA)<\/a> to secure their accounts. Many stick with simple username and password combinations despite the weaknesses of this authentication method.<\/p>\n<p>Yet if someone wanted to enable MFA, which option should they use? Each MFA option suffers vulnerabilities and creates user friction, so IT managers need to select the MFA option that best suits their users and their security concerns.<\/p>\n<h2>The Problem with Passwords<\/h2>\n<p>Passwords are the most common method of authentication. 
Unfortunately, most implementations tend to be weakened by poor human habits and old technology standards.<\/p>\n<p>The standard minimum is to require eight-character passwords with complexity, where complexity consists of a mix of upper and lower case alphabet characters, numbers, and special characters. However, brute-force hacking has reached the point that seven-character passwords with complexity will be brute-forced nearly immediately and eight-character passwords merely take one hour to crack.<\/p>\n<p>As if their crackability wasn\u2019t bad enough, many attackers <a href=\"https:\/\/haveibeenpwned.com\/\" target=\"_blank\" rel=\"noopener\">already have the passwords<\/a> and don\u2019t need to apply brute-force attacks. LastPass surveys estimate that 44% of users use the same or similar password, despite knowing it represents a security risk.<\/p>\n<p>SpyCloud observations found that <a href=\"https:\/\/spycloud.com\/password-reuse\/\" target=\"_blank\" rel=\"noopener\">this reuse tends to be exploited<\/a>. Nearly 60% of data breaches in 2020 involved reused passwords, and this number increased to 76% for breaches for employees of the Fortune 1000.<\/p>\n<p><strong>Also read<\/strong>:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.esecurityplanet.com\/products\/best-password-managers\/\">Best Password Management Software and Tools<\/a><\/li>\n<li><a href=\"https:\/\/www.esecurityplanet.com\/trends\/passwordless-authentication-101\/\">Passwordless Authentication 101<\/a><\/li>\n<\/ul>\n<h2>MFA Improvements<\/h2>\n<p>Using two or more authentication methods becomes two-factor (2FA) or multi-factor authentication. MFA use can be a hassle for users and is not universally adopted.<\/p>\n<p>Microsoft finds that only 22% of its Azure Active Directory customers used MFA to secure their accounts in 2020 and only 11% of their enterprise cloud users overall. 
Of 1.2 million Microsoft enterprise accounts compromised in an average month, 99.9% will not have MFA enabled.<\/p>\n<p>However, MFA has been widely shown to be effective in dramatically reducing compromise. After Google enabled 2FA automatically for 150 million users and 2 million YouTube creators, it documented a 50% decrease in account compromise.<\/p>\n<h2>MFA Basics<\/h2>\n<p>Authentication can be set up via one of four categories:<\/p>\n<ul>\n<li><strong>Something you are:<\/strong> Biometrics, such as facial recognition, thumbprint, voiceprint, etc.<\/li>\n<li><strong>Something you have:<\/strong> A specific device like a computer, iPad, or phone; a device generating a code like Smart Cards, ID badges, keys, token devices, etc.; and an app tied to a device such as Google Authenticator<\/li>\n<li><strong>Something you know:<\/strong> Password, passphrase, etc.<\/li>\n<li><strong>Somewhere you are:<\/strong> IP address or geographic region<\/li>\n<\/ul>\n<p>Since username and password tends to be one of the forms of authentication, using one or more of the other methods would be the second type of authentication.<\/p>\n<p>In general, each classification of MFA may suffer one of three potential issues:<\/p>\n<ol>\n<li>Setup difficulties<\/li>\n<li>Stolen credentials<\/li>\n<li>Corrupted credentials<\/li>\n<\/ol>\n<h3>Something You Are<\/h3>\n<p>Something you are generally uses biometrics. Biometrics continue to increase in adoption, but many web applications and hardware devices do not support biometrics. Setup difficulties typically include the need for specialized software or peripherals, which <a href=\"https:\/\/support.lenovo.com\/us\/en\/product_security\/len-15999\" target=\"_blank\" rel=\"noopener\">may have flaws of their own<\/a>.<\/p>\n<p>Biometrics are the most resistant authentication to credential theft; however, biometrics can be vulnerable to involuntary authorization. 
For example, if a person is using a fingerprint biometric for their phone, an expert hacker in a different country would not be able to easily steal that person\u2019s finger through the internet, but their six-year-old child could <a href=\"https:\/\/www.inquisitr.com\/3835324\/apple-iphone-fingerprint-touch-id-pokemon\/\" target=\"_blank\" rel=\"noopener\">easily access the finger while they sleep<\/a>.<\/p>\n<p>Biometrics can also be susceptible to corruption due to physical trauma. For example, voice recognition may fail after a user suffers a stroke, or scarring from an accident could cause fingerprint recognition to fail.<\/p>\n<h3>Something You Have<\/h3>\n<p>Something you have is one of the older forms of MFA and enjoys wide adoption. This category of authentication includes:<\/p>\n<ul>\n<li>USB peripherals and physical security tokens<\/li>\n<li>Apps on phones (that prove you have the phone)<\/li>\n<li>MAC address white listing or certificate authentications for authorized hardware<\/li>\n<\/ul>\n<p>Unfortunately, newer web apps will not support all forms of this authentication due to licensing costs, and sometimes setup will also need to be done on an individual basis, which creates scaling difficulties for larger organizations.<\/p>\n<p>Physical tokens, peripherals, phones, and computers are difficult for hackers to steal through virtual means. However, this difficulty does not eliminate the issues of theft or replication in specific circumstances. For example, someone with physical access can walk away with a USB authenticator, or a hacker can break into a badge administration database and replicate badges.<\/p>\n<p>Something you have also tends to be vulnerable to human error because people regularly forget their keys, badges, or USB token devices. 
For traveling employees, it is also quite common to leave behind their phone or laptop in taxis, restaurants, hotels, or on airplanes.<\/p>\n<h3>Something You Know<\/h3>\n<p>Something you know is usually a password for a given user ID, and it is the most common authentication method and the easiest to set up. In theory, it is also the least susceptible to theft since cyberattackers cannot reach into our heads.<\/p>\n<p>However, in practice people have crowded and forgetful minds, which makes this authentication method easily corruptible and leads to compensating habits that enable credential theft. As noted above, people often reuse passwords to make recall easier, and many others use simple passwords or write passwords down on paper.<\/p>\n<p>Using complex passwords or pass-phrases of more than 12 characters is not always supported, and many organizations have not adopted <a href=\"https:\/\/www.esecurityplanet.com\/products\/best-password-managers\/\">password managers<\/a> to help their employees manage their passwords. Additionally, while password encryption may be defined as a best practice, many organizations fail to protect passwords properly until after they have been breached, so this category will likely remain vulnerable for some time.<\/p>\n<h3>Somewhere You Are<\/h3>\n<p>Somewhere you are will not always be listed as an option for MFA, but it is possible to <a href=\"https:\/\/www.esecurityplanet.com\/applications\/whitelisting-vs-blacklisting-which-is-better\/\">whitelist<\/a> IP addresses or limit access to certain geographic areas. This method has not been widely adopted and will not often be an option available for web apps.<\/p>\n<p>Geographical location cannot be stolen, but it can be spoofed. Malicious attackers can use <a href=\"https:\/\/www.esecurityplanet.com\/products\/enterprise-vpn-solutions\/\">VPNs<\/a> to make it appear that their computer is located somewhere else. 
However, it is much more difficult to spoof an IP address.<\/p>\n<p>While geographical location will not be corrupted, it can be rendered invalid by travel. IT managers often decline to enable this type of authentication for executives and sales reps that must regularly visit clients. Since it will be difficult to obtain IP addresses and geographic itineraries in advance, managing somewhere-you-are authentication can become burdensome.<\/p>\n<h2>MFA Attacks<\/h2>\n<p>With the rising adoption of MFA, attackers have developed counters. Currently, man-in-the-middle attacks and credential-stealing <a href=\"https:\/\/www.esecurityplanet.com\/threats\/malware-types\/\">malware<\/a> are the most common methods attackers use to obtain MFA credentials from the victim.<\/p>\n<h3>Credential-Stealing Malware<\/h3>\n<p>The weakest link remains the user. People can be tricked into downloading malicious software through phishing or even through malicious apps. These attacks steal MFA codes, authentication certificates, or <a href=\"https:\/\/stealthbits.com\/blog\/bypassing-mfa-with-pass-the-cookie\/\" target=\"_blank\" rel=\"noopener\">authentication cookies<\/a> from browsers to provide access to the attacker instead.<\/p>\n<p>This method can be difficult to counter with technology. Still, the same methods used to educate users about <a href=\"https:\/\/www.esecurityplanet.com\/threats\/phishing-attacks\/\">phishing attacks<\/a> would apply to most scenarios and should be pursued.<\/p>\n<h3>Man-in-the-Middle Attacks<\/h3>\n<p>Commonly deployed through phishing, the man-in-the-middle (MITM) attacker creates a look-alike resource, such as an email service login page or a <a href=\"https:\/\/krebsonsecurity.com\/2021\/11\/the-zelle-fraud-scam-how-it-works-how-to-fight-back\/#more-57594\" target=\"_blank\" rel=\"noopener\">phone call from a customer service representative<\/a>, that seems genuine to the victim. 
The fake resource will duplicate the expected processes of the actual resource and will pass through credentials to the genuine resource to trigger the MFA prompt.<\/p>\n<p>Once the MFA authentication is routed to the user, the victim delivers that authentication code to the attacker through the fake resource. Using the intercepted code, the attacker can then execute a take-over of the genuine resource.<\/p>\n<p>The most dangerous MITM attack exploits the SMS text authentication commonly used to provide 2FA for accessing checking accounts, brokerage accounts, Gmail, etc. Attackers execute <a href=\"https:\/\/www.ic3.gov\/Media\/Y2022\/PSA220208\" target=\"_blank\" rel=\"noopener\">SIM swap attacks<\/a> to fraudulently redirect the phone calls and texts to a phone in their control.<\/p>\n<p>Similar MITM or reverse proxy attacks can easily occur with slight modifications for email, apps, or even certificates. Fortunately, this attack can also be countered.<\/p>\n<p>Microsoft has implemented MTA Strict Transport Security (<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/introducing-mta-sts-for-exchange-online\/ba-p\/3106386\" target=\"_blank\" rel=\"noopener\">MTA-STS<\/a>) support for Exchange Online to counter MITM and downgrade attacks. RADIUS servers can also be used to ensure communication between devices only occurs between pre-authorized devices and pre-authorized servers.<\/p>\n<h2>Still a Good Security Option<\/h2>\n<p>Despite the presence of potential attacks and weaknesses, MFA should be added to security stacks as often as possible. Google and Microsoft proved that adoption of MFA dramatically reduces the number of successful attacks.<\/p>\n<p>Each user, each resource, and each organization will have limitations and preferences when it comes to specific types of MFAs. IT managers need to push towards higher security as they walk the line between insecure accounts and frustrated employees. 
With so many options, they can select an MFA that will not be excessively burdensome to the users and will also reduce risk to the organization.<\/p>\n<p>Read next: <a href=\"https:\/\/www.esecurityplanet.com\/products\/best-iam-software\/\">Best Identity and Access Management (IAM) Solutions<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Not everyone adopts multi-factor authentication (MFA) to secure their accounts. 
Many stick with simple username and password combinations despite the weaknesses of this authentication method. Yet if someone wanted to enable MFA, which option should they use? Each MFA option suffers vulnerabilities and creates user friction, so IT managers need to select the MFA option [&hellip;]<\/p>\n","protected":false},"author":271,"featured_media":17797,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_gazelle_contributing_experts":"","footnotes":""},"categories":[22],"tags":[12335,7253,26748],"b2b_audience":[33],"b2b_industry":[],"b2b_product":[31781],"class_list":["post-21673","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-applications","tag-iam","tag-multi-factor-authentication","tag-password-managers","b2b_audience-awareness-and-consideration","b2b_product-multi-factor-access-management"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>MFA Advantages and Weaknesses | eSecurity Planet<\/title>\n<meta name=\"description\" content=\"Multi-factor authentication has a number of weaknesses but is still a good security tool. Here&#039;s how to use MFA safely.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"MFA Advantages and Weaknesses | eSecurity Planet\" \/>\n<meta property=\"og:description\" content=\"Multi-factor authentication has a number of weaknesses but is still a good security tool. 
Here&#039;s how to use MFA safely.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/\" \/>\n<meta property=\"og:site_name\" content=\"eSecurity Planet\" \/>\n<meta property=\"article:published_time\" content=\"2022-04-15T21:10:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-11-14T16:09:09+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/12\/hacker-3342696_1920-e1672947320490.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"900\" \/>\n\t<meta property=\"og:image:height\" content=\"692\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Chad Kime\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:site\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Chad Kime\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/\"},\"author\":{\"name\":\"Chad Kime\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/86e8ee2d3bc71af07dbe303d16f17dc9\"},\"headline\":\"MFA Advantages and Weaknesses\",\"datePublished\":\"2022-04-15T21:10:25+00:00\",\"dateModified\":\"2023-11-14T16:09:09+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/\"},\"wordCount\":1515,\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/12\/hacker-3342696_1920-e1672947320490.jpg\",\"keywords\":[\"IAM\",\"multi-factor authentication\",\"password managers\"],\"articleSection\":[\"Applications\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/\",\"url\":\"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/\",\"name\":\"MFA Advantages and Weaknesses | eSecurity 
Planet\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/12\/hacker-3342696_1920-e1672947320490.jpg\",\"datePublished\":\"2022-04-15T21:10:25+00:00\",\"dateModified\":\"2023-11-14T16:09:09+00:00\",\"description\":\"Multi-factor authentication has a number of weaknesses but is still a good security tool. Here's how to use MFA safely.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/#primaryimage\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/12\/hacker-3342696_1920-e1672947320490.jpg\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/12\/hacker-3342696_1920-e1672947320490.jpg\",\"width\":900,\"height\":692,\"caption\":\"Cybersecurity hacker\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esecurityplanet.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"MFA Advantages and Weaknesses\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"name\":\"eSecurity Planet\",\"description\":\"Industry-leading guidance and analysis for how to keep 
your business secure.\",\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esecurityplanet.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\",\"name\":\"eSecurityPlanet\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"width\":1134,\"height\":375,\"caption\":\"eSecurityPlanet\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/eSecurityPlanet\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/86e8ee2d3bc71af07dbe303d16f17dc9\",\"name\":\"Chad Kime\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/08\/2023-Kime-HeadShot-150x150.jpg\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/08\/2023-Kime-HeadShot-150x150.jpg\",\"caption\":\"Chad Kime\"},\"description\":\"eSecurity Planet lead writer Chad Kime covers a variety of security, compliance, and risk topics. Before joining the site, Chad studied electrical engineering at UCLA, earned an MBA from USC, managed 200+ ediscovery cases, and helped market a number of IT and cybersecurity products, then transitioned into technical writing policies and penetration test reports for MSPs and MSSPs. 
In his free time, Chad enjoys walks on the beach with his wife, annoying his children, and trying to carve out time for movies, books, video games, and bike rides.\",\"url\":\"https:\/\/www.esecurityplanet.com\/author\/chad-kime\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"MFA Advantages and Weaknesses | eSecurity Planet","description":"Multi-factor authentication has a number of weaknesses but is still a good security tool. Here's how to use MFA safely.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/","og_locale":"en_US","og_type":"article","og_title":"MFA Advantages and Weaknesses | eSecurity Planet","og_description":"Multi-factor authentication has a number of weaknesses but is still a good security tool. Here's how to use MFA safely.","og_url":"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/","og_site_name":"eSecurity Planet","article_published_time":"2022-04-15T21:10:25+00:00","article_modified_time":"2023-11-14T16:09:09+00:00","og_image":[{"width":900,"height":692,"url":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/12\/hacker-3342696_1920-e1672947320490.jpg","type":"image\/jpeg"}],"author":"Chad Kime","twitter_card":"summary_large_image","twitter_creator":"@eSecurityPlanet","twitter_site":"@eSecurityPlanet","twitter_misc":{"Written by":"Chad Kime","Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/#article","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/"},"author":{"name":"Chad Kime","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/86e8ee2d3bc71af07dbe303d16f17dc9"},"headline":"MFA Advantages and Weaknesses","datePublished":"2022-04-15T21:10:25+00:00","dateModified":"2023-11-14T16:09:09+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/"},"wordCount":1515,"publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/12\/hacker-3342696_1920-e1672947320490.jpg","keywords":["IAM","multi-factor authentication","password managers"],"articleSection":["Applications"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/","url":"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/","name":"MFA Advantages and Weaknesses | eSecurity Planet","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/#primaryimage"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/12\/hacker-3342696_1920-e1672947320490.jpg","datePublished":"2022-04-15T21:10:25+00:00","dateModified":"2023-11-14T16:09:09+00:00","description":"Multi-factor authentication has a number of weaknesses but is still a good security tool. 
Here's how to use MFA safely.","breadcrumb":{"@id":"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/#primaryimage","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/12\/hacker-3342696_1920-e1672947320490.jpg","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/12\/hacker-3342696_1920-e1672947320490.jpg","width":900,"height":692,"caption":"Cybersecurity hacker"},{"@type":"BreadcrumbList","@id":"https:\/\/www.esecurityplanet.com\/applications\/mfa-advantages-and-weaknesses\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esecurityplanet.com\/"},{"@type":"ListItem","position":2,"name":"MFA Advantages and Weaknesses"}]},{"@type":"WebSite","@id":"https:\/\/www.esecurityplanet.com\/#website","url":"https:\/\/www.esecurityplanet.com\/","name":"eSecurity Planet","description":"Industry-leading guidance and analysis for how to keep your business secure.","publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esecurityplanet.com\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esecurityplanet.com\/#organization","name":"eSecurityPlanet","url":"https:\/\/www.esecurityplanet.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","width":1134,"height":375,"caption":"eSecurityPlanet"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/eSecurityPlanet"]},{"@type":"Person","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/86e8ee2d3bc71af07dbe303d16f17dc9","name":"Chad Kime","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/08\/2023-Kime-HeadShot-150x150.jpg","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/08\/2023-Kime-HeadShot-150x150.jpg","caption":"Chad Kime"},"description":"eSecurity Planet lead writer Chad Kime covers a variety of security, compliance, and risk topics. Before joining the site, Chad studied electrical engineering at UCLA, earned an MBA from USC, managed 200+ ediscovery cases, and helped market a number of IT and cybersecurity products, then transitioned into technical writing policies and penetration test reports for MSPs and MSSPs. 
In his free time, Chad enjoys walks on the beach with his wife, annoying his children, and trying to carve out time for movies, books, video games, and bike rides.","url":"https:\/\/www.esecurityplanet.com\/author\/chad-kime\/"}]}},"_links":{"self":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/21673"}],"collection":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/users\/271"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/comments?post=21673"}],"version-history":[{"count":1,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/21673\/revisions"}],"predecessor-version":[{"id":32833,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/21673\/revisions\/32833"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media\/17797"}],"wp:attachment":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media?parent=21673"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/categories?post=21673"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/tags?post=21673"},{"taxonomy":"b2b_audience","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_audience?post=21673"},{"taxonomy":"b2b_industry","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_industry?post=21673"},{"taxonomy":"b2b_product","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_product?post=21673"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}