Online threats are constantly evolving, so it’s often difficult, even counterproductive, to compare how useful a security control is in today’s threat environment to the threat environment of a few years ago. But it’s important to stay on top of whether so-called cybersecurity “best practices” are actually protecting people, especially because there’s so little good empirical data available about how effective they are. We just recently received some new data from Google suggesting that multifactor authentication may not be as useful now as it once was—but that doesn’t mean you shouldn’t use it. It just means that attackers may be changing their methods to routinely circumvent the now ubiquitous log-in technology that was supposed to save us from all but the most sophisticated phishing attacks.
Multifactor authentication has been a go-to cybersecurity recommendation for organizations across the public and private sectors for at least five years now. Unlike password length and complexity requirements, which just helped protect users from dictionary or brute-force attacks in which attackers tried to guess passwords using common combinations of letters and numbers, multifactor authentication goes one step further to protect against phishing attacks. If someone steals your password using a phishing message or website, then it doesn’t matter how complicated that password is; the attacker just has to copy and paste it into the login page. Multifactor authentication adds an additional step to that login process, requiring those would-be account hijackers to also access the user’s smartphone or security key or other device to enter a second authentication factor in addition to that password. Five years ago, that explanation would have been necessary in an article like this one, but today you almost certainly are already familiar with these two-factor systems and use them, either by choice or by requirement, for several of your online accounts. That’s because they’ve been widely regarded as one of the most effective ways to mitigate phishing and other forms of account hijacking.
So it was a little startling earlier this month when Google released research about its two-step verification system that suggested its expansion of multifactor authentication—bringing it to more than 150 million people in the past year—has only reduced account compromises by 50 percent.
That’s great—except it’s a much less significant reduction in account compromises than Google reported just three years ago, in 2019. In its 2019 study of user accounts that had two-step verification enabled, Google found that SMS-based multifactor authentication, in which the second factor is a code sent to the user via text message, successfully blocked 100 percent of automated bots, 96 percent of bulk phishing attacks, and 76 percent of targeted attacks. The more secure form of multifactor authentication, in which users perform the second step of authentication using an on-device prompt, prevented 100 percent of bots, 99 percent of bulk phishing attacks, and 90 percent of targeted attacks. To state the obvious: Those are much more impressive success rates than the 50 percent reduction in account hijackings that Google reported recently. In 2020, Microsoft also reinforced the effectiveness of multi-factor authentication by announcing at the RSA security conference that 99.9 percent of the compromised accounts it tracked didn’t use multifactor authentication.
There are some important differences between the 2022 and 2019 Google datasets. For instance, the most recent statistic comes after Google significantly expanded its two-step verification program in 2021 by “auto-enabling” multifactor authentication for more than 150 million users plus 2 million YouTube creators who had not previously enrolled in the voluntary program. It’s not clear how exactly Google selected who would be automatically enrolled in the program, but at the very least it had to be users who had provided Google with a phone number, so it can’t have been a randomly selected sample. (The earlier study from 2019 looked at 1.2 million Google users who had voluntarily opted in to multifactor authentication.)
The 2019 study also provided a much more granular breakdown of the types of different second factors used by those people and how effective each one was. It’s not clear how many of the 150 million users who were auto-enrolled were using SMS verification versus on-device prompts or other second factors like security keys. One possible explanation for the lower success rate in 2021 is that more of the users were relying on the less secure SMS-based verification system. We’ve known for years that SMS authentication is less secure than many other forms of two-factor authentication because of the potential for adversaries to do SIM swapping and intercept text messages with authentication codes by stealing victims’ mobile phone numbers. But even if all of the 150 million people Google auto-enrolled in two-step verification in 2021 were using SMS messages for their second step, that should still have been more successful than just blocking compromises 50 percent of the time, based on the 2019 estimates.
Another important difference is that the 2019 study looked at 350,000 real-world hijacking attempts that were blocked by multifactor authentication. The more recent numbers appear to compare the number of compromised accounts before and after the auto-enrollment in the multifactor program, rather than looking at how many attacks were actually prevented in real time. So it’s possible that the number of account hijacking attempts increased enormously in 2021 and the reduction in compromised accounts was comparatively smaller during that period.
But it’s also possible—and this is why it’s so important to be constantly re-evaluating even the security measures that have been most widely adopted and highly regarded by experts—that multifactor authentication isn’t as effective as it used to be. This could be because attackers are getting better at leveraging techniques that circumvent multifactor authentication, for instance by intercepting the verification codes and messages through stolen text messages, or by stealing cookies from users’ browsers after they have already completed their verification. When you successfully authenticate to a website, whether using one factor or several, your browser typically stores a session ID for that interaction with the website in a browser cookie. If a hacker is able to steal that session ID from your browser and mimic your cookie, then they may be able to trick the website into believing that they’ve already authenticated, thereby bypassing the multi-factor authentication protections altogether. In January, CrowdStrike noted that Russian intelligence had been making increasing use of these types of attacks to get around multifactor authentication, for instance.
Even if it is the case that attackers are getting better at bypassing multifactor authentication, that doesn’t mean that it’s not a useful tool or we shouldn’t be using it—we absolutely should. But if its effectiveness has declined as significantly as the latest Google numbers would seem to suggest, then we probably shouldn’t be relying on it quite so heavily. Right now, lots of organizations use it as their primary line of defense against account hijacking. If SIM swapping and cookie theft are on the rise, though, those organizations should also be thinking about prohibiting SMS-based two-factor authentication and focusing more attention on browser and cookie security.
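To make the session-cookie point concrete, here is an added sketch (not from Google's research or any product discussed above) of a server-side session check, first trusting the cookie alone and then binding the session to the client and limiting its age. The class and function names are hypothetical, and `client_ctx` is an assumed stand-in for whatever client signal a real service can observe.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Toy server-side session table keyed by the cookie's session ID."""
    def __init__(self, bind_to_client, max_age=900):
        self.bind_to_client = bind_to_client  # False = cookie alone is enough
        self.max_age = max_age                # seconds before login is required again
        self.sessions = {}

    @staticmethod
    def _digest(client_ctx):
        return hashlib.sha256(client_ctx.encode()).digest()

    def login(self, user, password_ok, second_factor_ok, client_ctx):
        """Both factors are checked here, and only here."""
        if not (password_ok and second_factor_ok):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, self._digest(client_ctx), time.time())
        return sid

    def authorize(self, sid, client_ctx, now=None):
        """Return 'ok', 'reauth' (session revoked, log in again) or 'deny'."""
        now = time.time() if now is None else now
        record = self.sessions.get(sid)
        if record is None:
            return "deny"
        _, ctx_digest, issued = record
        if not self.bind_to_client:
            return "ok"  # no factor is re-checked: whoever holds sid is the user
        same_client = hmac.compare_digest(ctx_digest, self._digest(client_ctx))
        if not same_client or now - issued > self.max_age:
            del self.sessions[sid]  # revoke, so every copy of the cookie is dead
            return "reauth"
        return "ok"


def replay_outcomes(bind_to_client):
    """Constructed scenario: a cookie issued to one client is presented by another."""
    store = SessionStore(bind_to_client)
    sid = store.login("alice", True, True, "laptop-A")  # full two-factor login
    owner = store.authorize(sid, "laptop-A")
    replayed = store.authorize(sid, "unknown-host-B")   # same cookie, other client
    owner_after = store.authorize(sid, "laptop-A")
    return owner, replayed, owner_after
```

With the cookie-only check the replayed session is accepted even though the login itself required both factors; with binding enabled the mismatch revokes the session and forces a fresh two-factor login.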
We often talk about the idea that the cyber threat landscape is constantly evolving as technology changes and attackers discover new ways to infiltrate systems, but it’s still a little startling to be reminded that in the span of just a few years something that had seemed like the gold standard for protecting against certain types of attacks can very quickly start to look like a solution that’s only 50 percent effective.
Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.