November 2022

When it comes to writing custom tooling for engagements, the motivations associated with it often vary. At a high level, as a consultancy, having the capabilities to produce allows us to offer a niche but more realistic engagement. We can emulate the adversaries who target similar businesses in the same industry – ultimately giving the client a better assessment of their overall security posture through a profound offence against their various defensive capabilities.

Multi-Factor Authentication (MFA) has been widely adopted over the years as a means to enhance the security of authentication processes for all sorts of systems. It has somewhat become a must-have security control in order for organisations to claim that their systems have a withstanding security posture. This is especially true for organisations willing to be compliant with information security specifications, such as ISO 27001 and Cyber Essentials.

However, it has been demonstrated time and again that even when MFA is put in place, it can be circumvented. The recent attack on Uber is a rather convincing example of this. The attack itself is not the topic of this post, but it serves as an incentive to remind ourselves that an authentication process that mandates MFA from its’ users is not impenetrable.

In this blog post, we will be comparing the most common and prominent MFA methods with a focus on their usage within organisations’ internal infrastructure, as that is where the impact can be menacing.