
CEO and Co-Founder of Valence Security.

For years, MFA has been heralded as the best defense against phishing.


However, its growing adoption has motivated attackers to find new ways to exploit its weaknesses.

One key weakness is session token abuse: once a user has completed the MFA challenge, the session cookie or token the service issues is what actually grants access, and an attacker who captures it (typically through an adversary-in-the-middle phishing page that proxies the real login) can replay it without ever facing the challenge themselves.

Failing to address these gaps has significant implications, from operational disruption to potential regulatory fines and reputational damage.

What's worse, phishing-as-a-service kits such as Rockstar 2FA make this process seamless, producing campaigns that sidestep MFA without triggering alarms.
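Because a replayed session token never touches the MFA step, the authentication log stays clean and the only evidence is in how the session is used afterwards. The script below is an added example, not code from the author or from Valence Security: it reads a hypothetical JSON-lines activity log (fields ts, session_id, user, ip, user_agent, all constructed sample data) and flags a session ID that reappears from a different client within a short window, which is what a stolen post-MFA cookie looks like in practice.

```python
"""Detect likely session-token replay in sign-in and activity logs.

Added example for this article; it is not code from the author or from
Valence Security. The log format (one JSON object per line with ts,
session_id, user, ip, user_agent) is hypothetical, and every line in
SAMPLE_LOG is constructed, not real traffic.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Constructed sample: session s-7f3a is established by alice and, minutes
# later, reused from a different IP with a different user agent (the
# replay pattern). Session s-91c0 moves IP with the same browser hours
# later, which is what ordinary roaming between networks looks like.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:05Z", "session_id": "s-7f3a", "user": "alice", "ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts": "2024-05-01T09:02:11Z", "session_id": "s-7f3a", "user": "alice", "ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts": "2024-05-01T09:06:40Z", "session_id": "s-7f3a", "user": "alice", "ip": "198.51.100.77", "user_agent": "python-requests/2.31"}
{"ts": "2024-05-01T09:10:00Z", "session_id": "s-91c0", "user": "bob", "ip": "192.0.2.5", "user_agent": "Mozilla/5.0 (Macintosh) Safari/17"}
{"ts": "2024-05-01T13:30:00Z", "session_id": "s-91c0", "user": "bob", "ip": "192.0.2.99", "user_agent": "Mozilla/5.0 (Macintosh) Safari/17"}
"""


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_replays(events: list[dict], window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Return one alert per event where a session_id is reused from a
    different client within `window` of its previous use.

    A changed IP alone is rated "medium" (mobile networks and VPNs move
    users between addresses); a changed user agent mid-session is rated
    "high", because a browser does not change identity while a session
    is live, but a replaying attacker's tooling usually differs from the
    victim's browser.
    """
    last_seen: dict[str, dict] = {}
    alerts = []
    for ev in events:
        prev = last_seen.get(ev["session_id"])
        if prev is not None and ev["ts"] - prev["ts"] <= window:
            ip_changed = prev["ip"] != ev["ip"]
            ua_changed = prev["user_agent"] != ev["user_agent"]
            if ip_changed or ua_changed:
                alerts.append({
                    "session_id": ev["session_id"],
                    "user": ev["user"],
                    "severity": "high" if ua_changed else "medium",
                    "first_client": (prev["ip"], prev["user_agent"]),
                    "second_client": (ev["ip"], ev["user_agent"]),
                    "seconds_apart": int((ev["ts"] - prev["ts"]).total_seconds()),
                })
        last_seen[ev["session_id"]] = ev
    return alerts


def run(log_text: str = SAMPLE_LOG) -> list[dict]:
    """Convenience entry point: parse the log and return the alerts."""
    return find_replays(parse_log(log_text))


if __name__ == "__main__":
    for a in run():
        print(f"[{a['severity']}] session {a['session_id']} ({a['user']}) reused "
              f"{a['seconds_apart']}s later from {a['second_client']} "
              f"after {a['first_client']}")
```

On the constructed log this produces a single high-severity alert for alice's session and stays quiet for bob's. In production, compare ASN or country rather than raw IP to cut noise from mobile carriers, and treat this as a detection, not a fix: it tells you a token was replayed after the fact, whereas binding sessions to the device that completed MFA is what stops the replay from working at all.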

These roles often have elevated privileges and access to critical data, making them ideal targets for phishing campaigns.

Non-human identities rely instead on static authentication methods, such as API tokens or embedded credentials, which never pass an MFA challenge and are significantly less secure.

We've found the ratio of non-human identities to human ones at almost 10-to-1.

Each integration introduces another point of exposure, and poor oversight creates easy openings for intelligent attackers.

Organizations must trust that AI vendors secure their tokens effectively, but this trust is often misplaced.

Attackers frequently target these third-party tokens to bypass MFA protections, exploiting the trust users place in vendors.

Admins, focused on immediate business needs, may disable security configurations temporarily to resolve workflow bottlenecks.

The challenge lies in scale.

Each SaaS platform defines MFA and security controls differently, requiring deep expertise to manage configurations effectively.

Without centralized oversight, organizations lose visibility into their security posture, creating opportunities for breaches.

Continuously audit configurations to detect drift from secure states.

Prioritize training and awareness: Educate employees and administrators to recognize phishing attempts and avoid risky configurations.

Train business teams to prioritize security and avoid temporary workarounds that compromise long-term defenses.
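The two technical recommendations above, auditing configurations for drift from a secure state and reining in static integration tokens, can be automated with one audit job. The script below is an added example, not code from the author, from Valence Security, or from any SaaS vendor: the setting names, the token fields and the tenant snapshot are hypothetical and constructed (a real job would populate the snapshot from each platform's admin API under that platform's own names), and it reports every setting that has drifted from the baseline alongside every integration token that is too old, idle, or too broadly scoped.

```python
"""Audit a SaaS tenant's security settings and integration tokens against a
secure baseline, catching configuration drift and stale or over-scoped
non-human credentials in one pass.

Added example for this article; it is not code from the author, from
Valence Security, or from any SaaS vendor. The setting names, token fields
and both snapshots are hypothetical and constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Secure baseline (hypothetical keys). Scalars must match exactly;
# keys listed in UPPER_BOUND_KEYS are maximums rather than exact values.
BASELINE = {
    "mfa_required_for_all_users": True,
    "mfa_required_for_admins": True,
    "allow_legacy_auth": False,
    "third_party_app_install": "admin_approval",
    "session_max_age_hours": 12,
}
UPPER_BOUND_KEYS = {"session_max_age_hours"}

MAX_TOKEN_AGE_DAYS = 90     # rotate static tokens older than this
MAX_TOKEN_IDLE_DAYS = 90    # revoke tokens nobody has used for this long
BROAD_SCOPES = {"admin", "full_access", "*"}

# Fixed "as of" time so the example is reproducible; use datetime.now(timezone.utc) in practice.
AUDIT_AS_OF = datetime(2024, 5, 1, tzinfo=timezone.utc)

# Constructed snapshot of a tenant after an admin "temporarily" loosened
# settings to unblock a workflow and never put them back.
TENANT_SNAPSHOT = {
    "settings": {
        "mfa_required_for_all_users": False,    # drift
        "mfa_required_for_admins": True,
        "allow_legacy_auth": False,
        "third_party_app_install": "any_user",  # drift
        "session_max_age_hours": 720,           # drift: 30-day sessions
    },
    "integration_tokens": [
        {"name": "ci-runner", "created": "2023-01-15T00:00:00Z",
         "last_used": "2024-04-30T00:00:00Z", "scopes": ["repo:read"]},
        {"name": "ai-assistant", "created": "2024-04-01T00:00:00Z",
         "last_used": "2024-04-30T00:00:00Z", "scopes": ["full_access"]},
        {"name": "old-report-bot", "created": "2022-06-01T00:00:00Z",
         "last_used": "2023-02-01T00:00:00Z", "scopes": ["reports:read"]},
    ],
}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_settings(settings: dict, baseline: dict = BASELINE) -> list[str]:
    """Report every setting that differs from the baseline, or exceeds it for
    upper-bound keys. A missing key is reported too: a control you cannot
    see is not a control you can rely on."""
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if key in UPPER_BOUND_KEYS:
            if actual is None or actual > expected:
                findings.append(f"{key}={actual!r} exceeds baseline {expected!r}")
        elif actual != expected:
            findings.append(f"{key}={actual!r}, baseline {expected!r}")
    return findings


def check_tokens(tokens: list[dict], now: datetime) -> list[str]:
    """Flag static integration tokens that are old, idle, or broadly scoped.
    These identities never complete an MFA challenge, so the token itself
    is the entire credential and its lifetime and scope are the only limits."""
    findings = []
    for t in tokens:
        age = now - _ts(t["created"])
        idle = now - _ts(t["last_used"])
        if age > timedelta(days=MAX_TOKEN_AGE_DAYS):
            findings.append(f"{t['name']}: {age.days} days old, rotate")
        if idle > timedelta(days=MAX_TOKEN_IDLE_DAYS):
            findings.append(f"{t['name']}: unused for {idle.days} days, revoke")
        broad = BROAD_SCOPES & set(t["scopes"])
        if broad:
            findings.append(f"{t['name']}: broad scopes {sorted(broad)}, narrow")
    return findings


def audit(snapshot: dict = TENANT_SNAPSHOT, now: datetime = AUDIT_AS_OF) -> dict[str, list[str]]:
    """Run both checks and return findings grouped by section."""
    return {
        "settings": check_settings(snapshot["settings"]),
        "tokens": check_tokens(snapshot["integration_tokens"], now),
    }


if __name__ == "__main__":
    for section, findings in audit().items():
        for f in findings:
            print(f"[{section}] {f}")
```

Run on a schedule, a job like this turns "temporarily disabled MFA" into a ticket within hours rather than a finding in next year's audit. The baseline is deliberately per-platform: because each SaaS product names and scopes its controls differently, you maintain one baseline per platform and keep the checking logic, and the reporting, common.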

The adoption of AI and SaaS is inevitable, but so are the threats they introduce.

To stay ahead, businesses must recognize that MFA alone is insufficient.


The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.