10 Feb 2025

Text message authentication the worst way to stop cyber criminals - report

1:51 pm on 10 February 2025

A major New Zealand security firm says multi-factor authentication will not necessarily save you - or your company - from cyber attacks, with the method at the heart of some of the most egregious security breaches on both sides of the Tasman.

Multi-factor authentication (MFA) - or two-step authentication - is a method that bolsters security by requiring users to present two different kinds of credential when logging in before access is granted.

For example, logging into a business email could require a regular password plus a second code sent by text to a phone.

In its latest threat report, CyberCX said the global threat landscape had continued to deteriorate, with bad actors evolving their tactics and upping the tempo of attacks.

It coincided with the release of the government's own report into cyber security, which found New Zealand was facing "increasingly complex cyber security threats from both criminals and other countries".

CyberCX said MFA breaches were responsible for three-quarters of the phishing attacks it responded to last year, in which hackers attempted to gain access to information, typically financial, via email.

Executive director of digital forensics and incident response Hamish Krebs said any MFA was better than none, but not all MFA was created equal.

He said text message authentication was by far the worst of the MFA options, and a hardware security key or token the best.

Krebs said push notifications on a phone were the most common tactic, with a threat actor pushing authentication prompts through until a user eventually said 'yes'.

"That happens all the time. You don't really want to have a situation where your phone is bothering you to allow a multi-factor authentication."

He said his company had seen fake push notifications lead to "very large data breaches".

"Across both sides of the Tasman some of the very biggest ones - the highest profile ones - have happened via an administrator clicking a spurious multi-factor authentication prompt because it's bothered them on their phone.

"Imagine that phone beeps you five, six, seven, eight, nine times and you're in a meeting - eventually you just say, 'accept'. It goes away, but that lets the bad guys in."
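Defenders can look for the pattern Krebs describes in their authentication logs. As an added example (not from the CyberCX report or this article), the Python below flags any push approval that followed several rejected or expired prompts to the same user within a short window; the log format, user names and thresholds are constructed for the example.

```python
"""Detect MFA push-fatigue: many rejected or expired push prompts to one user
followed by an approval. Log format and field names are constructed for this
example and do not come from any real product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one push prompt per line: "<iso time> user=<name> result=<outcome>"
SAMPLE_LOG = """\
2025-02-10T09:00:05 user=admin.jane result=denied
2025-02-10T09:00:40 user=admin.jane result=timeout
2025-02-10T09:01:12 user=admin.jane result=denied
2025-02-10T09:01:50 user=admin.jane result=timeout
2025-02-10T09:02:30 user=admin.jane result=denied
2025-02-10T09:03:05 user=admin.jane result=approved
2025-02-10T09:10:00 user=bob result=denied
2025-02-10T09:30:00 user=bob result=approved
"""

def parse_events(log_text):
    """Parse log lines into (timestamp, user, result) tuples."""
    events = []
    for line in filter(None, log_text.splitlines()):
        ts, user_kv, result_kv = line.split()
        events.append((datetime.fromisoformat(ts),
                       user_kv.split("=", 1)[1],
                       result_kv.split("=", 1)[1]))
    return events

def detect_push_fatigue(events, window=timedelta(minutes=10), min_prompts=3):
    """Return (user, approval_time, prior_prompt_count) for every approval
    preceded by at least min_prompts non-approved prompts inside window."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))
    findings = []
    for user, items in by_user.items():
        items.sort()  # order by timestamp
        for i, (ts, result) in enumerate(items):
            if result != "approved":
                continue
            # count earlier prompts in the window that the user did not approve
            prior = [t for t, r in items[:i] if r != "approved" and ts - t <= window]
            if len(prior) >= min_prompts:
                findings.append((user, ts, len(prior)))
    return findings

if __name__ == "__main__":
    for user, ts, n in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {user} approved a push at {ts} after {n} rejected/expired prompts")
```

Bob's single denial 20 minutes before his approval falls outside the window and is not flagged, while the burst to the administrator account is.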

CyberCX said financial gain was still the biggest motivation, behind 65 percent of the incidents it responded to last year.

The healthcare sector remained under fire from cyber attacks, making up 17 percent of incidents it responded to - the biggest category.

The financial sector followed on 11 percent.
