
Not ready for passkeys? Multi-factor authentication is still better than nothing

Passkeys are currently the authentication tool of choice for security professionals, but any form of account protection is better than nothing, says Eric Skinner, vice president of strategy at Trend Micro. Yes, even multi-factor authentication (MFA) via SMS.

“SMS-based MFA is relatively simple and almost everyone has a phone,” Skinner told me at the RSA conference in San Francisco. And although it is “technically hackable” thanks to SIM swapping schemes, “security officials may overreact.”

He pointed out that SIM swapping requires focusing on a specific victim and launching a social engineering attack against the operator. “It takes effort.”

“Fortunately, new technology is gaining ground,” Skinner said. “My message is: Use passkeys wherever they are available. Companies haven’t adopted them, but consumers have the option.”

Passkeys are built on the FIDO2 standards, which means an everyday device such as a phone or laptop can act as the authenticator, making them more convenient than a dedicated hardware security key.

Attacker in the middle

As for why passkeys matter, Skinner pointed to an increase in so-called “attacker in the middle” attacks, which defeat most forms of MFA. “It doesn’t require any skills. The code is published and downloadable from GitHub,” he said. “You can get kits.”

In 2018, we covered an early version of the attack, which begins with a phishing email. Now, thanks to generative AI, “attackers are able to write much better emails” that convince people to click and log in, Skinner said. “They can be perfect.”


When the fake website receives the user’s credentials, it forwards them to the real site, which sends the MFA code by text as usual. When the victim types that code into the fake site, the attacker captures it and uses it to log in. Skinner confirmed that this also works with an authenticator app, or even a physical token displaying a changing code, because any code the victim can read, the victim can be tricked into typing.
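The relay described above, and the reason a passkey resists it, as an added example that is not code from the article or from Trend Micro. The site names, the user “alice”, her password and the HMAC-based stand-in for a WebAuthn signature are all constructed for illustration; the TOTP routine follows RFC 6238. The point it demonstrates is that a one-time code carries no information about where the victim typed it, while a passkey assertion is signed over the origin the browser actually loaded, so a proxy on a lookalike domain cannot forward it as its own.

```python
"""Toy simulation of an attacker-in-the-middle relay against password+OTP,
and of an origin-bound passkey login that the same proxy cannot relay.
Added example; every name, secret and origin below is constructed."""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a given 30-second time step."""
    digest = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def sign_assertion(passkey: bytes, challenge: str, origin: str) -> str:
    """Stand-in for the authenticator's signature. Real passkeys sign
    clientDataJSON (which carries the origin) with a private key; here an
    HMAC over (challenge, origin) models the same binding."""
    return hmac.new(passkey, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class RealSite:
    """The legitimate service (constructed origin and user record)."""
    ORIGIN = "https://bank.example"

    def __init__(self):
        self.users = {"alice": {"password": "hunter2",
                                "otp_secret": secrets.token_bytes(20),
                                "passkey": secrets.token_bytes(32)}}
        self.pending = set()  # outstanding passkey challenges

    def login_password_otp(self, user, password, code, step):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(password, u["password"]):
            return False
        return hmac.compare_digest(code, totp(u["otp_secret"], step))

    def passkey_challenge(self):
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def passkey_login(self, user, challenge, origin, signature):
        """Challenge must be fresh, the reported origin must be ours, and the
        signature must cover (challenge, origin) under the registered key."""
        if challenge not in self.pending:
            return False
        self.pending.discard(challenge)
        if origin != self.ORIGIN:
            return False
        expected = sign_assertion(self.users[user]["passkey"], challenge, origin)
        return hmac.compare_digest(signature, expected)


class VictimBrowser:
    def __init__(self, passkey):
        self.passkey = passkey

    def sign(self, challenge, origin_seen):
        # The browser signs the origin it actually loaded, not what the page claims.
        return sign_assertion(self.passkey, challenge, origin_seen)


class PhishingProxy:
    """Reverse proxy on a lookalike domain that forwards everything to RealSite."""
    ORIGIN = "https://bank-example.com"

    def __init__(self, target):
        self.target = target
        self.captured = {}

    def relay_password_otp(self, user, password, code, step):
        self.captured.update(user=user, password=password, code=code)
        # The code is still valid for this time step, so the relay succeeds.
        return self.target.login_password_otp(user, password, code, step)

    def relay_passkey(self, user, browser):
        challenge = self.target.passkey_challenge()    # fetched from the real site
        sig = browser.sign(challenge, self.ORIGIN)      # victim signs the lookalike origin
        # Forward the assertion while claiming the real origin: the signature
        # was made over the lookalike origin, so verification fails.
        return self.target.passkey_login(user, challenge, self.target.ORIGIN, sig)


def demo_otp_relay(step=1):
    site = RealSite()
    proxy = PhishingProxy(site)
    code = totp(site.users["alice"]["otp_secret"], step)  # read off the victim's app
    return proxy.relay_password_otp("alice", "hunter2", code, step)


def demo_passkey_relay():
    site = RealSite()
    proxy = PhishingProxy(site)
    return proxy.relay_passkey("alice", VictimBrowser(site.users["alice"]["passkey"]))


def demo_passkey_direct():
    site = RealSite()
    browser = VictimBrowser(site.users["alice"]["passkey"])
    c = site.passkey_challenge()
    return site.passkey_login("alice", c, site.ORIGIN, browser.sign(c, site.ORIGIN))


if __name__ == "__main__":
    print("password+OTP through proxy:", demo_otp_relay())
    print("passkey through proxy:", demo_passkey_relay())
    print("passkey direct:", demo_passkey_direct())
```

Running it shows the relay succeeding against password plus TOTP and failing against the passkey, with the direct passkey login still working. Swapping the HMAC stand-in for a real ECDSA signature over clientDataJSON does not change the outcome; what defeats the proxy is that the origin is inside the signed data and the attacker cannot rewrite it.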

I asked how the fake website could evade Trend Micro’s antivirus or a similar product, and Skinner replied that the fake version was running on a server somewhere, with no presence on your local computer. “We are tired of seeing people get caught out by these attacks,” Skinner said.

To avoid getting caught in this trap, we have explanations on how to set up passkeys on your Amazon, Apple, and Google accounts.
