MFA Fatigue and The Future of Authentication with Jumio's CTO

Roberto Popolizio

Since the inception of phishing in the mid-1990s, hackers have been victimizing users with social engineering attacks. While technology has changed since then, threat actors have continued to find new ways to exploit human error.

Fast forward a few decades, and today's threat actors are right beneath our fingertips, spamming mobile devices with push notifications and sign-in prompts that, once approved, grant outsiders inside access. The latest trends in phishing scams are proof of that.

Even critical cybersecurity controls like two-factor and multi-factor authentication (MFA) are not as foolproof as we tend to assume. Hackers are now able to intercept or abuse MFA prompts and use them to break into people's accounts.

We sat down with Stuart Wells, CTO of Jumio, the leading provider of automated, end-to-end identity proofing, risk signals and compliance solutions, to discuss how threat actors are capitalizing on MFA fatigue, what the future of authentication may look like and what organizations can do to protect themselves.

What's the story behind Jumio, and what kind of cybersecurity services and products do you offer?

Above all else, the primary mission here at Jumio is to help make the internet a safer place for users by protecting business ecosystems through a unified, end-to-end identity proofing, risk assessment and compliance platform. The Jumio KYX Platform boasts a range of identity proofing services to accurately establish, maintain and reassert trust from the opening stages of account creation all the way to ongoing monitoring.

Through the likes of advanced technology including AI, biometrics, machine learning, liveness detection and automation, Jumio helps organizations combat fraud and financial crime, verify and onboard good customers more quickly and adhere to regulatory compliance. Jumio has carried out more than one billion transactions across more than 200 countries and territories from real-time web and mobile transactions.

What makes your identity verification technology stand out?

Jumio pioneered the ID-plus-selfie approach to identity verification. Our technology leverages hundreds of millions of domain-specific data points to help inform its AI models and ensure accuracy. While other solution providers rely on academic datasets to develop their AI modeling, we utilize real-world production data to eliminate some of the bias that can exist in off-the-shelf datasets. By using this realistic data, we are able to construct better, more informed, unbiased AI, which consequently leads to faster, more accurate verifications for our customers.

Furthermore, while many organizations rely on a plethora of point solutions to evaluate fraud risk, which creates friction in the onboarding process and can lead to transaction abandonment, Jumio streamlines fraud and eKYC compliance management with a one-stop orchestration hub that brings together global data, risk signals, real-time analytics, actionable insights and a configurable rules engine. This provides greater agility and ease in responding to fraud without compromising the customer experience.

How do hackers exploit MFA fatigue and other MFA attacks to access accounts?

MFA is a tool that a lot of organizations deploy in hopes of bolstering internal security measures, but hackers have concocted a way to exploit this.

The tactic of exploiting MFA fatigue, also referred to as “prompt bombing,” has been around for a while, but is seeing more success now with prominent organizations falling victim to these attacks.

Hackers will essentially spam user accounts with multiple prompts to confirm an individual’s identity through a push notification or another sort of sign-in request. Unsuspecting users are then on the receiving end of a seemingly endless series of SMS alerts, emails or phone calls, which creates this “fatigue” that results in users eventually accepting what is actually a malicious request. From there, the threat actor has access to a user’s accounts and a potential path toward compromising organizational data.
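The prompt-bombing pattern described above (a burst of push prompts, repeated denials, then an eventual approval) is visible in an identity provider's authentication logs. The following detection script is an added example, not Jumio's code or part of its product; it works over a constructed, simplified log format (`<ISO timestamp> user=<id> event=<push_sent|push_denied|push_approved> src=<ip>`), and the ten-minute window and five-prompt threshold are assumed values that a team would tune to its own baseline.

```python
"""Flag MFA prompt-bombing patterns in push-authentication logs.

Added example; the line format, thresholds and sample data below are
constructed for illustration and are not Jumio's or any vendor's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format: ISO-8601 UTC timestamp, user id, event, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: alice approves one legitimate prompt; bob is bombarded,
# denies several prompts, and finally approves one out of fatigue.
SAMPLE_LOG = """\
2023-03-01T08:00:02Z user=alice event=push_sent src=203.0.113.10
2023-03-01T08:00:09Z user=alice event=push_approved src=203.0.113.10
2023-03-01T08:05:00Z user=bob event=push_sent src=198.51.100.7
2023-03-01T08:05:04Z user=bob event=push_denied src=198.51.100.7
2023-03-01T08:05:30Z user=bob event=push_sent src=198.51.100.7
2023-03-01T08:05:33Z user=bob event=push_denied src=198.51.100.7
2023-03-01T08:06:01Z user=bob event=push_sent src=198.51.100.7
2023-03-01T08:06:05Z user=bob event=push_denied src=198.51.100.7
2023-03-01T08:06:40Z user=bob event=push_sent src=198.51.100.7
2023-03-01T08:06:44Z user=bob event=push_denied src=198.51.100.7
2023-03-01T08:07:12Z user=bob event=push_sent src=198.51.100.7
2023-03-01T08:07:50Z user=bob event=push_sent src=198.51.100.7
2023-03-01T08:07:58Z user=bob event=push_approved src=198.51.100.7
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "event": m["event"], "src": m["src"]}


def detect_prompt_bombing(lines, window=timedelta(minutes=10), threshold=5):
    """Return alerts for (a) a burst of push prompts to one user inside the
    window and (b) an approval that follows such a burst or repeated denials.

    Events are assumed to arrive in timestamp order, as an export usually does.
    """
    sent = defaultdict(deque)    # per user: push_sent timestamps inside window
    denied = defaultdict(deque)  # per user: push_denied timestamps inside window
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the run
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        # Slide the window: drop entries older than `window` for this user.
        for dq in (sent[user], denied[user]):
            while dq and ts - dq[0] > window:
                dq.popleft()
        if event == "push_sent":
            sent[user].append(ts)
            # Fire once when the burst threshold is first crossed.
            if len(sent[user]) == threshold:
                alerts.append({"user": user, "kind": "prompt_burst",
                               "count": len(sent[user]), "at": ts, "src": rec["src"]})
        elif event == "push_denied":
            denied[user].append(ts)
        elif event == "push_approved":
            # The dangerous case: the user finally says yes after a barrage.
            if len(sent[user]) >= threshold or len(denied[user]) >= 2:
                alerts.append({"user": user, "kind": "approval_after_burst",
                               "count": len(sent[user]), "denials": len(denied[user]),
                               "at": ts, "src": rec["src"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample data the script raises two alerts for bob and none for alice: a `prompt_burst` when the fifth prompt lands inside the window, and an `approval_after_burst` when the approval arrives after six prompts and four denials. Either alert is a reasonable trigger for a SOC review of the session and for the identity provider to pause further pushes to that user; the `approval_after_burst` case in particular is the one that should be treated as a likely account compromise rather than noise.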

What can be done to prevent MFA attacks?

User education is one of the top priorities for organizations looking to prevent these kinds of attacks. Many people simply do not understand the full ramifications for both the user and their organization. They need to be alerted that these attacks exist, what they look like, and how to (and how not to) respond.

Think, for example, of how we scroll to the end of license agreements without fully reading what we are agreeing to. These hackers are counting on users to be unaware and unknowingly accept a request that looks harmless. If organizations can explain to people that there are negative, potentially significant consequences to accepting such a request – and that hackers are actively targeting these users – then they can be better equipped to ignore, delete or report a suspicious notification.

In addition to training their employees on cybersecurity best practices, organizations can also consider other verification measures, including passwordless authentication, such as specialized apps and biometrics.

Biometrics are proving more reliable than MFA, but what are the pros and cons of biometric authentication?

As organizations across industries continue to adopt biometric identity verification, the era of passwordless authentication is officially underway. Biometric authentication technology has improved by leaps and bounds in recent years, so much so that it's now part of many everyday tasks, such as unlocking our phones. But as facial recognition technology has reached near-pinpoint accuracy, fraudsters are responding with their own evolving high-tech techniques.

Whether by face morphs, deepfakes, digital image manipulation or the use of synthetic masks, hackers have engineered workarounds to some of the latest advancements in biometric authentication.

Obviously, this poses a concern for organizations, which is why we’re seeing adoption of more advanced multimodal biometrics. Adding another level of biometric authentication is essentially putting a layer of insulation between businesses and bad actors.

Supplementing facial recognition with an additional biometric, such as one’s voice or even iris detection, provides an added security blanket for organizations looking to verify their users.

Can biometrics be hacked, and what happens if biometric data is stolen?

Biometric data, like any data, can be stolen if not suitably protected. If stolen, the biometric data can be used to open a bank account or request a credit card and borrow money under the identity of the unfortunate owner of the biometrics.

What do you see in the future of online identity protection? Are hackers evolving faster than authentication technology?

As difficult as it is to predict the future of online identity protection, there are a few things that we know to be true. Over the past several years, there’s been a lot of momentum surrounding data privacy, particularly as consumers and watchdogs note their concerns over the sheer volume of personal data that gets collected and stored.

In the U.S., there have already been privacy regulations implemented at the state level, which have gone a long way toward protecting consumers but also come with a number of compliance issues for businesses operating across different states. With those sorts of mandates gradually taking shape, I think the future of identity protection is bright.

Although hackers will continue searching for whatever loopholes they can get their hands on, we are only going to get smarter about safeguarding users and protecting organizations. We find ourselves on the front lines in the battle of protecting user data, and I'm confident that Jumio can continue serving as an industry leader for identity verification with advanced technology that helps organizations around the world feel more secure about the business they conduct every day.

About the Author

Over a decade spent helping affiliate blogs and cybersecurity companies increase revenue through conversion-focused content marketing and Digital PR linkbuilding.