MFA Without FIDO2 Falls Short

October 3, 2023

Why MFA without FIDO2 falls short in modern security. Learn why FIDO2 is crucial for robust multi-factor authentication.

Once upon a time, MFA gave security professionals that warm and fuzzy feeling of knowing user accounts were secure. However, attackers have found workarounds to this protection.

FIDO2 protocols close these workarounds by replacing passwords with device-bound, typically hardware-backed, cryptographic key pairs: the private key stays on the user's device and the service stores only the public key. We need to actively nudge end-users to enroll in these stronger forms of MFA.

1. Credential Stuffing Attacks

As more and more data breaches occur, cybercriminals have a virtually endless supply of stolen credentials to attempt logins on. This enables them to use a process known as credential stuffing attacks to gain access to websites and apps. Then, they can either take over the account for monetary gain or sell the account to another criminal in the underground hacker marketplace.

Credential stuffing is hard to stop because password strength is irrelevant: the attacker already holds the correct password for the account. CAPTCHA challenges slow the tooling down but are routinely bypassed with solving services, and two-factor codes sent by SMS or generated by an app can be phished in real time. Even when a login is blocked at the second factor, the attempt has already confirmed to the attacker that the username and password pair is valid, which is itself a sellable result.

The most reliable mitigation is multi-factor authentication (MFA) that requires a second factor the attacker does not hold, such as a one-time code from an authenticator app or, better, a device unique to the user. A security question is just another piece of knowledge and does not count as a second factor. MFA does not stop every attack, but it is a crucial step in the fight against credential stuffing.

In addition to MFA, you should also consider implementing other defences against credential stuffing. These include deploying web application firewalls (WAFs) with bot detection, leveraging behavior-based threat detection, rate limiting login attempts per source address and per account, blocking known malicious IP addresses, monitoring authentication logs for suspicious activity, and more.

FIDO2 protocols are an excellent defence against credential stuffing because the login is proven with a signature from a private key held on the user's device rather than with a shared secret, so a leaked password list contains nothing that can be replayed against a FIDO2-protected account. As an added bonus, they remove the need for shared secrets such as passwords or OTPs, which can be stolen from the server side as well as from the user.

FIDO2's resistance to phishing and man-in-the-middle attacks comes from origin binding, not from the cryptography alone: the browser records the origin it is actually talking to in the data the authenticator signs, and the authenticator only uses a key pair scoped to the relying party it was registered with. A look-alike site therefore obtains at best a signature that the real service will reject, and an attacker in the middle cannot reuse it either. Keylogging yields at most a PIN, which is useless without physical possession of the authenticator. Learn more about how FIDO2 can help you protect against these types of attacks by downloading our free whitepaper, Using FIDO2 to Reduce Reliance on Passwords.

2. Phishing Attacks

Phishing attacks are a major threat to online security. They trick users into entering credentials on a look-alike login page, or into clicking malicious links and downloading malware to their device, which then steals credentials and other sensitive information such as credit card details. The messages often appear to come from trusted sources such as banks, the NHS, and courier services. To protect against phishing, staff should be on alert for suspicious emails, be trained to recognise a phishing attempt, and be encouraged to report suspected phishing to the security team.

To protect against phishing attacks, organizations should consider deploying phishing-resistant MFA. These methods resist the phishing attacks that would otherwise compromise the authentication process. One such method is the FIDO2 standard, which replaces password-only logins with strong multi-factor authentication using a hardware authenticator. Websites enable FIDO2 through the WebAuthn JavaScript API, which is supported across leading browsers and platforms on billions of devices consumers use every day.

Unlike MFA methods that rely on the user's machine transmitting a password or one-time code to the server, FIDO2 uses asymmetric public-key cryptography: the server stores only a public key, and the private key never leaves the user's device, whether that is a mobile phone or the secure element in a FIDO2 token. This approach minimises the attack surface and eliminates shared secrets, which are a common source of security breaches.

Another way to help prevent phishing is to deploy DMARC, with SPF and DKIM, on your email domains. DMARC is an email authentication standard, not an MFA feature: it lets receiving mail servers check that a message claiming to come from your domain was actually authorised by you, and it reports back attempts to spoof the domain. This allows organisations to see when their domain is being abused in a phishing campaign, and to instruct receivers to quarantine or reject those messages.

Finally, it’s important for organisations to nudge their end-users into using MFA on all services and apps they use. This is similar to how cars nudge you into buckling up when you start driving. This can be done by offering MFA as the default on all new apps and services and then notifying users when they’ve logged in without it.

3. Malware Attacks

Malware attacks are a common attack vector with a variety of objectives. These range from corrupting critical system files on a single device to launching large-scale distributed denial of service (DDoS) attacks. One of the more dangerous goals is to extort ransom in the form of cryptocurrency. The recent ransomware attacks against Colonial Pipeline, JBS Foods, and Kaseya are just a few examples of these threats.

These attacks typically arrive as malicious emails disguised as coming from a legitimate source such as your bank or even a friend, with attachments or links that lead to malware-infected websites or drive-by downloads. Passwords offer little protection here: even the most complex password is useless once it has been guessed or stolen from a compromised computer. This is why it is so important to always use strong MFA, ideally a hardware security key such as a YubiKey, alongside a password manager.

Passwordless authentication using FIDO2 removes the target that credential-stealing malware is after. Unlike SMS-based MFA, FIDO2 relies on public-key cryptography: no password or OTP is ever typed or sent to the server, so there is nothing for a keylogger or infostealer to harvest, and a phishing or man-in-the-middle site cannot obtain a usable login. An attacker would need the device holding the private key, plus the PIN or biometric that unlocks it, because the public key the server stores cannot be used to sign. Note the limit: FIDO2 protects the login itself, and malware already running on the endpoint can still steal the session token issued after a successful login, so it does not remove the need for endpoint protection. FIDO2 authenticators work with existing phones and computers and support multiple transports, including USB, NFC and Bluetooth.

The FIDO2 standard also supports step-up authentication: a FIDO2 authenticator, whether a mobile phone or a USB security token, can be combined with the existing NHS password as a strong second factor for sensitive services, or used on its own with a PIN or biometric for passwordless sign-in. Either way, staff have no additional password to remember or mistype, which reduces user error. This is all made possible by open standards that give NHS staff flexibility and product choice.

FIDO2 authentication can be deployed on existing devices with minimal effort. Unlike MFA solutions that require the installation of apps or software, FIDO2 is easy to implement for IT and end users. Whether it’s a smartphone or a USB-based security token, staff can be empowered to self-register their FIDO2 devices in the NHSmail portal. This means that they don’t have to rely on an IT support team to do this for them.

4. Network Attacks

With phishing attacks getting more sophisticated, attackers are going after the MFA factors themselves, not just passwords. They target users via email, text messages and instant messengers to trick them into sharing sign-in credentials or MFA verification codes, or they proxy the real login page so that a code is relayed to the genuine service the moment it is typed. With a valid password and a freshly obtained code, they can establish their own session as the user and steal sensitive information.

Phishing is one of the most common forms of attack and can result in significant losses for businesses as well as individuals. According to Microsoft, implementing MFA with FIDO2 can reduce the risk of such attacks. FIDO2 replaces passwords with strong, hardware-based authentication using public key cryptography to provide greater protection against phishing, man-in-the-middle and other attacks that target shared secrets such as passwords.

FIDO2 prevents this kind of phishing through what NIST SP 800-63B calls verifier impersonation resistance: the browser includes the origin it is talking to in the data the authenticator signs, and the authenticator only uses the key pair registered for that relying party, so a look-alike site cannot obtain a response the real service will accept. Separately, attestation at registration lets the relying party check that the authenticator is a genuine model before enrolling it. This also helps against the recently-documented "device registration" phishing attack, in which attackers get past MFA implementations based on device compliance (like those in Azure AD and Intune) by registering a fake compliant device and then using it to log in: with phishing-resistant MFA the attacker never obtains the phished session needed to enrol the rogue device in the first place. FIDO2 does not itself police device enrolment, so device registration should be gated behind the same phishing-resistant MFA.

The FIDO2 protocol relies on digital signatures rather than shared secrets, and no secret is ever shared between the authenticator and the server. Each login signs a fresh, single-use challenge from the server, so a captured response cannot be replayed, and there is no verification code to phish. To impersonate the user an attacker would need physical possession of the security token together with the PIN or biometric that unlocks it.

The FIDO2 standard was developed by the FIDO Alliance, an industry body whose members include Amazon, Google, Microsoft and RSA. It is an open authentication standard that can be implemented on billions of devices worldwide. Websites enable it through the WebAuthn JavaScript API, which is supported by the most popular browsers and platforms on the devices consumers use every day. As a passwordless alternative to password-based login, FIDO2 has the potential to transform the world of authentication.

Ammar Fakhruddin


Ammar brings 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real-world business and data problems by bringing in leading-edge solutions that are cost effective and improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.
