Why Your Mobile MFA Strategy is Attracting Cyber Crime and How to Fix it
We’re at a crisis point for cybersecurity. During the COVID health crisis, cyberattacks shot up 300%.1 In 2020, ransomware claimed a new victim every 10 seconds,2 and phishing incidents doubled.3 The average cost of a data breach broke a 17-year high in 2021, ringing up at a whopping $4.24M.4

Despite the growing tide and sophistication of cyber attacks, many organizations continue to use legacy multi-factor authentication (MFA) methods, like usernames and passwords and mobile-based authenticators, to secure access to critical and sensitive applications and data. Across these organizations, the results are unexpected: attacks that penetrate their defenses, and employees who are frustrated.

Why mobile authentication puts your organization at risk

While any form of MFA offers better security than legacy username and password based authentication, not all forms of MFA are created equal. In fact, mobile-based MFA such as SMS, OTP, and push notifications are highly susceptible to phishing attacks, man-in-the-middle (MiTM) attacks, malware, SIM swapping, and account takeovers.

The convenience and ubiquity of mobile devices is exactly what makes them so phishable. In mobile-based MFA, there’s no guarantee that the private key ends up on a secure element on the mobile device. Mobile devices have a large attack surface across apps, communication, operating systems, and secure element technology. Today’s hackers increasingly hijack OTP and push notifications through interception or phishing, with the attacker and account takeover all but invisible to the user.

Research by Google, NYU, and UCSD based on 350,000 real-world hijacking attempts proved that SMS and mobile authenticators are not very effective in preventing account takeovers and targeted attacks.5 The research found that an SMS-based one-time password (OTP) only blocked 76% of targeted attacks and a push app only blocked 90%. That’s a 10% penetration rate at minimum. With this approach, it’s not a matter of if you will be attacked—it’s a matter of when.

Account takeover risk by security type

    Security key (YubiKey)              0%
    On device prompt (OTP push app)    10%
    Secondary email                    21%
    SMS code                           24%
    Phone number                       50%

On top of weaker security, mobile authenticators also don’t offer an easy user experience. When mobile-based authentication such as SMS and OTP is used for two-factor (2FA) or MFA, employees are required to wait for and enter codes delivered by SMS or authenticator apps. And all of this depends on the availability of cellular connectivity, the phone being sufficiently charged, and other nuances that can affect the user experience. This adds to the time and complexity of authentication and reduces employee productivity, all while leaving the organization exposed.
1 Rachel England, FBI Sees Cybercrime Reports Increase Fourfold During COVID-19 Outbreak, (April 20, 2020), https://www.entrepreneur.com/article/349509
2 Phil Muncaster, One Ransomware Victim Every 10 Seconds in 2020, (February 25, 2021), https://www.infosecurity-magazine.com/news/one-ransomware-victim-every-10/
3 Internet Crime Complaint Center, 2020 Internet Crime Report, (March 17, 2021), https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
4 IBM Security, Cost of a Data Breach Report, (July 28, 2021), https://www.ibm.com/security/data-breach
5 Kurt Thomas and Angelika Moscicki, New research: how effective is basic account hygiene at preventing hijacking, (May 17, 2019), https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
Mobile authentication also creates gaps in your MFA framework

While organizations may prioritize or even mandate mobile-based MFA, there are almost always edge cases of employees that can’t, don’t, or won’t use mobile authentication. Not only can there be low cell coverage in certain geographic areas, employees also may not want to use personal devices for work, or don’t want to allow admin access to their devices. There may also be union restrictions or compliance requirements, and some employees may not be able to use a smartphone at all. If the fallback option is usernames and passwords, this makes the organization even more vulnerable to phishing and account takeovers.

As organizations move into the new way of working, where remote and hybrid work is the norm, relying on perimeter security is no longer effective. Organizations using mobile-based authenticators today need to reevaluate their long-term MFA strategy and consider moving to modern phishing-resistant MFA solutions. In these scenarios, a hardware security key provides organizations with broad coverage of business scenarios and user groups while ensuring the best security and user experience.

Building a secure, long-term MFA strategy

In order to make your organization highly phishing resistant, user accounts should be secured with strong 2FA or MFA that uses purpose-built hardware security keys to secure user access with the strongest levels of phishing defense, along with providing the best user experience. With hardware security keys supporting modern authentication protocols, users can register one single security key to hundreds of services, with a unique public/private key pair generated for each service. The secrets are never shared between services, and the private key is stored in the secure element on the hardware key and cannot be exfiltrated. Additionally, hardware security keys require the user to tap or touch a button for authentication to prove user presence. In this manner hardware security keys stop remote, MiTM, and phishing attacks: unlike SMS or any mobile app authentication, only the registered service is allowed to initiate the authentication request.

Organizations also have to account for new and updated regulations expected over the next few years, especially in the wake of COVID-19. While mobile authentication might be considered ‘good enough’ today, it may not meet future MFA compliance standards. A truly future-proofed security investment should set an organization up well for secure and modern login flows, such as passwordless, as well as for long-term regulatory compliance.

YubiKeys offer modern phishing-resistant authentication at scale, and a bridge to passwordless

The YubiKey from Yubico is a hardware security key that is purpose-built for high security and designed to stop phishing and other forms of account takeover in their tracks, delivering strong authentication at great scale. It’s the only solution proven by independent researchers to stop 100% of account takeovers, including bulk and targeted phishing attacks.6

YubiKeys offer a modern strong MFA solution designed to meet organizations’ needs for office workers, privileged users, remote or hybrid workforces, mobile-restricted environments, shared workstations, third-party entities/supply chain, and even end customers. A single YubiKey works seamlessly across legacy and modern systems and applications with multi-protocol support for Smart Card (PIV), OTP, OpenPGP, FIDO U2F, and FIDO2/WebAuthn. And, for organizations looking to begin their journey to passwordless, the YubiKey offers a bridge from where organizations are today to a modern passwordless future without a rip and replace.

Set your organization up with a future-proofed security investment that not only offers strong security but can help you navigate the evolving compliance landscape. The most security-conscious and high-risk organizations in the world trust the YubiKey for strong phishing-resistant two-factor, multi-factor, and passwordless authentication.

                         Mobile Authentication    YubiKey
    Phishing resistant            –
    Always secure                 –
    Cost effective                –
    User friendly                 –
    360° coverage                 –
    Future proof                  –
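The per-service key pair, user-presence touch and service binding described under “Building a secure, long-term MFA strategy” are what a relying party actually checks when it receives a FIDO2/WebAuthn assertion. The following Python is an added illustration, not Yubico’s code or any product’s: it assumes a constructed relying party (accounts.example.com), constructed authenticatorData and clientDataJSON values, and a caller that verifies the public-key signature with a WebAuthn library, and it shows why an assertion relayed from a look-alike domain is rejected even though the user touched the key.

```python
import hashlib
import json
import struct

# Constructed example relying party (RP): the service the key was registered to.
RP_ID = "accounts.example.com"
RP_ORIGIN = "https://accounts.example.com"
FLAG_UP = 0x01  # user-presence bit in the authenticatorData flags byte (the touch)


def client_data(origin: str, challenge: str) -> bytes:
    """Constructed clientDataJSON; in a real login the browser fills in origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData header: the key hashes the rpId it answers for."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_auth_data(auth_data: bytes) -> tuple:
    """Split the 37-byte fixed header: rpIdHash (32), flags (1), signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    return struct.unpack(">32sBI", auth_data[:37])


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: str, stored_sign_count: int) -> tuple:
    """RP-side binding checks. The signature over authData || SHA-256(clientDataJSON)
    with the credential's public key is assumed to be verified separately by the caller."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch: stale or replayed response"
    if client.get("origin") != RP_ORIGIN:  # set by the browser, not by the page
        return False, "origin mismatch: " + str(client.get("origin"))
    rp_id_hash, flags, sign_count = parse_auth_data(auth_data)
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: assertion was made for another service"
    if not flags & FLAG_UP:
        return False, "user presence not proven"
    if stored_sign_count and sign_count <= stored_sign_count:
        return False, "signature counter did not increase: possible cloned key"
    return True, "ok"


def demo() -> tuple:
    chal = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed base64url challenge
    ok, _ = verify_assertion(client_data(RP_ORIGIN, chal), make_auth_data(RP_ID, FLAG_UP, 42), chal, 41)
    # Constructed look-alike domain: browser reports its real origin, key hashes that rpId.
    bad, _ = verify_assertion(client_data("https://accounts-example.net", chal),
                              make_auth_data("accounts-example.net", FLAG_UP, 43), chal, 42)
    return ok, bad
```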
6 Kurt Thomas and Angelika Moscicki, New research: how effective is basic account hygiene at preventing hijacking, (May 17, 2019), https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
About Yubico

Yubico sets new global standards for easy and secure access to computers, servers, and Internet accounts. Founded in 2007, Yubico is privately held with offices in Australia, Germany, Singapore, Sweden, UK, and USA. Learn why nine of the top 10 internet brands and millions of users in more than 160 countries use our technology at www.yubico.com.

Yubico AB
Kungsgatan 44, 2nd floor
SE-111 35 Stockholm
Sweden

Yubico Inc.
530 Lytton Avenue, Suite 301
Palo Alto, CA 94301 USA
844-205-6787 (toll free)
650-285-0088