kmaling
Oct 13, 2021 Copper Contributor
Password + Authenticator app MFA notifications vs Passwordless
When relying on the MS Authenticator app (without access to a FIDO2 key) as part of the authentication process, is there any security-based benefit in going from logging in via a password + MFA (via ...
thijoubertold
Oct 14, 2021 Iron Contributor
I have encountered several times a phishing attack where:
- The bad guy got the password of the user (through phishing)
- He tries to authenticate, which triggers an MFA prompt
- But the user who got the MFA prompt does not think and validates the notification
And it happens a lot 😞
So in your second scenario, the additional security layer is that you ensure that the person with the telephone is the one who triggered the MFA prompt (because of the 2 digits)
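An added example, not code from either poster or from Microsoft: a small Python model of the two flows discussed in the reply. It assumes a provider that, with number matching on, generates a two-digit number for the session that initiated the sign-in and requires the person holding the phone to enter that same number; with plain push approval, a tap on "Approve" is enough. The user name and the `IdentityProvider` class are constructed for the illustration. The point it shows is that, once the password is phished, a blind approval still succeeds under plain push but fails under number matching, because the number is only on the attacker's screen.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class SignInAttempt:
    """State the identity provider keeps for one sign-in attempt (constructed model)."""
    user: str
    password_ok: bool
    # With number matching, the provider shows a two-digit number on the
    # sign-in screen of whoever initiated the attempt. Plain push: no number.
    displayed_number: Optional[int] = None


@dataclass
class PushPrompt:
    """What the authenticator app on the user's phone shows."""
    user: str
    asks_for_number: bool  # True: "enter the number shown on the sign-in screen"


class IdentityProvider:
    """Hypothetical provider; rng is injectable so the choice of number is explicit."""

    def __init__(self, number_matching: bool,
                 rng: Callable[[int], int] = secrets.randbelow) -> None:
        self.number_matching = number_matching
        self._rng = rng

    def start(self, user: str, password_ok: bool) -> Tuple[SignInAttempt, Optional[PushPrompt]]:
        """Password step. A correct password triggers the push to the phone."""
        attempt = SignInAttempt(user, password_ok)
        if not password_ok:
            return attempt, None
        if self.number_matching:
            attempt.displayed_number = self._rng(100)  # 00..99, shown to the initiator
        return attempt, PushPrompt(user, asks_for_number=self.number_matching)

    def complete(self, attempt: SignInAttempt, approved: bool,
                 entered_number: Optional[int]) -> bool:
        """Second factor. Returns True when the sign-in succeeds."""
        if not attempt.password_ok or not approved:
            return False
        if not self.number_matching:
            return True  # plain push: a blind tap on "Approve" is enough
        return entered_number == attempt.displayed_number


def legitimate_sign_in(number_matching: bool) -> bool:
    """The real user types the password and, if asked, reads the number off their own screen."""
    idp = IdentityProvider(number_matching)
    attempt, prompt = idp.start("alice", password_ok=True)
    number = attempt.displayed_number if prompt and prompt.asks_for_number else None
    return idp.complete(attempt, approved=True, entered_number=number)


def phished_password_sign_in(number_matching: bool, victim_taps_approve: bool) -> bool:
    """The scenario from the thread: the attacker has alice's password, alice has the phone.

    The number (if any) is displayed on the attacker's screen. The prompt on
    alice's phone asks for a number she never saw, so all she can do is tap
    Approve with nothing to enter (modelled as None).
    """
    idp = IdentityProvider(number_matching)
    attempt, prompt = idp.start("alice", password_ok=True)
    if prompt is None:
        return False
    number_known_to_victim = None  # the attacker's screen is not in front of her
    return idp.complete(attempt, approved=victim_taps_approve,
                        entered_number=number_known_to_victim)


if __name__ == "__main__":
    for nm in (False, True):
        mode = "number matching" if nm else "plain push"
        print(f"{mode:16} legit user: {legitimate_sign_in(nm)}  "
              f"phished pw + blind approve: {phished_password_sign_in(nm, True)}")
```

Running the block prints one line per mode; the legitimate user succeeds in both, while the phished-password attempt succeeds only under plain push. The model deliberately gives the victim no number at all rather than a random guess, since the question in the thread is about a user who approves without thinking, not one who reads numbers from a screen they cannot see.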
kmaling
Oct 14, 2021 Copper Contributor
Thanks, this is exactly what I was looking for. As I'd mentioned in the OP, I'm on board with the move to/benefits of passwordless login, I was just trying to figure out, in that specific scenario, what it was that made the passwordless method more secure; but your explanation cleared it up. Thank you.