Last year my Twitter feed became full of stories and retweets about how Google “solved the phishing problem” using hardware multi-factor authentication (MFA) tokens. One such article covering this topic was “Google: Security Keys Neutralized Employee Phishing” by the venerable Brian Krebs. While I have a lot of respect for his work, I have to strongly disagree with the title of his blog post. If you haven’t already read the story, take a moment to familiarize yourself with it. I don’t want to be the one to crush your hopes and dreams, but, frankly, this is untrue.
Before we get too far into this, I want to throw this out there and say that for the sake of this article, I use the term MFA loosely and as a synonym for 2-factor authentication (2FA). I will also mention that I am a fan of MFA and cover some information about MFA in a previous article I wrote for this column, “Credential Phishing – Easy Steps to Stymie Hackers”; however, it is not the cure for everything as some people seem to think. In my years doing sysadmin and information security work for the US Army and in the private sector, I have learned to appreciate the great things that MFA can do to secure systems and communications, something I have even covered in previous articles in this very column. I have also learned that it has its limitations as well. I want to go on record saying this, MFA does not solve the phishing epidemic.