Phishy

Multi-factor Authentication (MFA) Testing

How MFA protects your network

Multifactor authentication is one of the most effective safeguards available to ensure only legitimate users can log onto your network. It is based on the idea that an attacker might compromise a password, but requiring two or more independent means of confirmation dramatically increases the level of difficulty when they attempt to use it. However, even MFA has its limits.

MFA Phishy takes phishing to the next level

Symantec VIP is a great solution for multi-factor authentication, but we wondered what happen if the system was breached to send authentication requests to real users. As such, we built Phishy to test end users to see if they would approve a fake authentication request.

phishy infographic showing MFA authentication
phishy user console showing a user's stats

MFA can fail in some cases

The effectiveness of MFA depends greatly on the diligence of your team members. Raxis developed MFA Phishy after watching pentest customers blindly click on MFA push confirmation notices purely from habit. That means the most important benefit of MFA – an additional authentication layer – was essentially bypassed.

How MFA Phishy works

MFA Phishy integrates with Symantec VIP when Symantec VIP is used with Microsoft Azure Active Directory. The tool gives administrators the ability to send bogus authentication requests to team members individually or to the entire organization. The security team can monitor the results in real time, view the performance of users over time, and export a CSV report from a given time period.

The user can either deny the MFA request or take no action at all. A user fails their phishing test only if they approve the malicious request. Retest as many people as many times as you’d like. If you’re like most companies we work with, you’ll soon see the failure rate trending toward zero and new employees catching on quickly.

Phishy settings screen

Results are logged to help with training

At a time when nearly 84% of companies have experienced an identity-related breach, it’s more important than ever to know for certain where your weak points are – not to punish team members but, instead, to train them through repeated, random testing. MFA Phishy can help you permanently change your company’s behaviors and enable you to quantify the improvements over time. MFA Phishy currently supports Symantec VIP running on Azure AD, with future support coming for SMS