This is interesting, though I can’t help but think that the second reason at the end of this paragraph is less a technical problem than someone using your own culture against you.
“Hackers always look for the weak link, and they have learned to get around MFA by exploiting gaps in companies’ lost-phone protocols. They do this by calling the IT help desk, saying they are employees who have lost their phone, so they can’t use the MFA app to log in, and they have some emergency that requires them to get immediate access to the network. They often claim to be a senior executive, which is effective for two reasons. First, there is often a lot of publicly available information about senior executives, including when they are out of the office at speaking events. Second, senior executives are likely to seem credible when they are yelling at IT help-desk staff asking for login credentials on an emergency basis, impatient with delays or policy-related excuses, and threatening people that they will lose their jobs if the executives don’t get what they want.”
Basically, it’s the culture that is your security weakness: a culture in which senior management, or partners for those of us in the law firm environment, routinely intimidate technical support staff. This “hack” doesn’t work if your help-desk staff aren’t used to getting these kinds of requests and threats from the higher-ups, because a yelling caller then stands out as abnormal rather than as business as usual. When it does work, that tells you which culture you have.
How to fix that?