While multifactor authentication has historically been hailed as one of the most significant forms of defense against attacks that leverage compromised credentials, the reality is far from it. MFA attacks are in fact gaining popularity—in the first 90 days of 2022, researchers noted a staggering 113 million attacks against MFA, which is much higher than anything that has ever been recorded.
The truth is, like any other cybersecurity technology, MFA tools are prone to hacking. Every time MFA technologies evolve and become stronger, attackers figure out new methods to circumvent their security. Let’s look at some recent methods attackers use to subvert MFA.
1. Fatigue Attacks
MFA fatigue (a.k.a. MFA spamming) is one of the most simple, yet highly effective attack techniques used by attackers in recent high-profile breaches (such as Uber, Microsoft and Cisco). The way these attacks work is that an attacker floods an endless stream of MFA push requests onto the victim’s mobile device, inflicting a kind of “fatigue” on these login notifications. Eventually, the recipient of these push requests ends up accepting one of these bogus requests as a means to silence them, enabling the threat actor to breach the target environment.
2. Bypass Attacks
Researchers have discovered a number of MFA bypass phishing kits that are becoming increasingly popular and are easily downloadable from dark web marketplaces. These phishing kits use a transparent reverse proxy (TRP) mechanism to fool the victim into thinking that they are logging into a legitimate website. Such attacks are also known as adversary-in-the-middle (AiTM) which basically means the adversary sits between the victim’s device and the website they are trying to access, recording all traffic and interactions, including two-factor authentication codes. Around 10,000 Microsoft customers were recently impacted by an AiTM phishing campaign.
3. Attacks Using Social Engineering
Attackers frequently leverage a range of social engineering tactics to convince users into giving up their credentials and two-factor codes. Sometimes they will send a text message and ask users to verify their identity; sometimes they will impersonate a technical support person and call the victim (i.e. vishing), sometimes they will transfer the victim’s SIM information to another phone (using SIM swapping) to intercept any codes sent by text-based MFA.
4. Dormant and Inactive Accounts
Some large enterprises have hundreds and thousands of users, contractors, suppliers, etc., making it extremely difficult to keep track of so many user accounts. Hackers are known to leverage these dormant accounts to exploit the self-enrollment process of MFA devices. Since there is no additional verification needed for enrollment, attackers can enroll their devices and gain access to those accounts, provided they know the username and password and are the first person to enroll.
How Organizations Can Protect Themselves
MFA technology only makes sense if it can be made resilient to bypassing, hacking or social engineering. Below are some best practices to keep in mind:
- Use Phishing-Resistant MFA: The U.S. government is already directing all federal agencies to use “phishing-resistant” MFA. Phishing-resistant MFA is based on the FIDO2 framework that uses fingerprint readers, cameras and other hardware-level security checks (instead of text-based or push-based MFA) to authenticate users. Since credentials don’t leave the user’s device or are not stored anywhere, it reduces the risk of phishing and credential theft to a great extent.
- Train Users To Recognize MFA Attacks: One of the biggest root causes of MFA attacks is phishing and social engineering. Attackers exploit human weaknesses (distraction, carelessness, biases, judgment errors, negligence, etc.) to overcome MFA defenses. Employees must be educated on the strengths and weaknesses of MFA, trained to identify and report suspicious activity and instructed to be particularly careful with push notifications. Furthermore, they should always be using a password manager to generate long and unique passwords that are impossible to guess or be brute-forced.
- Make Existing Solutions More Resilient: In situations where deploying phishing-resistant MFA is not an option, there are a number of things organizations can do to bolster MFA security. This can include adding more context to user logins such as device name, ID, location, etc. (so that users can take a much more informed decision when approving MFA requests), binding MFA devices to specific URLs, devices and hosts (this can help stop AiTM attacks) and ensuring that the MFA solution is built using NIST-approved (or FIPS-validated) cryptography. It’s also critical that organizations make their credential reset, device enrollment and MFA recovery processes rigorous so that it’s not easy for attackers to exploit them. Finally, anything like a security token, a seed value or a session cookie should be set up to expire quickly, rather than leaving it active for more than 24 hours.
Cybersecurity will always be vulnerable to phishing and social engineering regardless of how watertight it is. Train employees well and sharpen their cybersecurity instincts so that they are not tricked by an adversary that is disguised as an MFA request.