At Mantra, we are often asked by our customers what our opinion of Multi-Factor Authentication (MFA) is and how hackers can beat it. Broadly speaking, MFA is definitely a must-have. But it is certainly not a silver bullet against phishing attacks: attackers have adapted their tooling and can defeat the most common forms of MFA at scale.
Let’s first define what MFA is. MFA, offered by providers such as Microsoft Authenticator, Duo, Google Authenticator and Okta, requires users to present two or more pieces of evidence to access a service, rather than a basic email/password combination. The most common form is two-factor authentication (2FA), where the user must provide one additional element after the password. That element is often a code sent by SMS, a code generated by an authenticator app, or the approval of a push notification.
Using MFA is a best practice for securing access to sensitive sites and apps. It should not, however, create a false sense of security: attackers have adapted and can now bypass several common MFA methods with relative ease and at scale. This article explores some of the ways attackers defeat or sidestep MFA: adversary-in-the-middle (MITM) phishing, SMS interception, vulnerabilities in MFA implementations, endpoint malware, consent phishing and SSO abuse.
MITM attacks (more precisely, adversary-in-the-middle or reverse-proxy phishing) trick the user into believing they are connecting to the real website when they are in fact entering their credentials into a lookalike site controlled by the attacker. The user usually lands on the fake login page through a spear-phishing email. The attack bypasses MFA because the fake site is a proxy: the password entered on it is forwarded in real time to the real site, the real site's MFA prompt (SMS code, authenticator code or push approval) is forwarded to the user, and the user's answer is forwarded back. Once the real site accepts the login, the attacker captures the resulting session cookie and uses it without ever needing the second factor again. The one common factor this does not defeat is a FIDO2/WebAuthn or U2F security key, because its signature is bound to the origin the browser is actually talking to: a signature produced for the lookalike domain is rejected by the real site.
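To make the relay concrete, here is a small simulation we have added for this article; it is not code from any phishing kit or product. It assumes two constructed origins, login.example.com for the real site and login.examp1e.com for the lookalike, a constructed user "alice", and replaces the WebAuthn signature with an HMAC so that it runs with the Python standard library alone. The same proxy logic yields a session cookie when the second factor is a TOTP code and fails when it is an origin-bound security key assertion.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed origins: the legitimate site and the attacker's lookalike.
REAL_ORIGIN = "https://login.example.com"
FAKE_ORIGIN = "https://login.examp1e.com"


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the kind of code a proxy simply forwards."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sign_client_data(key, client_data):
    """Toy stand-in for the WebAuthn signature (HMAC instead of a per-site key pair)."""
    payload = json.dumps(client_data, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class RealSite:
    """The legitimate service. During the attack it only ever talks to the proxy."""

    def __init__(self, users):
        self.users = users
        self.challenges = {}

    def login_password_totp(self, user, password, code, now):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(u["password"], password):
            return None
        if not hmac.compare_digest(totp(u["totp_secret"], now), code):
            return None
        return "session=" + secrets.token_hex(8)   # the cookie the attacker is after

    def start_fido(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def finish_fido(self, user, client_data, signature):
        u = self.users.get(user)
        challenge = self.challenges.pop(user, None)
        if u is None or challenge is None or client_data.get("challenge") != challenge:
            return None
        # Origin binding: the site only accepts assertions the browser made for it.
        if client_data.get("origin") != REAL_ORIGIN:
            return None
        if not hmac.compare_digest(sign_client_data(u["fido_key"], client_data), signature):
            return None
        return "session=" + secrets.token_hex(8)


class VictimBrowser:
    def __init__(self, user, password, totp_secret, fido_key):
        self.user, self.password = user, password
        self.totp_secret, self.fido_key = totp_secret, fido_key

    def submit_password_totp(self, now):
        # The victim types whatever the page in front of them asks for.
        return self.user, self.password, totp(self.totp_secret, now)

    def sign_fido(self, page_origin, challenge):
        # The browser, not the user, records the origin of the page that asked,
        # so the lookalike cannot trick the user into "typing" the real one.
        client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
        return client_data, sign_client_data(self.fido_key, client_data)


def relay_password_totp(real, victim, now):
    """Lookalike page forwards password and code to the real site in real time."""
    user, password, code = victim.submit_password_totp(now)
    return real.login_password_totp(user, password, code, now)


def relay_fido(real, victim):
    """Lookalike page fetches the real challenge and forwards the victim's assertion."""
    challenge = real.start_fido(victim.user)
    client_data, sig = victim.sign_fido(FAKE_ORIGIN, challenge)   # signed while on the fake page
    return real.finish_fido(victim.user, client_data, sig)


def demo(now=1_700_000_000):
    """Returns (cookie obtained via the TOTP relay, cookie obtained via the FIDO relay)."""
    secret, key = b"12345678901234567890", b"toy-authenticator-key"
    real = RealSite({"alice": {"password": "correct horse", "totp_secret": secret, "fido_key": key}})
    victim = VictimBrowser("alice", "correct horse", secret, key)
    return relay_password_totp(real, victim, now), relay_fido(real, victim)
```

Calling demo() returns a valid session cookie for the TOTP path and None for the security-key path. Nothing in the TOTP flow tells the real site that the code travelled through a proxy; the security key fails only because the browser itself wrote the lookalike origin into the signed data. Real phishing proxies also strip or rewrite the cookie's domain attributes and handle push approvals the same way, by simply waiting for the user to tap "approve".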
Many MFA deployments rely on SMS as the second factor: a one-time code is sent by text message to verify the login. The problem is that the SMS channel itself is weak. The code can be phished just like a password, read by malware on the phone, redirected by SIM swapping (convincing the carrier to move the victim's number to an attacker-controlled SIM) or intercepted through weaknesses in the SS7 telephony signalling network. This is why NIST SP 800-63B classes out-of-band authentication over the public telephone network as restricted.
Like all software, MFA implementations have vulnerabilities that can be exploited. Typical defects are an OTP verification endpoint without rate limiting (a six-digit code has only a million possible values, so unlimited guesses amount to no second factor at all), codes that remain valid after use or well past their intended lifetime, enrollment or recovery flows that let an attacker register their own device, and comparison logic that leaks information through timing.
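The following example, added for this article and not taken from any product, shows the most common of those implementation defects side by side with its fix. It assumes a constructed six-digit SMS-style code and an attacker who already holds the password: against a verifier with no attempt limit the attacker simply tries every value, while a verifier that limits attempts, expires the code, burns it on first use and compares in constant time stops the same loop after five guesses.

```python
import hmac
import secrets

CODE_DIGITS = 6


def new_code():
    """Random code of the kind sent by SMS."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


class NaiveOtpVerifier:
    """Weak: unlimited attempts, no expiry, and the code stays valid after use."""

    def __init__(self):
        self.codes = {}   # user -> code

    def issue(self, user, now):
        self.codes[user] = new_code()
        return self.codes[user]

    def verify(self, user, code, now):
        return self.codes.get(user) == code


class HardenedOtpVerifier:
    """Bounded attempts, short lifetime, single use, constant-time comparison."""

    MAX_ATTEMPTS = 5
    TTL_SECONDS = 300

    def __init__(self):
        self.state = {}   # user -> {"code", "issued", "attempts"}

    def issue(self, user, now):
        self.state[user] = {"code": new_code(), "issued": now, "attempts": 0}
        return self.state[user]["code"]

    def verify(self, user, code, now):
        st = self.state.get(user)
        if st is None:
            return False
        if now - st["issued"] > self.TTL_SECONDS:
            del self.state[user]            # expired
            return False
        st["attempts"] += 1
        if st["attempts"] > self.MAX_ATTEMPTS:
            del self.state[user]            # too many failures: the code is burnt
            return False
        ok = hmac.compare_digest(st["code"], code)
        if ok:
            del self.state[user]            # single use
        return ok


def brute_force(verifier, user, now):
    """Attacker who already has the password tries every possible code.
    Returns the number of guesses that were needed, or None if locked out."""
    for guess in range(10 ** CODE_DIGITS):
        if verifier.verify(user, f"{guess:0{CODE_DIGITS}d}", now):
            return guess + 1
    return None
```

The attempt counter has to live with the account, not with the client's IP address, because the attacker can spread a million guesses across many addresses. Issuing a fresh code must also discard the previous one, otherwise every "resend" multiplies the number of valid codes.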
Beyond defeating MFA head-on, attackers have also found ways around it, which is a reminder that MFA alone is no guarantee against compromise.
Malware successfully installed on an endpoint defeats MFA regardless of which factor is used, because it operates after the user has authenticated. It lets attackers hijack or shadow live sessions, steal session cookies and tokens from the browser's storage, and use them to reach further resources. Most systems keep users logged in after the initial authentication by issuing a cookie or session token; malware that exfiltrates these (commodity infostealers do exactly this) gives the attacker access for as long as the session remains valid, which is often days or weeks.
The most common ways malware lands on a device (computer or mobile) are spear-phishing attachments and links, drive-by downloads and exploitation of unpatched software. A successful attack of this kind negates MFA protection entirely.
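A stolen cookie leaves a trace that is worth hunting for: the same session token appears from a different machine without any login in between. The detection below is an example we have added for this article (not a product's rule set) and runs over a constructed web-application log in JSON-lines form, with addresses from the documentation ranges. It binds each session to the client fingerprint seen at login and raises an alert the first time the token is used with a different fingerprint, or with no login at all.

```python
import json

# Constructed log, one JSON object per line. Session s-7f3a is issued to alice after an
# MFA login from one machine, then reused from another address and browser with no login
# event in between: the signature of a stolen cookie. Session s-9e01 has no login at all.
SAMPLE_LOG = """\
{"ts": 1700000000, "event": "login_success", "user": "alice", "session": "s-7f3a", "ip": "203.0.113.10", "ua": "Chrome/118 Windows", "mfa": "push"}
{"ts": 1700000120, "event": "request", "user": "alice", "session": "s-7f3a", "ip": "203.0.113.10", "ua": "Chrome/118 Windows", "path": "/mail"}
{"ts": 1700000900, "event": "request", "user": "alice", "session": "s-7f3a", "ip": "198.51.100.77", "ua": "Firefox/119 Linux", "path": "/admin/export"}
{"ts": 1700001000, "event": "request", "user": "alice", "session": "s-7f3a", "ip": "198.51.100.77", "ua": "Firefox/119 Linux", "path": "/admin/users"}
{"ts": 1700001100, "event": "login_success", "user": "bob", "session": "s-21cc", "ip": "203.0.113.44", "ua": "Safari/17 macOS", "mfa": "totp"}
{"ts": 1700001200, "event": "request", "user": "bob", "session": "s-21cc", "ip": "203.0.113.44", "ua": "Safari/17 macOS", "path": "/files"}
{"ts": 1700001300, "event": "request", "user": "carol", "session": "s-9e01", "ip": "198.51.100.77", "ua": "Firefox/119 Linux", "path": "/files"}
"""


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_session_reuse(events):
    """Bind each session token to the client fingerprint seen at login; alert the first
    time the token shows up with a different fingerprint, or without any login."""
    bound = {}        # session -> (user, ip, ua, login ts)
    alerted = set()   # one alert per session is enough for triage
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        sid = e["session"]
        if e["event"] == "login_success":
            bound[sid] = (e["user"], e["ip"], e["ua"], e["ts"])
            continue
        if sid in alerted:
            continue
        if sid not in bound:
            alerts.append({"rule": "session_without_login", "session": sid,
                           "user": e["user"], "ts": e["ts"], "ip": e["ip"]})
            alerted.add(sid)
            continue
        user, ip, ua, _login_ts = bound[sid]
        if (e["ip"], e["ua"]) != (ip, ua):
            alerts.append({"rule": "session_fingerprint_changed", "session": sid, "user": user,
                           "ts": e["ts"], "login_ip": ip, "login_ua": ua,
                           "ip": e["ip"], "ua": e["ua"], "path": e.get("path")})
            alerted.add(sid)
    return alerts
```

Address changes alone are noisy (mobile carriers and VPNs move users between addresses all the time), so the rule keys on address and browser together and is best fed into a review queue rather than an automatic block. The structural fix is to shorten session lifetimes and, where the platform supports it, bind sessions to the device so that an exported cookie is useless elsewhere.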
The spread of cloud-based SaaS has given rise to consent phishing. These attacks differ from traditional phishing: rather than harvesting credentials, the attacker tricks the target into granting OAuth permissions to a malicious third-party application. Attacks of this type are likely to keep increasing in frequency.
For example, the target is sent a link to a genuine Office 365 (Microsoft 365) login page. The sign-in is real, MFA included; the purpose of the request is not to capture credentials but to have the user approve a consent screen that grants the attacker's application read/write access to mailboxes or files and, through the offline_access scope, a refresh token that keeps working after the user has logged out. MFA is completely bypassed because the target is, unwittingly, authorizing the access themselves. The main defence is administrative: restricting which applications users may consent to, and reviewing the permissions already granted to existing ones.
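Because the link really does point at Microsoft's authorization endpoint, the tell is in the query string, not the host name. The checker below is an example we have added for this article, not a Microsoft feature: it parses a constructed consent link (the client_id, redirect host and allow list are all made up for the example; the scope names are genuine Microsoft Graph delegated permissions) and flags what the application is actually asking for.

```python
from urllib.parse import parse_qs, urlparse

# Microsoft Graph delegated permissions that give an application broad or durable access.
HIGH_RISK_SCOPES = {
    "offline_access",                     # refresh token: access outlives the user's session
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "User.ReadWrite.All", "Directory.ReadWrite.All",
}

# Hypothetical allow list of application IDs the organization has reviewed (constructed).
APPROVED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}

GENUINE_AUTHORIZE_HOSTS = {"login.microsoftonline.com"}


def review_consent_link(url):
    """Classify an OAuth authorization link the way a reviewer or mail gateway would."""
    parts = urlparse(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    scopes = set(query.get("scope", "").split())
    client_id = query.get("client_id", "")
    redirect_host = urlparse(query.get("redirect_uri", "")).hostname
    findings = []

    if parts.hostname in GENUINE_AUTHORIZE_HOSTS and parts.path.endswith("/oauth2/v2.0/authorize"):
        findings.append("genuine Microsoft authorization endpoint: the host name is not the tell")
    risky = scopes & HIGH_RISK_SCOPES
    if risky:
        findings.append("requests broad or persistent access: " + ", ".join(sorted(risky)))
    if client_id not in APPROVED_CLIENT_IDS:
        findings.append(f"client_id {client_id or '<missing>'} is not a reviewed application")
    if redirect_host:
        findings.append(f"tokens will be delivered to {redirect_host}")

    verdict = "block" if risky and client_id not in APPROVED_CLIENT_IDS else "allow"
    return {"verdict": verdict, "client_id": client_id, "scopes": sorted(scopes),
            "risky_scopes": sorted(risky), "redirect_host": redirect_host, "findings": findings}


# Constructed phishing link: real endpoint, attacker's application and redirect.
PHISHING_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=deadbeef-0000-4000-8000-000000000001"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-share.examp1e.com%2Fcallback"
    "&scope=openid%20profile%20offline_access%20Mail.Read%20Files.ReadWrite.All"
    "&state=f3a9"
)

# Constructed benign link: a reviewed application asking for basic profile access.
BENIGN_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fintranet.example.com%2Fauth"
    "&scope=openid%20profile%20User.Read"
)
```

The same policy belongs in the tenant itself: in Microsoft Entra ID the user consent settings can be restricted so that users may only consent to applications from verified publishers for low-impact permissions, with everything else routed through an admin consent request.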
Single sign-on (SSO) is often implemented for the convenience of users, who then need to authenticate only once. If poorly designed, however, it lets attackers bypass MFA on a site that shares an SSO system with another site that does not require MFA: logging in to the weaker site yields an SSO session that the stronger site accepts. MFA has to be enforced at the identity provider, for every application it serves, rather than application by application.
A more sophisticated attack built on similar principles is the Golden SAML attack used in the 2020 SolarWinds intrusion. SAML is a standard for exchanging authentication assertions between parties and is what makes federated SSO work: the identity provider (for instance AD FS) signs an assertion stating who the user is, and each service provider trusts that signature. Attackers who have already gained a foothold and elevated privileges in the network through conventional techniques can extract the private key of the token-signing certificate. With it they can forge assertions for any user, with any group memberships and any authentication context they choose, and present them to every SSO-connected service. No MFA prompt ever occurs, because the forged assertion claims the authentication already happened; and since the identity provider has no record of issuing it, that missing record is also the basis for detecting the attack.
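The trust relationship, the forgery and the detection fit in a short simulation, which we have added for this article; it is not AD FS code, nor code from the SolarWinds investigation. It assumes a constructed identity provider and service provider and replaces the RSA/XML Signature of real SAML with an HMAC over a JSON body so that it runs with the standard library; the point is that the service provider checks only the signature and the validity window, never whether the identity provider actually authenticated anyone.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Toy stand-in for the token-signing certificate: one HMAC key. Real SAML uses an RSA
# key pair and XML Signature, but the trust is the same: whoever holds the signing key
# can mint assertions every service provider accepts. Everything here is constructed.


def sign_assertion(signing_key, body):
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_assertion(signing_key, token):
    payload_b64, tag = token.split(".")
    payload = base64.urlsafe_b64decode(payload_b64)
    if not hmac.compare_digest(hmac.new(signing_key, payload, hashlib.sha256).hexdigest(), tag):
        return None
    return json.loads(payload)


AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


class IdentityProvider:
    """AD FS-like IdP: checks password and MFA, then signs an assertion and logs it."""

    def __init__(self, signing_key, users):
        self.signing_key, self.users = signing_key, users
        self.issued_ids = {}   # assertion id -> subject: the IdP's own audit trail

    def authenticate(self, user, password, mfa_passed, now):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(u["password"], password) or not mfa_passed:
            return None
        body = {"id": "_" + secrets.token_hex(8), "subject": user, "groups": u["groups"],
                "issued": now, "expires": now + 300, "authn_context": AUTHN_CONTEXT}
        self.issued_ids[body["id"]] = user
        return sign_assertion(self.signing_key, body)


class ServiceProvider:
    """Relying application: trusts any well-formed, in-date assertion under the IdP key."""

    def __init__(self, idp_signing_key):
        self.idp_signing_key = idp_signing_key
        self.accepted_ids = {}   # assertion id -> subject: the SP's own audit trail

    def consume(self, token, now):
        if token is None:
            return None
        body = verify_assertion(self.idp_signing_key, token)
        if body is None or not (body["issued"] <= now < body["expires"]):
            return None
        self.accepted_ids[body["id"]] = body["subject"]
        return body   # no password, no MFA prompt: the assertion says it already happened


def golden_saml(stolen_key, subject, groups, now):
    """Attacker holding the stolen signing key mints an assertion the IdP never issued."""
    body = {"id": "_" + secrets.token_hex(8), "subject": subject, "groups": groups,
            "issued": now, "expires": now + 3600, "authn_context": AUTHN_CONTEXT}
    return sign_assertion(stolen_key, body)


def find_forged(idp, sp):
    """Detection: assertions the SP accepted that the IdP has no record of issuing."""
    return sorted(aid for aid in sp.accepted_ids if aid not in idp.issued_ids)


def demo(now=1_700_000_000):
    """Returns (legitimate assertion body, forged assertion body, suspicious assertion ids)."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider(key, {"alice": {"password": "correct horse", "groups": ["staff"]}})
    sp = ServiceProvider(key)
    legit = sp.consume(idp.authenticate("alice", "correct horse", True, now), now)
    # The attacker has exfiltrated `key` from the IdP host and targets a privileged account.
    forged = sp.consume(golden_saml(key, "admin", ["Domain Admins"], now), now)
    return legit, forged, find_forged(idp, sp)
```

In production the same correlation is done between the relying parties' sign-in records and the federation server's token issuance events: an assertion that a service accepted but the identity provider never logged is the signature of the attack. Recovery means rotating the token-signing certificate, twice, so that the previously trusted certificate also leaves the trust set, in addition to evicting the attacker from the environment.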
MFA is of course a must-have and should be relied upon to protect access to sensitive sites and apps. It is powerful against basic attacks, including mass phishing, and protects very well against password reuse and credential stuffing. Deploying best-in-class options, such as device management with conditional access and, ideally, FIDO2/U2F security keys, goes a long way against most credential attacks.
But attackers have also upped their game. They now factor MFA into their strategies and have come up with multiple workarounds. And a compromised device lets them bypass MFA outright, even with U2F deployed, because the malware simply takes over the session after the key has been used.
Reliance on MFA should therefore not generate a false sense of confidence within an organization. It is no substitute for maintaining vigilance and developing a cybersecurity culture.