At Mantra, customers often ask us what we think of Multi-Factor Authentication (MFA) and how hackers manage to beat it. Broadly speaking, MFA is definitely a must-have. But it is certainly not a silver bullet against phishing: hackers have adapted their tooling and can now defeat it at scale.

Let's first define what MFA is. MFA works by requiring that users provide two or more independent pieces of evidence to access a service (typically something they know, such as a password, plus something they have, such as a phone or a hardware key), as opposed to a basic email/password combination. It is offered by a range of providers (Microsoft Authenticator, Duo, Google Authenticator, Okta, etc.). The most common form is two-factor authentication (2FA), where the user is asked for a second element after the password. This element is often a one-time code sent by SMS, a code generated by an authenticator app, or the approval of a push notification.

Using MFA is a best practice to secure access to sensitive sites and apps. However, it should not create a false sense of security: hackers have adapted and can now bypass many MFA deployments with relative ease and at scale. This article explores some of the ways attackers exploit weaknesses in and around MFA by discussing:

  1. How hackers beat MFA head-on
  2. Techniques hackers use to simply avoid MFA

1. BEATING MFA 

Man-in-the-middle attacks (MITM)

MITM attacks (also called adversary-in-the-middle, AiTM) trick users into believing they are connecting to the real website when they are in fact typing their credentials into a lookalike site, or into a reverse proxy that sits between them and the real site, controlled by the hackers. The visit to the fake login page is very often triggered by a spear-phishing email. MITM attacks bypass MFA because everything the user enters into the fake site is forwarded, in real time, to the real one. Any MFA challenge the real site issues is relayed back to the user, who answers it without noticing anything wrong, and the answer is forwarded in turn.

  • “2FA Pass-On”: In this example, a user falls prey to a phishing attack and enters his credentials in a fake login page. The hackers replay them (automatically or manually) on the real website, which triggers an MFA request (a one-time code or a push notification). If the user also types the code into the fake page or confirms the push, the hackers obtain the information or access they need to use his account. A one-time code is only valid for a short window, so the replay has to happen within seconds; automated tooling makes that trivial.
  • “Session Token Stealing”: More worryingly, hackers conduct attacks that target the session cookie or token generated once a user has fully authenticated to an app. These MITM attacks can be performed at scale and are not “a capability reserved to the big sophisticated actors” (C. Guarnieri, technologist at Amnesty International). Hackers can indeed use off-the-shelf tools (such as Evilginx, a reverse proxy that serves the genuine login page through the attacker's own domain), which increases both the ease and the credibility of their attacks.
    With these tools, the attack also starts with a phishing email, but the victim is shown the legitimate login page itself, proxied through the hackers' server, rather than a hand-made copy. As shown in the illustration below, the credentials entered are forwarded automatically, as is any 2FA code or push approval. The end result is that the user is logged in normally, but the session token issued by the real site passed through the proxy and was captured there, granting the hackers access without needing the password or the second factor again for as long as the session remains valid.
[Illustration: Man-in-the-middle attack]

Obtaining one-time codes sent via SMS

Many MFA deployments rely on SMS for the second factor: a one-time code is sent by text message to verify the login. The problem is that there are several ways for hackers to defeat SMS-based MFA.

  • Social engineering: The most common way is to use social engineering to obtain the code. Hackers log in with the target's credentials (acquired earlier), which triggers the SMS code. They then send the target a tailored message of their own, for example stating that a security check is in progress and that the user should reply with the code received moments before. Messages of this kind can have a success rate as high as 50%. Once the hackers have the code, they finish logging in.
  • SIM swapping: Another way to exploit SMS weaknesses is SIM swapping. Using phishing and social engineering against the phone carrier, the hackers get the target's phone number ported to a SIM card they control, so that the SMS codes (and every other text message) reach them instead of the legitimate user.

MFA vulnerabilities that can be exploited

Like all software, MFA products have vulnerabilities that can be exploited.

  • Software deficiencies: All software has bugs and weaknesses, and MFA is no different. Most MFA solutions have had exploits published that temporarily exposed opportunities for attack (e.g. a red team recently disclosed a vulnerability in a 2FA provider that allowed the attackers to receive the 2FA push notifications instead of the user).
  • Recovery settings: Another weakness that MFA shares with other software relates to account recovery. People forget their passwords, and access has to be set up or modified regularly. While MFA itself can provide a high degree of security, the fallback procedures around it are often much weaker. For example, a common recovery method is sending a link to a secondary email address (or an SMS with a link), as illustrated below. If that backup address or phone is compromised, the hackers gain access to their target's account without ever facing the MFA challenge. Recovery questions such as a pet's name or a favourite football team have also proven notoriously vulnerable to social-media reconnaissance or plain guessing.

2. AVOIDING MFA

While hackers have been effective at finding ways to beat MFA head-on, they have also found ways around it entirely, which shows that relying on MFA alone is no guarantee against compromise.

Endpoint compromise

Successfully installing malware on an endpoint (computer or phone) undermines MFA regardless of how strong the factor is, because the malware operates after authentication has already succeeded. It lets hackers ride along on the user's authenticated sessions, steal and replay session cookies, or reach additional resources from the trusted device. Many systems keep users logged in after the initial authentication by issuing a cookie or session token; malware that harvests these tokens can grant hackers access for as long as the session remains valid, often days or weeks.

The most common ways malware gets onto a device are spear-phishing attachments or links, drive-by downloads, and unpatched software. A successful attack of this kind negates MFA protection.
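Whether the cookie travelled through an AiTM proxy or was lifted by malware on the endpoint, the tell-tale sign on the server side is the same: a session token in use from a client that never logged in with it. The following added detection example (not Mantra's product code) runs over a handful of constructed JSON access-log lines; the field names ts, event, sid, ip and ua are assumptions about the log format, and the /24 network comparison is a stand-in for an ASN or geo lookup.

```python
"""Flagging session tokens used from a client other than the one that logged in.

Added example over constructed JSON access-log lines. Field names (ts, event,
sid, ip, ua) are assumptions about the log format. The same signal covers a
cookie relayed through an AiTM proxy and a cookie lifted from an infected
endpoint: in both cases the token turns up on a client the user never logged in from.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed log: alice logs in from her browser, then her session is driven
# within seconds from another network by a scripted client. bob's session moves
# inside the same /24 (office NAT churn) and is left alone. s9 has no login at all.
LOG_LINES = [
    '{"ts": 1700000000, "event": "login", "user": "alice", "sid": "s1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/118"}',
    '{"ts": 1700000030, "event": "request", "sid": "s1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/118", "path": "/mail"}',
    '{"ts": 1700000045, "event": "request", "sid": "s1", "ip": "198.51.100.77", "ua": "python-requests/2.31", "path": "/mail/export"}',
    '{"ts": 1700000060, "event": "request", "sid": "s1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/118", "path": "/mail"}',
    '{"ts": 1700000100, "event": "login", "user": "bob", "sid": "s2", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/605"}',
    '{"ts": 1700000130, "event": "request", "sid": "s2", "ip": "192.0.2.9", "ua": "Mozilla/5.0 (Macintosh) Safari/605", "path": "/files"}',
    '{"ts": 1700000200, "event": "request", "sid": "s9", "ip": "198.51.100.77", "ua": "python-requests/2.31", "path": "/admin"}',
]


def same_network(a, b):
    """Crude locality check: same /24 (IPv4) or /64 (IPv6). Stand-in for ASN or geo lookups."""
    ia, ib = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if ia.version != ib.version:
        return False
    bits = 24 if ia.version == 4 else 64
    return (ipaddress.ip_network(f"{a}/{bits}", strict=False)
            == ipaddress.ip_network(f"{b}/{bits}", strict=False))


def find_session_anomalies(lines, window=120):
    """Return {sid: [(kind, ts, ip), ...]} for sessions that deviate from their login client."""
    bound = {}                   # sid -> (ip, ua) recorded at login
    seen = defaultdict(list)     # sid -> [(ts, ip)] for every use so far
    findings = defaultdict(list)
    for raw in lines:
        ev = json.loads(raw)
        sid, ts, ip, ua = ev["sid"], ev["ts"], ev["ip"], ev["ua"]
        if ev["event"] == "login":
            bound[sid] = (ip, ua)
            seen[sid].append((ts, ip))
            continue
        if sid not in bound:
            # Token in use with no login on record: minted elsewhere or stolen before logging began.
            findings[sid].append(("unbound_session", ts, ip))
            continue
        ip0, ua0 = bound[sid]
        if ua != ua0:
            findings[sid].append(("ua_change", ts, ip))
        if not same_network(ip0, ip):
            findings[sid].append(("ip_change", ts, ip))
        # Two distant networks driving one session inside `window` seconds means the
        # legitimate browser and the thief are active at the same time.
        if any(not same_network(p_ip, ip) and ts - p_ts <= window for p_ts, p_ip in seen[sid]):
            findings[sid].append(("concurrent_use", ts, ip))
        seen[sid].append((ts, ip))
    return dict(findings)


if __name__ == "__main__":
    for sid, hits in find_session_anomalies(LOG_LINES).items():
        for kind, ts, ip in hits:
            print(f"{sid}: {kind} at {ts} from {ip}")
```

On the constructed data s1 is flagged for a user-agent change, a network change and concurrent use from two networks, s9 is flagged as a session with no login on record, and s2 stays clean. In production the concurrency and network checks are the ones worth tuning: mobile users change addresses legitimately, but a browser and a scripted client sharing one cookie from two networks within two minutes almost never is.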

Consent phishing

The adoption of cloud-based SaaS has given rise to consent phishing. These attacks differ from traditional phishing: instead of harvesting credentials, the hackers' goal is to trick the target into granting permissions to a malicious third-party application through the platform's OAuth consent flow. Attacks of this type are likely to increase in frequency.

For example, the target receives a phishing link that leads to the genuine Office 365 login page. The purpose of this sign-in is not to capture the target's credentials but to get the target to approve a consent prompt granting the hackers' application read/write access to mail or files, and often offline access (a refresh token) so that the access persists after the user logs out. MFA is completely bypassed: the user authenticates legitimately, MFA included, and then unwittingly hands the resulting permissions to the hackers.
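An added example of how a defender might triage such a link before a user clicks it, or when it turns up in a mail-gateway log. It is not Mantra's or Microsoft's code. The shape of the Microsoft identity platform authorize URL (the /oauth2/v2.0/authorize endpoint with client_id, scope, redirect_uri and prompt parameters) and the Microsoft Graph permission names are real; the client IDs, redirect hosts, state value and the approval list are constructed.

```python
"""Triage of an OAuth 2.0 authorization request of the kind used in consent phishing.

Added example. The authorize URL layout and the Microsoft Graph permission names
are real; client IDs, redirect hosts, state and the approved-app list are constructed.
Note what is absent from the flow: no password is ever asked for. The user signs in
legitimately (MFA included) and then hands the application the requested permissions.
"""
from urllib.parse import parse_qs, urlparse

# Constructed: applications the organisation has reviewed and approved for consent.
APPROVED_CLIENT_IDS = {"11111111-1111-1111-1111-111111111111"}

# Delegated permissions that let an app read or act on a user's data persistently.
HIGH_RISK_SCOPES = {
    "offline_access",   # refresh token: access survives logout and password changes
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "Contacts.ReadWrite",
    "Directory.AccessAsUser.All", "User.ReadWrite.All",
}

# Constructed consent-phishing link: unknown app, mailbox + files + offline access, forced consent.
PHISH_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=22222222-2222-2222-2222-222222222222&response_type=code"
    "&redirect_uri=https%3A%2F%2Fofficedocs-viewer.example%2Fcallback&response_mode=query"
    "&scope=openid%20profile%20offline_access%20User.Read%20Mail.ReadWrite%20Files.ReadWrite.All"
    "&prompt=consent&state=constructed"
)

# Constructed benign link: approved app asking only for basic profile access.
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fauth&scope=openid%20profile%20User.Read"
    "&state=constructed"
)


def assess_consent_url(url):
    """Return {'risky': bool, 'reasons': [...], 'scopes': [...]} for an authorize URL."""
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}   # parse_qs already URL-decodes
    scopes = q.get("scope", "").split()
    if parts.hostname != "login.microsoftonline.com" or "/oauth2/v2.0/authorize" not in parts.path:
        return {"risky": False, "reasons": ["not a Microsoft identity platform authorize request"], "scopes": scopes}
    reasons = []
    if q.get("client_id") not in APPROVED_CLIENT_IDS:
        reasons.append("client_id not in the approved application list")
    risky = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes requested: " + ", ".join(risky))
    if q.get("prompt") == "consent":
        reasons.append("prompt=consent forces a fresh consent screen even for known apps")
    if urlparse(q.get("redirect_uri", "")).scheme != "https":
        reasons.append("redirect_uri is not https")
    return {"risky": bool(reasons), "reasons": reasons, "scopes": scopes}


if __name__ == "__main__":
    for label, url in (("phish", PHISH_URL), ("benign", BENIGN_URL)):
        verdict = assess_consent_url(url)
        print(label, "risky" if verdict["risky"] else "ok", verdict["reasons"])
```

The same scope check applies to the "Consent to application" entries in the tenant's audit log after the fact; the durable fix is to restrict which applications users may consent to at all, so that a prompt for offline_access plus mailbox scopes from an unknown publisher never reaches the user in the first place.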

Relying on weaknesses of SSO set-up

Single sign-on (SSO) is often implemented for convenience: users authenticate once and gain access to many applications. If poorly designed, however, it can let hackers bypass MFA on an application that shares its SSO system with another application that does not require MFA. Logging in to the weaker application then gives the hackers an SSO session that the stronger application will accept.

A more sophisticated attack that relies on similar principles is the so-called Golden SAML attack, used in the 2020 SolarWinds campaign. SAML is a standard for exchanging authentication assertions between an identity provider and the service providers that trust it, and is what makes many SSO set-ups work. In these attacks, hackers who have already gained a foothold in the network and elevated privileges through conventional techniques steal the private key (typically the token-signing certificate of the federation server) used to sign SAML assertions. With it, they can forge assertions for any user, with whatever attributes and group memberships they choose, and access every SSO-connected resource without ever touching the identity provider, and therefore without ever facing MFA.
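An added detection example for the Golden SAML case (not Mantra's tooling and not specific to any IdP product). Because a forged assertion is signed with the genuine stolen key, signature validation passes at the service provider; what gives it away is that the identity provider never issued it. The example parses constructed SAML 2.0 assertions and correlates their IDs with a constructed IdP issuance log; the issuer URL, the subjects and the one-hour lifetime policy are assumptions, and signature checking is deliberately left out because it would succeed anyway.

```python
"""Correlating SAML assertions consumed by a service provider with the identity
provider's issuance log, to spot forged (Golden SAML) assertions.

Added example with constructed assertions. It assumes the IdP records the ID of
every assertion it issues and the SP records every assertion it accepts. A Golden
SAML token is signed with the stolen token-signing key, so the signature verifies;
what it lacks is a matching issuance event, and it often carries a lifetime no real
IdP policy would grant. Signature verification is out of scope here on purpose.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_ISSUER = "http://idp.example.com/adfs/services/trust"   # constructed IdP entity ID
MAX_LIFETIME = timedelta(hours=1)                               # assumed IdP policy


def make_assertion(aid, subject, not_before, not_after):
    """Build a minimal (unsigned) SAML 2.0 assertion for the constructed data set."""
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="{aid}" Version="2.0" IssueInstant="{not_before}">'
        f"<saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}"/>'
        "</saml:Assertion>"
    )


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_assertion(xml):
    """Extract the fields a correlation check needs from one assertion."""
    root = ET.fromstring(xml)
    cond = root.find("saml:Conditions", NS)
    return {
        "id": root.attrib["ID"],
        "issuer": root.find("saml:Issuer", NS).text,
        "subject": root.find("saml:Subject/saml:NameID", NS).text,
        "not_before": _ts(cond.attrib["NotBefore"]),
        "not_after": _ts(cond.attrib["NotOnOrAfter"]),
    }


# Constructed IdP issuance log: assertion ID -> subject it was issued to.
IDP_ISSUED = {"_a1": "alice@example.com", "_a2": "bob@example.com"}

# Constructed SP log: assertions the SP accepted. The third never passed through the IdP
# and claims a 30-day validity window.
SP_CONSUMED = [
    make_assertion("_a1", "alice@example.com", "2020-12-14T09:00:00Z", "2020-12-14T10:00:00Z"),
    make_assertion("_a2", "bob@example.com", "2020-12-14T09:05:00Z", "2020-12-14T10:05:00Z"),
    make_assertion("_forged01", "admin@example.com", "2020-12-14T09:10:00Z", "2021-01-13T09:10:00Z"),
]


def find_forged(consumed, issued, expected_issuer=EXPECTED_ISSUER, max_lifetime=MAX_LIFETIME):
    """Return {assertion_id: [reasons]} for consumed assertions the IdP cannot vouch for."""
    findings = {}
    for xml in consumed:
        a = parse_assertion(xml)
        reasons = []
        if a["issuer"] != expected_issuer:
            reasons.append("unexpected issuer")
        if a["id"] not in issued:
            reasons.append("no issuance record at IdP")
        elif issued[a["id"]] != a["subject"]:
            reasons.append("subject differs from IdP record")
        if a["not_after"] - a["not_before"] > max_lifetime:
            reasons.append("lifetime exceeds IdP policy")
        if reasons:
            findings[a["id"]] = reasons
    return findings


if __name__ == "__main__":
    for aid, reasons in find_forged(SP_CONSUMED, IDP_ISSUED).items():
        print(aid, "->", "; ".join(reasons))
```

The correlation only works if the IdP's issuance log is collected somewhere the attacker cannot edit, which is the same reason the token-signing key itself should live in an HSM rather than in the federation server's configuration database. On the constructed data only _forged01 is reported, for both the missing issuance record and the oversized lifetime.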

Mitigation strategies

MFA is of course a must-have and should be relied upon to protect access to sensitive sites and apps. It is powerful against basic attacks, including mass phishing campaigns, and protects very well against credential stuffing and password reuse. Deploying best-in-class options, such as device management and, ideally, U2F/FIDO2 security keys whose signatures are bound to the real site's origin and therefore cannot be relayed by a phishing proxy, will go a long way against most credential attacks.

Sure, MFA is great. But hackers have upped their game and adapted. They now factor MFA into their strategies and have come up with multiple inventive workarounds. Not to mention that a compromised device lets hackers bypass MFA purely and simply, even with U2F in place, since malware on the endpoint simply uses the session after the key has done its job.

Reliance on MFA should therefore not generate a false sense of confidence in an organization. It cannot be a substitute for maintaining vigilance and developing a cybersecurity culture.