How Multi-factor Authentication (MFA) can be Breached


Multi-factor Authentication (MFA) is a must. There is no doubt it is one of, if not the, most important access security recommendations for businesses to implement, as it provides a crucial layer in preventing a breach. However, it is not bullet-proof, and unfortunately threat actors will always look for a way around this layer of security.

How can MFA be compromised?

  1. Phishing – Attackers can use sophisticated phishing techniques to trick users into providing their MFA codes. For example, a user might be redirected to a fake login page where they enter their password and then MFA code, which the threat actor will capture in real time to gain access.
  2. Man-in-the-Middle (MitM) Phishing – Threat actors can use tools which act as a proxy between the user and legitimate service. The tool then intercepts both the password and the MFA token, allowing the threat actor to authenticate.
  3. Vishing – Voice phishing, where the threat actor calls pretending to be from a legitimate organisation and manipulates the recipient into revealing their MFA codes.
  4. Man-in-the-Browser (MitB) Attacks – Browser-based malware on the user’s device can intercept and manipulate web traffic, capturing MFA codes as they are entered or automatically submitting those codes to the threat actor.
  5. SIM Swap Attacks – Threat actors can trick or bribe telecom company employees into transferring a victim’s phone number to a SIM card controlled by a threat actor. This allows the threat actor to receive SMS-based MFA codes to gain access to known accounts.
  6. Credential Stuffing – In a minority of cases, where MFA tokens are reused or predictable, the threat actor will use stolen credentials from data breaches to attempt access and take advantage of the weak MFA implementation.
  7. MFA Bombing – Threat actors can repeatedly send MFA requests to a user’s device, hoping that the user will eventually approve one of the requests out of frustration or confusion.
  8. Exploitation of Weak MFA methods – SMS and email-based MFA are considered weak forms of MFA simply because SMS can be intercepted and email accounts can be compromised, thus giving threat actors access to MFA codes.
  9. Brute forcing MFA codes – If MFA is not set to lock out after multiple failed attempts, the threat actor will simply brute force the code.
  10. Token Theft – Threat actors can steal session tokens or cookies from a compromised device to bypass MFA.
  11. Software Bugs and Vulnerabilities – Vulnerabilities in the MFA implementation or the application itself can be exploited by the threat actor to bypass MFA.
  12. Compromised MFA Providers – Although extremely rare, if the MFA provider itself is compromised, threat actors can gain access to MFA codes and authentication data.
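
To show what the lockout from item 9 looks like on the verifying side (and why a code should only ever be accepted once, which also addresses the reuse problem in item 6), here is an added example that is not code from the original post. It implements RFC 4226 HOTP / RFC 6238 TOTP with the Python standard library and wraps it in a verifier that refuses attempts after a number of failures, rejects a code that has already been consumed, and allows one time step of clock skew. The secret is the well-known RFC 4226 test-vector key and the user name, thresholds and window sizes are assumptions for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

DIGITS = 6             # code length
STEP = 30              # TOTP time step in seconds (RFC 6238 default)
SKEW_STEPS = 1         # accept one step either side to tolerate clock drift
MAX_FAILURES = 5       # failed attempts before the account is locked (assumed policy)
LOCKOUT_SECONDS = 300  # how long a lockout lasts (assumed policy)

# Constructed demo secret: the RFC 4226 test-vector key. Never use it for real accounts.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now // step))


@dataclass
class UserState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # Unix time until which attempts are refused
    last_counter: int = -1     # highest time-step counter already consumed


class MfaVerifier:
    """Verifies TOTP codes with failure lockout and one-time use of each code."""

    def __init__(self, secrets: dict):
        self.secrets = secrets   # user -> shared secret bytes (hypothetical store)
        self.state: dict = {}    # user -> UserState

    def verify(self, user: str, code: str, now: float) -> str:
        st = self.state.setdefault(user, UserState())
        if now < st.locked_until:
            return "locked"      # refuse without even checking the code
        counter = int(now // STEP)
        for c in range(counter - SKEW_STEPS, counter + SKEW_STEPS + 1):
            # constant-time comparison so response time does not leak matching digits
            if hmac.compare_digest(hotp(self.secrets[user], c), code):
                if c <= st.last_counter:
                    return "replay"  # a code that was already accepted cannot be used again
                st.last_counter = c
                st.failures = 0
                return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.failures = 0
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"


if __name__ == "__main__":
    verifier = MfaVerifier({"alice": DEMO_SECRET})
    now = 1_700_000_000
    print(verifier.verify("alice", totp(DEMO_SECRET, now), now))  # ok
```

The lockout check runs before the code is even compared, so once a user is locked a correct code is refused too; a real deployment would additionally alert on the lockout event, since a genuine user rarely fails five times in a row.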


Mitigation Strategies

Here are some ways, though by no means an exhaustive list, to help protect against these various forms of attack:

  • Security Awareness Training for users, so they are well educated in spotting suspicious emails and code requests, especially when the request is received at a time when the user is not attempting to access the service.
  • Where possible, use stronger MFA methods, such as app-based authenticators, biometric factors or hardware tokens, over SMS or email-based MFA. Note that some services only support the latter methods.
  • Conditional access policies that restrict how users can log in to applications such as Office 365, for example by the location of sign-in attempts, session time limits, etc.
  • Only allow logins from trusted devices, which goes hand in hand with the above.
  • As always, ensure systems and MFA solutions are kept updated to protect against vulnerabilities.
  • Deploy endpoint protection, network monitoring and threat intelligence to monitor unusual activity and patterns for MFA requests and to bolster overall security.
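
As an illustration of the last point, monitoring MFA request patterns, here is an added example that is not code from the original post. It runs two simple heuristics over a constructed MFA log: a flood of push prompts to one user within a short window (the MFA bombing pattern from item 7 above) and an approval that follows several denials or timeouts, which is the moment a worn-down user gives in. The log format, field names, thresholds and user names are all assumptions; real MFA providers export their own schemas, so the regular expression would be adapted to that.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds for the two heuristics (assumed values; tune to the environment).
PROMPT_THRESHOLD = 5           # push prompts to one user within WINDOW
WINDOW = timedelta(minutes=2)
DENIALS_BEFORE_APPROVAL = 2    # approval after this many denials/timeouts is suspicious

# Hypothetical key=value log format; adapt the pattern to the real provider's export.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    "2024-10-31T09:11:58Z user=alice event=password_ok result=ok ip=203.0.113.10",
    "2024-10-31T09:12:00Z user=alice event=mfa_push result=denied ip=203.0.113.10",
    "2024-10-31T09:12:15Z user=alice event=mfa_push result=denied ip=203.0.113.10",
    "2024-10-31T09:12:30Z user=alice event=mfa_push result=timeout ip=203.0.113.10",
    "2024-10-31T09:12:45Z user=alice event=mfa_push result=denied ip=203.0.113.10",
    "2024-10-31T09:13:00Z user=alice event=mfa_push result=denied ip=203.0.113.10",
    "2024-10-31T09:13:20Z user=alice event=mfa_push result=approved ip=203.0.113.10",
    "2024-10-31T09:14:00Z user=bob event=mfa_push result=approved ip=198.51.100.7",
]


def parse(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_mfa_bombing(lines):
    """Return (user, alert_type, count) tuples for push-fatigue patterns in the log."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of push prompts inside WINDOW
    denials = defaultdict(int)    # user -> denials/timeouts since the last approval
    flooded = set()               # users already reported for a prompt flood

    for raw in lines:
        ev = parse(raw)
        if ev is None or ev["event"] != "mfa_push":
            continue
        user = ev["user"]

        # Sliding window of prompt timestamps per user.
        window = recent[user]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > WINDOW:
            window.popleft()

        if ev["result"] in ("denied", "timeout"):
            denials[user] += 1

        if len(window) >= PROMPT_THRESHOLD and user not in flooded:
            flooded.add(user)
            alerts.append((user, "push_flood", len(window)))

        if ev["result"] == "approved":
            if denials[user] >= DENIALS_BEFORE_APPROVAL:
                alerts.append((user, "approved_after_denials", denials[user]))
            denials[user] = 0   # an approval ends the current episode

    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_bombing(SAMPLE_LOG):
        print(alert)
```

On the sample log this reports alice once for the prompt flood and once for approving after five refusals, and nothing for bob; the second alert is the one worth paging on, because it means a session was very likely granted to someone other than the user.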


To summarise

Whilst MFA is one of the best and most effective ways to enhance your security posture, understanding the various compromise methods and implementing further layers of defence all help to reduce the likelihood and impact of these types of attacks.
