How can MFA be compromised?
- Phishing – Attackers can use sophisticated phishing techniques to trick users into providing their MFA codes. For example, a user might be redirected to a fake login page where they enter their password and then MFA code, which the threat actor will capture in real time to gain access.
- Man-in-the-Middle (MitM) Phishing – Threat actors can use tools which act as a proxy between the user and legitimate service. The tool then intercepts both the password and the MFA token, allowing the threat actor to authenticate.
- Vishing – Voice phishing, where the threat actor calls pretending to be from a legitimate organisation and manipulates the recipient into revealing their MFA codes.
- Man-in-the-Browser (MitB) Attacks – Browser-based malware on the user’s device can intercept and manipulate web traffic, capturing MFA codes as they are entered or automatically submitting those codes to the threat actor.
- SIM Swap Attacks – Threat actors can trick or bribe telecom company employees into transferring a victim’s phone number to a SIM card controlled by a threat actor. This allows the threat actor to receive SMS-based MFA codes to gain access to known accounts.
- Credential Stuffing – In a small number of cases, where MFA tokens are reused or predictable, the threat actor can use credentials stolen in data breaches to attempt access and take advantage of the weak MFA implementation.
- MFA Bombing – Threat actors can repeatedly send MFA requests to a user’s device, hoping that they will eventually accept one of the codes out of frustration or confusion.
- Exploitation of Weak MFA methods – SMS and email-based MFA are considered weak forms of MFA simply because SMS can be intercepted and email accounts can be compromised, thus giving threat actors access to MFA codes.
- Brute forcing MFA codes – If MFA is not set to lock out after multiple failed attempts, the threat actor will simply brute force the code.
- Token Theft – Threat actors can steal session tokens or cookies from a compromised device to bypass MFA.
- Software Bugs and Vulnerabilities – Vulnerabilities in the MFA implementation or the application itself can be exploited by the threat actor to bypass MFA.
- Compromised MFA Providers – Although extremely rare, if the MFA provider itself is compromised, threat actors can gain access to MFA codes and authentication data.
Mitigation Strategies
Here are some ways (not an exhaustive list) to help protect against these forms of attack:
- Security Awareness Training for users, so they are well educated in spotting suspicious emails and code requests, especially when the request is received at a time when the user is not attempting to access the service.
- Where possible, use stronger MFA methods, such as app-based authenticators, biometric factors or hardware tokens, over SMS or email-based MFA, although some services only offer the latter.
- Conditional access policies to restrict the ways to log in to applications such as Office 365, including the location of sign-in attempts, session time limits etc.
- Only allow logins from trusted devices, which goes hand in hand with the above.
- As always, ensure systems and MFA solutions are kept updated to protect against vulnerabilities.
- Deploy endpoint protection, network monitoring and threat intelligence to monitor unusual activity and patterns for MFA requests and to bolster overall security.
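As an added illustration (not part of the original article), the following Python script shows the kind of MFA-request monitoring the last point describes, run over a constructed sample log: it flags a user who receives a burst of push prompts (MFA bombing) and an account with a run of failed code entries (brute forcing where no lockout is in place). The log format, field names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA event log (not real data), one event per line:
# timestamp user event result
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice push_sent -
2024-03-01T09:00:20Z alice push_sent -
2024-03-01T09:00:45Z alice push_sent -
2024-03-01T09:01:10Z alice push_sent -
2024-03-01T09:01:50Z alice push_approved -
2024-03-01T10:15:00Z bob code_attempt fail
2024-03-01T10:15:02Z bob code_attempt fail
2024-03-01T10:15:04Z bob code_attempt fail
2024-03-01T10:15:06Z bob code_attempt fail
2024-03-01T10:15:08Z bob code_attempt fail
2024-03-01T11:00:00Z carol push_sent -
2024-03-01T11:00:30Z carol push_approved -
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events

def bursts(events, event_name, result, threshold, window):
    # Return {user: count} for users with >= threshold matching events in a sliding window.
    per_user = defaultdict(list)
    for ts, user, event, res in events:
        if event == event_name and (result is None or res == result):
            per_user[user].append(ts)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past old events
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged

def detect_mfa_bombing(events, threshold=4, window=timedelta(minutes=5)):
    return bursts(events, "push_sent", None, threshold, window)

def detect_code_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    return bursts(events, "code_attempt", "fail", threshold, window)
```

In a real deployment the flagged users would feed an alert or an automatic lockout, and the thresholds would be tuned to the service's normal prompt rate.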
To summarise
Whilst MFA is one of the best and most effective ways to help enhance your security posture, understanding the various compromise methods and implementing further layers of defences all help to reduce these types of attacks.
Author
Richard Huggins
Richard joined us in 1997 as an apprentice IT engineer conducting on-site installations of CAD workstations and Microsoft and Novell network environments. After a brief spell away to travel the world, he returned to work on our helpdesk supporting our CAD customers. In 2007, Richard was promoted to Support Services Manager and worked in this role until 2016 when he decided to acquire new skills and widen his IT industry knowledge and left to work as an Operational Manager for one of the UK’s Top 20 leading Information Security companies. In 2019 Richard once again returned to Symetri as Head of Support and Customer Success to further improve the Symetri customer support experience and is now responsible for the IT Solutions division.