Introduction
In an increasingly digitalised world, implementing MFA as an added layer of protection for online accounts is more important than ever. MFA helps individuals and organisations safeguard their sensitive data against common threats such as phishing and credential stuffing. However, even MFA can be bypassed, so additional measures should be taken to strengthen it.
What is MFA?
MFA is a security control measure that requires users to provide two or more factors of identification before access is granted. This layered approach ensures that even if one factor, like a password, is compromised, additional verification factors are needed before attackers can compromise the account. By implementing MFA, individuals and organisations are able to strengthen their defences against common threats such as phishing and credential stuffing, thereby safeguarding their sensitive data and systems from unauthorised access.
Types of MFA
Factors used in MFA are typically categorised as follows:
- Knowledge Factor (Something You Know): Passwords or passphrases
- Possession Factor (Something You Have): One-time password (OTP) sent to your registered mobile number or from a physical token
- Inherence Factor (Something You Are): Biometric data such as fingerprints or facial recognition
- Location-based Factor (Somewhere You Are): Your current location or the specific network that you are connected to
- Behaviour-based Factor (Something You Do): Pattern recognition or behavioural biometrics used to create a baseline profile to recognise anomalous behaviour. A variety of signals are assessed before access to the system is granted, including the user's typing speed, usage patterns, typical login times and frequency of resource access.
By combining two or more of the above factors, an MFA implementation is achieved.
Common MFA Bypass Attacks
However, having MFA in place does not make your account impervious to attacks. Attackers have been observed evading the additional security provided by MFA through the following common attack methods:
Man-in-the-Middle (MiTM) Attacks
Attackers may position themselves in the middle of the communication between a user and an application to steal sensitive information such as passwords or MFA codes. One common method involves phishing emails, which lure victims into MiTM attacks. These phishing emails typically direct targeted users to a fraudulent login page meticulously designed to impersonate legitimate services familiar to the victims. Unaware of the deception, victims may interact with the fraudulent page, which is connected to the attacker. This enables the attacker to harvest and relay victims' credentials and possibly MFA codes to the legitimate site, gaining unauthorised access to systems and data, while the victim believes they are securely connected to the legitimate service.
The use of open-source tools and frameworks has further amplified the effectiveness of such attacks. These tools streamline the process by automating various stages of the attack, including the crafting of phishing messages, the deploying of necessary infrastructure, and capturing user credentials and session tokens. As a result, even attackers with limited technical expertise can execute sophisticated MiTM attacks and bypass MFA protections, significantly increasing the risk to individuals and organisations.
MFA Fatigue Attack
MFA fatigue attacks are social engineering techniques where attackers exploit human psychology rather than technical vulnerabilities to bypass MFA. These attacks begin with attackers obtaining a victim's login credentials, often through phishing, social engineering, or purchasing them on the dark web. Once they have these credentials, attackers repeatedly trigger MFA push notifications (via SMS, biometrics, or app) to the victim's device. The goal is to overwhelm the victim with these constant requests, hoping they will eventually approve one out of frustration, confusion, or a desire to simply silence the notifications. This allows the attacker to gain access to the account or device even with MFA present. This attack typically exploits lapses in the victim's vigilance through relentless pressure and manipulation.
Session Hijacking/Cookie Stealing
Session hijacking or cookie stealing occurs when an attacker gains unauthorised access to a user's active session. This is achieved by exploiting vulnerabilities across various attack vectors, including web applications, browsers, servers or network infrastructure. Attackers aim to steal session cookies, which are small pieces of data used by websites to identify and authenticate users. These session cookies provide quality of life (QoL) improvements for the user by storing data that remains active until the user logs out. An example of a QoL improvement is when a website stores an active login session so the user is not required to log in again from the same machine. If an attacker successfully steals and uses this session cookie, the MFA protection can be bypassed.
Authentication Code/Token Theft
Many application-based MFA systems generate a set of backup authentication codes should users forget their password, preventing an account lock-out. These authentication codes are created only once and it is the user's responsibility to store them securely. Should these codes be stored in an insecure location or compromised by malware (e.g. infostealers or Remote Access Trojans), they could be exploited by attackers to bypass MFA. The same risk applies to hardware tokens, which, if lost or stored insecurely, can be stolen and used to bypass MFA.
How to Mitigate MFA Bypass Attacks
A layered defence strategy is crucial to effectively counter MFA bypass attacks. This involves a combination of technical controls, user education and proactive security measures. These measures can be implemented at the individual or organisation level and are further detailed below:
For individuals and organisations:
Phishing Resistant MFA
Phishing resistant MFA helps protect against MFA bypass attacks by using public key cryptography to verify user identity and the legitimacy of websites or applications. This eliminates the vulnerabilities of traditional MFA methods like one-time codes and push notifications. This approach, demonstrated via the use of Fast IDentity Online 2 (FIDO2) security keys and passkeys, makes it significantly harder for attackers to bypass MFA through phishing, offering stronger protection against account takeovers and data breaches. By removing the reliance on shared secrets, phishing-resistant MFA provides a more secure and user-friendly authentication experience, especially for those with high-security needs or handling sensitive data.
Use Stronger Authentication Methods
Stronger authentication methods, such as hardware tokens or biometrics, should be chosen over SMS or email codes where possible. This adds complexity for attackers, as it shifts the focus from what the user knows to what the user possesses. Moreover, application-based authentication can include location and device information, allowing users to be alerted to illegitimate login attempts. In contrast, OTP-based authentication via SMS or email can be intercepted or redirected through phishing or social engineering attacks. Additionally, other traditional MFA methods, such as security questions, can be guessed or obtained through similar tactics.
For organisations:
Rate Limiting
Rate limiting is an effective security measure against MFA bypass attacks such as fatigue attacks. By controlling the number of authentication attempts a user can make within a specific time frame, rate limiting can potentially negate automated MFA fatigue attacks. Implementing rate limiting would also help analysts identify suspicious activity, such as an unusually high volume of login attempts approaching the specified threshold.
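One way to implement the rate limit described above, as an added example that is not from the original article: a sliding-window limiter on MFA push prompts per account, which also raises an analyst warning as the count approaches the threshold. The limits, window size and the sample timeline are assumptions.

```javascript
// Added example (not from the original article): sliding-window limit on MFA
// push prompts per user. Defaults (3 prompts per 5 minutes, warn at 2) are assumed.
class MfaPromptLimiter {
  constructor({ maxPrompts = 3, windowMs = 5 * 60 * 1000, warnAt = 2 } = {}) {
    this.maxPrompts = maxPrompts;
    this.windowMs = windowMs;
    this.warnAt = warnAt;
    this.history = new Map(); // username -> timestamps (ms) of prompts sent
    this.alerts = [];         // records handed to the monitoring pipeline
  }

  // Decide whether a new push prompt may be sent to `user` at time `now` (ms).
  request(user, now) {
    // Keep only prompts still inside the window.
    const recent = (this.history.get(user) || []).filter(t => now - t < this.windowMs);
    if (recent.length >= this.maxPrompts) {
      this.history.set(user, recent);
      this.alerts.push({ user, at: now, level: 'blocked', prompts: recent.length });
      return { allowed: false, prompts: recent.length };
    }
    recent.push(now);
    this.history.set(user, recent);
    if (recent.length >= this.warnAt) {
      // Not yet blocked, but worth an analyst's attention.
      this.alerts.push({ user, at: now, level: 'warning', prompts: recent.length });
    }
    return { allowed: true, prompts: recent.length };
  }
}

function demo() {
  const limiter = new MfaPromptLimiter();
  const t0 = Date.parse('2024-01-01T10:00:00Z');
  // Constructed timeline: five prompt requests for one account within four
  // minutes, then one more after the window has elapsed.
  const timeline = [0, 30, 60, 90, 240, 400].map(s => t0 + s * 1000);
  const results = timeline.map(t => limiter.request('alice', t).allowed);
  return { results, alerts: limiter.alerts };
}
```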
User Training
Educating users is critical in defending against MFA bypass attacks. It begins with raising awareness about the different tactics attackers use to trick victims into divulging MFA codes or credentials. Users should also be trained on best practices for managing their MFA tokens, which includes securing their devices and promptly reporting any lost or stolen tokens. Establishing clear protocols enables users to know when and how to report potential threats. Regular training sessions and simulated phishing campaigns can reinforce these lessons, ensuring that security awareness remains a priority.
Logging and monitoring suspicious attempts
Comprehensive logging is essential for detecting and analysing potentially suspicious behaviour or activity. By logging various data points, organisations can gain a centralised view of authentication attempts for analysis. Fields such as username, IP address, device information and geolocation data are important data points to log. Monitoring these logs against a set of predefined rules in a centralised Security Incident and Event Monitoring (SIEM) tool can alert analysts of potential MFA bypass attacks, such as an unusually high number of login attempts or multiple MFA requests within a short time frame from different locations worldwide. Additionally, trends can be extrapolated from the logs to help identify anomalous behaviours.
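The "multiple MFA requests within a short time frame from different locations" rule described above, as an added example that is not from the original article: a small detection run over constructed authentication log lines carrying the fields the section lists (username, IP address, device, geolocation). The log format, thresholds and records are assumptions.

```javascript
// Added example (not from the original article). The key=value log format and
// the records below are constructed; IPs come from documentation ranges.
const SAMPLE_LOG = [
  '2024-03-04T09:00:05Z user=alice ip=203.0.113.10 geo=SG device=iphone event=mfa_prompt',
  '2024-03-04T09:00:40Z user=alice ip=198.51.100.7 geo=BR device=win10 event=mfa_prompt',
  '2024-03-04T09:01:10Z user=alice ip=198.51.100.7 geo=BR device=win10 event=mfa_prompt',
  '2024-03-04T09:01:55Z user=alice ip=192.0.2.44 geo=RU device=linux event=mfa_prompt',
  '2024-03-04T09:02:30Z user=bob ip=203.0.113.22 geo=SG device=android event=mfa_prompt',
  '2024-03-04T09:30:00Z user=bob ip=203.0.113.22 geo=SG device=android event=mfa_prompt',
];

// Parse one "<timestamp> k=v k=v ..." line into an object.
function parseLine(line) {
  const [ts, ...kv] = line.trim().split(/\s+/);
  const rec = { ts: Date.parse(ts) };
  for (const pair of kv) {
    const i = pair.indexOf('=');
    if (i > 0) rec[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return rec;
}

// Flag any user who received >= minPrompts MFA prompts inside windowMs from
// >= minCountries distinct countries (thresholds are assumed defaults).
function detectDistributedPrompts(lines, { windowMs = 5 * 60 * 1000, minPrompts = 3, minCountries = 2 } = {}) {
  const byUser = new Map();
  for (const rec of lines.map(parseLine)) {
    if (rec.event !== 'mfa_prompt' || Number.isNaN(rec.ts) || !rec.user) continue;
    if (!byUser.has(rec.user)) byUser.set(rec.user, []);
    byUser.get(rec.user).push(rec);
  }
  const findings = [];
  for (const [user, recs] of byUser) {
    recs.sort((a, b) => a.ts - b.ts);
    for (let i = 0; i < recs.length; i++) {
      // Window anchored at each prompt in turn.
      const win = recs.filter(r => r.ts >= recs[i].ts && r.ts - recs[i].ts <= windowMs);
      const countries = new Set(win.map(r => r.geo));
      if (win.length >= minPrompts && countries.size >= minCountries) {
        findings.push({ user, prompts: win.length, countries: [...countries].sort(),
          ips: [...new Set(win.map(r => r.ip))] });
        break; // one finding per user is enough to raise an alert
      }
    }
  }
  return findings;
}
```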
Conclusion
MFA is a vital security control, but it is not infallible. Nonetheless, having an additional layer of protection such as MFA is better than not implementing it at all. By implementing a multi-layered defence strategy that combines technical controls, user education and proactive security measures, individuals and organisations can significantly reduce the risk of MFA bypass attacks.