Let’s make one thing clear: every organization today should be using multi-factor authentication (MFA) wherever possible.
Even the strongest, most unique password is still just a single form of authentication standing between attackers and business-critical Software as a Service (SaaS) application data. Security measures like MFA can provide an important additional line of defense against adversaries, which is exactly why the U.S. Cybersecurity and Infrastructure Agency (CISA) recommends that MFA is enabled anytime that it’s available.
Still — as CISA points out — not all forms of MFA are created equal, and certain implementations are more secure than others.
Text message MFA via SMS is amongst the weakest options and is susceptible to interception, spoofing, loss of availability and phishing. The forms of MFA that sit “in the middle,” so to speak, are prone to interception and abuse; push notifications can be sent en masse to fatigue users, while one-time password tokens (OTP) can be captured in transit, for example. U2F/WebAuthn hardware security keys and biometric-based forms of authentication, on the other hand, are more secure.
Encouraging users to rely on stronger forms of authentication is only the tip of the iceberg when it comes to promoting better multi-factor security for an organization. There are a number of other settings, from session durations to adaptive access policies, for security teams to consider when tuning their implementations.
Here are some of the techniques that adversaries employ to attempt to bypass MFA measures, as well as guidance on how to prepare and respond to these increasingly common threats.
Attackers can circumvent MFA
Sophisticated attackers are well aware of the vulnerabilities present in weaker MFA implementations and have leveraged a variety of techniques to effectively exploit these gaps. While this is by no means a comprehensive list, the examples below have been particularly notable for their impact in recent newsworthy breaches. Understanding the fundamentals of these attacks can help teams take an adversarial mindset to plan and respond accordingly.
MITM proxy interception
In a man-in-the-middle (MITM) attack, adversaries convince a user to log into their identity provider via infrastructure controlled by the attacker. This typically means bringing the user to a fake login page that closely resembles the real thing. The attacker relays traffic between the end user and the identity provider, capturing login credentials and the session token granted to the user after they provide MFA. This allows the attacker to reuse the same session token as the user to access the SaaS application.
In a MFA fatigue attack, an adversary with compromised user credentials floods a user’s mobile device with an overwhelming number of push notifications prompting them to approve a multi-factor sign-in. The objective here is really quite simple: “fatigue” the user into accepting this request, giving the attacker unfettered access to the identity provider and every connected SaaS application.
Although MFA via SMS is one of the more popular methods of authentication, it’s highly susceptible to a variety of attacks —including a technique known as SIM hijacking. In this scenario, an attacker already privy to some of the victim's personal information uses social engineering to convince a mobile carrier to swap their SIM to a new device. With newfound access to their phone number and associated text messages, the attacker can easily authenticate with a valid MFA code sent directly to their device.
Best practices for MFA
Especially when it comes to combatting some of the malicious techniques explored above, the implementation of MFA on an organizational level is critical. There are several best practices security teams can follow to strengthen their organization's defenses:
- Ensure that MFA is deployed for all accounts in the organization.
- Suggest against or altogether disable weaker MFA methods, opting instead for more secure factors like hardware security keys.
- Explore policies that throttle bulk actions to deter brute force attacks and excessive push notifications associated with MFA fatigue attacks.
- Consider adding administrative review to the enrollment of new MFA devices. A quick double check can make a difference when ensuring the validity of these requests.
A well-built MFA implementation is an incredibly valuable initial line of defense against a majority of malicious attempts against an organization. Still, at the end of the day, it’s important to remember that MFA is exactly that: a strong initial deterrent.
So yes, use MFA wherever possible, but always be conscientious about how it’s implemented, stay vigilant about the techniques that adversaries are employing to get around it, and remember that MFA is good — but it’s not always enough.