Recent surveys indicate nearly 74% of organizations plan to increase their spending on multifactor authentication (MFA) initiatives. That’s a good thing, given that about 80% of security breaches are the result of credential theft. MFA adds a few additional layers of credentials to the authentication process, such as device tokens, OTPs (one-time passwords), and/or biometrics. This way, attackers can’t launch an attack simply through hacked passwords. 

Having said that, MFA is not inviolable. You can’t just deploy MFA and walk away. With a few extra tricks and steps, sophisticated threat actors can circumvent MFA. Below are a few common MFA pitfalls attackers can take advantage of:

• Attackers can steal “what you have”

MFA often involves a “what you have” factor, in addition to passwords. For instance, it can be paired with a mobile device or a phone number through which users receive their passcodes. If someone’s device is stolen or the victim of a SIMcloning attack, the attacker may gain access to the other critical piece needed to impersonate the owner and access their personal accounts and work-related apps unabated. The attacker can gain an entry point to corporate networks and move laterally across the network as an authenticated user. 

• MitM (man-in-the-middle) attacks bypass MFA

MitM attacks are those in which malicious actors intercept the victim’s network connection to sniff their data. They can capture the OTP in transit and replay it as-is to authenticate as legitimate users. They can also steal session cookies and hijack a session right after users authenticate themselves via MFA. From there onwards, the attackers enjoy all the privileges of their victims. 

•      Anti-MFA phishing attacks are on the rise

Attackers often get around sophisticated cyber controls through phishing and highly targeted spear-phishing. For instance, a proof-of-concept phishing technique sparked a discussion earlier this year. It used a phishing email to lure unsuspecting employees into clicking a seemingly legitimate login link that would, in fact, launch a remote session and redirect the victim to the attacker’s browser. The victim would then enter MFA credentials on the log-in page opened in the attacker’s browser. After that, the attacker could cut off the remote session and assume control of the victim’s account. 

Another phishing technique involves sending excessive push notifications to the victim’s device to create MFA fatigue. The user, getting irked by the constant prompts, bypasses the MFA and unknowingly grants access to the attackers. 

• MFA isn’t vulnerability-proof

Like all software, MFA solutions and products are prone to unknown zero-days and unpatched vulnerabilities. For instance, attackers have notoriously exploited the self-enrollment process of applying MFA to Microsoft Azure AD. They simply compromise account credentials and enroll their own devices before legitimate users can. This way, they assume complete control of the victim’s Office365 accounts. 

How Organizations Can Overcome MFA Limitations

Organizations need MFA as part of their cybersecurity strategy. But relying on it as a panacea would be a grave mistake. Organizations still need a comprehensive cybersecurity strategy in addition to a robust technology stack to combat and mitigate threats when MFA fails. 

Here are a few strategies organizations can implement to improve their security posture in the wake of anti-MFA attacks:

• Adopt Phishing-Resistant MFA

Phishing-resistant MFA overcomes most, if not all, flaws and limitations of legacy MFA. Instead of sending secret passwords or OTPs over a network connection, where attackers can simply intercept and replay them, it verifies the user locally through well-implemented public-key cryptography. 

Organizations can choose solutions that incorporate a biometric factor into the authentication process. Even if an attacker gains access to a verified device, the additional biometric verification adds another layer of protection against unauthorized access. Bear in mind that even sophisticated MFA solutions are prone to zero-days and insider attacks. 

• Implement a Zero-Trust Strategy

A zero-trust policy is based on the principle: trust no one; verify everyone. It implements the principle of least privilege, which means users can only access the data and resources they absolutely need to perform their jobs. A zero-trust strategy mitigates the risks associated with MFA hacks by preventing attackers from laterally moving across the network to access other critical assets.

Zero-trust solutions utilize contextual awareness and telemetry data for continuous authentication of users even when they are already inside the corporate network. It means, if an attacker manages to compromise MFA or a malicious insider initiates suspicious activities, the zero-trust model will evaluate their access requests based on contextual data, such as device posture, location, user’s typical behavioral patterns, and more. It will only be a matter of time before network monitoring generates alerts. 

• Conduct Cybersecurity Awareness Training

Employees' cybersecurity awareness must be an integral, ongoing part of organizations’ overall cybersecurity strategy. With increasing MFA fatigue that compels employees to overlook or get around security policies, it is necessary to educate them about the gravity, prevalence and implications of modern-day cyber threats and the necessity of these seemingly excessive security measures and strict acceptable use policies (AUP).

Phishing has to be one of the most common attack vectors used to bypass MFA. Luckily, even the most legitimate-looking spear-phishing emails will have dead giveaways such as an urgent call-to-action or mismatched URLs. It should become routine for all employees to suspect each email and take safety precautions such as double-checking the sender and verifying URLs. Organizations can achieve such vigilance through continuous training and unannounced simulated phishing exercises. 

MFA is essential. Nevertheless, security teams cannot dismiss the idea of a highly motivated threat actor compromising even the most sophisticated MFA system. Instead of looking for a panacea, organizations need a comprehensive, multi-layered security program that relies on zero-trust access and well-aware, well-trained employees who understand the stakes and act responsibly.