Many see multi-factor authentication (MFA) as one of – if not the – most crucial security defenses in existence. Deploying MFA means you require more than one authentication factor to identify a user, so if one factor is compromised, there is a second or even third token standing between attackers and your company data. While strong authentication truly is the cornerstone of good security, it’s important to note that there’s no such thing as a silver bullet in this industry and that cybercriminals have found ways to bypass MFA protections. In fact, CISA recently reported
several successful cyberattacks that cleverly circumvented MFA to compromise multiple organizations’ cloud solutions.Deploying MFA means you require more than one authentication factor to identify a user.Courtesy of BigStock.com — Copyright: wwwebmeister
So, what are the top tactics hackers use to bypass MFA and what can you do to stop them? Let’s start by taking a closer look at the various approaches to authentication, along with some of the most popular techniques to bypass them.
- SMS: Since most mobile phone users always have their device on or near their person, SMS text messaging is one of the most commonly used MFA technologies. Though convenient, it is one of the least secure options. In 2016, the National Institute of Standards and Technology (NIST) issued a guideline that warned against using SMS as a factor of authentication, citing examples of endpoint compromise and social engineering attacks to show how easily malicious actors can intercept, phish, and spoof text messages. “SIM swapping” is a popular trick attackers use to bypass SMS-based MFA. In a SIM swap scam, a hacker impersonates the target to dupe a wireless carrier employee into porting the phone number associated with their SIM card to a new (malicious) device. Following the migration, the hacker can intercept any two-factor authentication codes sent by text message. Authenticator application solutions can help prevent SMS hijacking and SIM swapping bypass techniques.
- ·One-Time Passwords (OTPs): OTPs are another widely used authentication token and can be compromised through social engineering as well. Someone with your stolen credential could call and convince you to speak the OTP shown in your token or use a phishing attack to lure you to a fake login webpage so you’ll enter your credentials – including your OTP – for that account. Anti-phishing tools and user education are some of the best ways to prevent these MFA bypass tactics. Another effective protection is to make sure your OTP solution is time-based. Once generated, you can use event-based OTPs at any time (as long as it’s the same order they’re created), meaning attackers can bypass them using less sophisticated attacks.
- USB Tokens: USB/FIDO2 tokens are an increasingly popular solution for password-less initiatives. Some criticize USB tokens for being expensive, arduous to deploy and manage, and “one more thing to carry.” But they can offer a reasonable user experience by replacing passwords (though things can get tricky when used with smartphones). Of note, using USB tokens to replace passwords entirely is not MFA – it’s 1FA, which carries the same risks as passwords as a single form of authentication. Anyone with that token can get access to the computer it’s intended to authenticate. You should always leverage at least two authentication factors – in this case by using PINs or biometrics alongside USB tokens.
- Mobile Push: Mobile push MFA is an evolution of SMS authentication that doesn’t depend on carrier data and can also work via Wi-Fi. It’s arguably the most secure route we’ve covered here because it directly connects to the application receiving the push information. Mobile push can deliver a better user experience too since the user can simply approve or deny access when prompted. But there is the chance a malicious actor could use social engineering tactics to convince your users to approve an unsolicited push. To keep this from happening, make sure the mobile push solution you adopt shows the request’s location of origin and which resource needs access approval, specifically. This serves to both help the user verify requests they’ve initiated themselves and detect and block malicious attempts to gain unauthorized access.
Independent of which authentication technology you use, implementation flaws and misconfigurations can lead to successful MFA bypass attacks. That said, there are also more complex scenarios worth noting as well.
The “pass-the-cookie” attack covered in the aforementioned CISA report is one such example, and here’s how it works. Once a user authenticates, their browser creates a cookie to remove the need for constant re-authentication. The cookie usually remains valid for just that session or a very short period. Depending on the implementation, an attacker could steal a cookie to access your services without reauthenticating.
Even worse, after a first authentication, some desktop applications create a long-lived “token” (not to be confused with the authentication token), allowing users to access the application for months before they require reauthentication. To prevent the risk of sustaining a pass-the-cookie attack, reduce the lifetime of those cookies or tokens (without forcing users to reauthenticate multiple times per day).
Rising to prominence after the recent SolarWinds hack, the “Golden SAML” attack is another example of a complex MFA bypass tactic. SAML allows employees to use single sign-on (SSO) for multiple applications by creating a trust relationship between them and the Identity Provider. This is very useful, especially if you use MFA within the Identity Provider. However, if an attacker gains admin access to the Identity Provider server and accesses the private key, it’s game over. They can use that stolen key to sign the SAML response and force the Identity Provider to allow authentication even if the credentials are wrong. So, if you are implementing SAML, make sure your private keys and access to the server are highly protected.
The Massive Role of MFA Plays in Modern Security
In the wake of the global pandemic, zero-trust and remote work security have become major business priorities. Identifying the users accessing your valuable data and resources is the first step toward succeeding in these efforts. In fact, according to a recent Gartner report, companies without MFA protection for remote access will experience five times more account takeover incidents.
The days when businesses could afford to think of MFA as an option rather than a requirement are over. At the same time, it’s important to understand that MFA isn’t perfect. If you’re just starting to explore or reexamine MFA, carefully weigh the available options against your unique deployment and risk profile and remember that a tool is only as effective as the manner and context in which you use it. Correctly implementing your MFA deployment is vital, but don’t forget to prioritize a layered approach to security with additional protections, as well as user education and training.
Alexandre Cagnoni, is the Director of Authentication at WatchGuard Technologies. He is the Product Manager for Authentication solutions, focused on Cloud Multi-Factor Authentication solution from WatchGuard, and Datablink business for Brazil and APAC. About the author: Alexandre Cagnoni, is the Director of Authentication at WatchGuard Technologies. He is the Product Manager for Authentication solutions, focused on Cloud Multi-Factor Authentication solution from WatchGuard, and Datablink business for Brazil and APAC, helping to build up the authentication strategy and vision and delivering the best of breed technology to partners and customers. With almost 25 years of experience working in the cybersecurity and authentication market, user authentication and identity protection have always been my passion. Helped to plan and deploy millions of authenticators for banks and enterprises, as well as transaction signing technologies. My ultimate goal is to see customers happy with the technology and protect against identity theft, with solutions that are secure and intuitive.