How MFA is hacked – and strategies to prevent it

The security benefits of multifactor authentication (MFA) are well known, yet MFA continues to be ineffective, sporadic, and inconsistently implemented, worrying business security managers and their users. In general, MFA users are overloaded with workflows with additional features, which is one of the many obstacles to their continued success.

And regular news stories detailing new ways to bypass MFA don’t help, like the recent news of a phishing attack by a North Korean state-sponsored group targeting Microsoft 365 installations for small businesses. In 2022, we saw Okta hit by a series of attacks that stole its GitHub source code to infect its supply chain, steal user information in two separate attacks, and compromise its support portal. Being an authentication broker, and providing less-than-stellar transparency about what happened in each of these events, shows how difficult it is to use MFA correctly.

But it’s not all gloom and doom. MFA methods have become easier to use, due to the increasing popularity and sophistication of passwordless methods. The post-pandemic diaspora – and US President Biden’s Executive Order of 2021 to Improve National Cybersecurity and MFA mandates in 2021 by Google for all its employees, and recently Microsoft’s login Azure – help promote IT operations to strengthen its workforce. authentication practice, and promote complete and continuous authentication across applications. According to some research, two-thirds of regular users use MFA methods regularly, and the number of administrators who protect their logins has increased to 90%.

In 2023 KnowBe4 survey of 2,600 IT professionals reveals significant differences in security practices between large organizations and small to medium-sized organizations. While only 38% of large organizations do not consider using MFA to protect their user accounts, 62% of small to medium sized organizations do not use any MFA.

Notable methods of MFA threat

Before we discuss the most common hacking techniques, let’s first talk about the most notable recent MFA failures. They usually fall into one of three general threat categories:

1. MFA fatigue or bombing it involves sending multiple authorization requests, usually via SMS push messages, until the user accepts the request and grants access to the attacker, like what happened to Uber in 2022. Ironically, the more an organization uses MFA, the more likely an attack of MFA fatigue will be successful. Jennifer Golden of Cisco’s Duo wrote in a 2022 blog post that “we have reached a point with MFA where adversaries are motivated to work for this control.”
2. Attackers also use a combination of social engineering and phishing attacks disrupting the overall workflow and tricking users into giving up their MFA tokens. Changes in user behavior, such as post-pandemic remote use and events like the Olympics, are often exploited by bad actors. Arctic Wolf wrote in a recent blog, “Using social engineering and MFA fatigue attacks can be effective against threat actors, as it creates a false sense of trust.”
3. Targets non-MFA users and apps with weak passwords it is another common form of threat. While MFA detection has improved, it is still far from universal, and attackers rely on finding those vulnerable locations and users to target their efforts accordingly. As an example, a few years ago Akira ransomware threat actors were breaking into organizations using Cisco VPNs that were not configured for MFA, where they could use brute force to obtain user information. Going back to the 2021 colonel pipeline attack, analysts found that it was caused by compromising the password used in a legacy VPN that did not use any MFA. And perhaps the most enduring application in the poor password department is a feature found in Cisco’s network switch that continues to be exploited, despite warnings from the company going back to this 2017 blog post.

Common MFA attack methods

Although there is no cure for MFA weakness, there are generally three stages of MFA attacks.

1. Poor mobile security. Cell phones are an important gateway to corporate networks, and attackers use a variety of methods, such as SIM swapping. This is where an attacker can convince a customer service employee at a telecommunications provider that they are the legitimate owner of the phone and then use SMS to access verification messages. There are other methods, such as attacking the networks of the mobile phone providers themselves.
2. Broken MFA authentication workflow. The average modern workflow is complex: users can access an application through a web portal, a smartphone application, or through an application interface. They can connect through different endpoints, through a local network or VPN, using different operating systems. That means MFA testing must take this bag of conditions into account, and the potential for supply chain issues and man-in-the-middle or man-in-the-browser attacks to tamper with MFA codes is high.
3. Cookie attacks are vulnerable, such as pass-the-cookie and stolen-time cookies. This happens because many websites do not implement session inactivity time limits, thus giving attackers the ability to bypass MFA by using these stolen cookies. KnowBe4 has an extensive presentation slide deck that goes into more detail.

Strategies to stop MFA attacks

Given all these exploits, MFA requires tender loving care and attention to detail to deliver security assets. Of course, there is no excuse for delivering a poor user experience, especially given the better tools available. Here are a few suggestions to ensure that your MFA strategy will be successful.

First, understand the resources you want to protect from harm. “For example, cyber-threat actors often target email systems, file servers, and remote access systems to gain access to organizational data, as well as attempt to compromise identity servers such as Active Directory, which would allow them to create new accounts or manage user account,” according to this CISA fact sheet.

CISA recommends that you consider systems that support FIDO protocols for early adopters of MFA protection. This includes using hardware keys for more sensitive applications. The FIDO Alliance has published a series of white papers on how businesses can best use these methods, and RSA has this deep dive on the topic worth checking out as well.

Next, all authentication should be risk-based and automatically increase security requirements based on what users are doing at any given time. The old ways of using a single access control when a user logs in need to be changed accordingly. There are a number of authentication products that include MFA in their flexible authentication processes.

A complementary piece to this should be a careful assessment of access rights. IT security personnel should “ensure that employees only gain access to the limited data necessary to fulfill their job responsibilities,” wrote Security Uncommon in a blog post. Generally, users are granted access without auditing or curtailment of these rights.

All these points should be part of the MFA workflow analysis, which is not really new. Akamai’s Gerhard Giese points this out in a 2021 blog post, when he talks about how MFA doesn’t always block data entry. He says IT managers should “re-examine your authentication workflow and login screens to make sure an attacker can’t uncover valid credentials by probing the web server response and implement a bot management solution to make sure you’re not making things easy for the bad guys.”

One aspect that seems to have been historically overlooked is the password reset process, which is why it is a common target for attackers. “It’s surprising how many websites don’t have a second layer of authentication in their 2FA password reset process, or, they offer MFA but don’t force users to use it,” Mitnick Security said in a blog post from April.

Finally, you should research and find users who are likely to be high value targets. “Every organization has a small number of user accounts with additional access or privileges, which are very important to cyber threat actors,” CISA wrote in its report. Examples include IT and systems managers, labor lawyers and HR managers. Consider these groups the first phase of your MFA project release.

MFA technology should be part of an enterprise’s critical security infrastructure. The latest attack, along with calls from experts across government and the private sector, should provide more impetus for smart spending.