Organizations must implement effective account protection measures or put themselves at heightened risk of data breaches and other serious cyber attacks, such as ransomware injections. Multi-factor authentication (MFA) is a crucial component of any organization’s cybersecurity program. 

MFA adds an additional layer of security, helping prevent hackers from gaining unauthorized access to sensitive data. While MFA is an effective defense mechanism, cybercriminals are becoming increasingly sophisticated in their attack methods. 

There are many ways hackers can bypass MFA to carry out devastating cyber attacks – and this list is growing. This article outlines the ways hackers can exploit MFA and how to protect your organization’s sensitive data from such attacks.

What is Multi-Factor Authentication?

Multi-factor authentication (MFA) is an account protection method where users must provide two or more different factors of authentication to access an account or other internal system. MFA is more secure than traditional single-factor authentication (SFA), which only requires one set of login credentials, usually a username and password. Two-factor authentication (2FA) is a subset of MFA, where exactly two factors of authentication are required.


Understanding how MFA works requires a broader understanding of the concept of authentication. In an identity access management (IAM) framework, authentication factors are security mechanisms used to prove a user is who they claim to be before they’re allowed access to privileged information.

There are three types of authentication factors, including:

  1. Knowledge factor (something you know): e.g., a one-time password (OTP), a personal identification number (PIN)/passcode, an answer to a security question.
  2. Possession factor (something you have): e.g., a fob, a hardware token, a security key, an endpoint, such as a mobile phone, that can receive push notifications or text messages.
  3. Inherence factor (something you are): e.g., biometrics, such as fingerprints, facial recognition, retina scan, voice recognition.

MFA requires users to prove at least two of these factors to verify their identity.


How Does MFA Protect Organizations?

Authentication acts as an additional barrier between cybercriminals and sensitive data. Relying on single-factor authentication (SFA) means threat actors can easily exploit attack vectors, such as leaked or reused passwords, to hack into corporate accounts.

For example, Verizon’s 2022 Data Breach Investigations Report found that 43% of reported business email compromise attacks involved the use of stolen credentials against the victim organization. With MFA, even if a hacker steals a password, they still need to provide at least two additional factors of authentication before gaining access – a requirement they are not as likely to meet.

While MFA may discourage amateur cybercriminals from attempting further compromise, more skilled hackers bypass MFA requirements using several tactics. Organizations should be aware of these different methods to provide the most effective defense against attacks of this nature. 

How Cybercriminals Can Bypass Multi-Factor Authentication

Below are six common ways cybercriminals can bypass MFA. Hackers can also use these methods to bypass two-factor authentication. 

1. Social Engineering

Social engineering involves tricking a victim into revealing privileged information that can be leveraged in a cyber attack. This attack method is most commonly used when the attacker has already compromised a victim’s username and password and needs to bypass additional authentication factors.


Phishing is one of the most common social engineering tactics used to obtain authentication factors. In a phishing attack, a cybercriminal poses as a reputable source and tricks an email recipient into divulging sensitive information or clicking a malware-infested link in the email, so that the recipient unknowingly helps compromise their own account.

For example:

  • A cybercriminal obtains an employee’s login credentials for an organization’s SaaS vendor and attempts to log in to the service, prompting SMS verification. 
  • The hacker poses as the vendor and emails the employee, requesting the verification code for account confirmation. 
  • The employee falls for the scam and replies to the email with the SMS code, allowing the hacker to compromise their account. 

If directly bypassing MFA isn't an option, the cybercriminal could also send a phishing email to obtain personal information about the employee, which could be used for over-the-phone verification. For example:

  • The hacker tricks the employee into sending basic personal details via email. 
  • The hacker calls the service provider’s customer support, claiming to be locked out of their account.
  • After verifying a few personal details, the hacker is able to trick the vendor into granting them access to the employee’s account. 


2. Consent Phishing

Open authorization (OAuth) is used by many applications to request limited access to a user's account data. For example, a third-party app can request access permissions to a user’s Google calendar through OAuth, without requesting the user’s password or full access to their Google account.

Through a modern attack method called consent phishing, hackers can pose as legitimate OAuth login pages and request whichever level of access they need from a user. If granted these permissions, the hacker can successfully bypass the need for any MFA verification, potentially enabling a full account takeover.

3. Brute Force

Hackers carry out brute force attacks by trying different password combinations until they get a hit. The success of these attacks in bypassing MFA relies on the use of basic password combinations as an authentication factor, such as a temporary 4-digit PIN, which is easier to crack than a complex alphanumeric combination. 

If successful, the hacker has compromised an authentication factor, moving them one step closer to compromising the account. 


4. Exploiting Generated Tokens

Many online platforms rely on the use of authentication apps, such as Microsoft Authenticator and Google Authenticator, to generate temporary tokens for use as authentication factors. 

As a backup, these platforms often provide users with a list of manual authentication codes to avoid account lock-outs.

If this list is printed out or saved in an unsecured digital location, a cybercriminal could obtain it through physical theft or by exploiting poor data security practices, and then use it to compromise the victim’s account.

5. Session Hijacking 

Session hijacking (or cookie stealing) occurs when a cybercriminal compromises a user’s login session through a man-in-the-middle attack. Session cookies play an important role in UX on web services.

When a user logs into an online account, the session cookie contains the user’s authentication credentials and tracks their session activity. The cookie remains active until the user ends the session by logging out.

Session hijacking is possible when a web server doesn’t flag session cookies as secure. If users don’t send cookies back to the server over HTTPS, attackers can steal the cookie and hijack the session, bypassing MFA.
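The check below is an added example, not part of the original article: it audits recorded Set-Cookie headers for session cookies that lack the Secure flag described above. The cookie names, hostnames and sample headers are constructed for illustration, and the HttpOnly check goes one step beyond what the article covers.

```python
from urllib.parse import urlsplit

# Assumed session-cookie names; adjust to the application under review.
SESSION_NAMES = {"sessionid", "sid", "jsessionid", "phpsessid"}

# Constructed sample: (URL, Set-Cookie value) pairs as a proxy or crawler might record them.
SAMPLE_RESPONSES = [
    ("https://app.example.test/login", "sessionid=9f2c; Path=/; HttpOnly"),
    ("https://app.example.test/login", "theme=dark; Path=/"),
    ("https://sso.example.test/auth", "sid=71aa; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("http://legacy.example.test/", "JSESSIONID=00ab; Path=/; Secure"),
]

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit(responses, session_names=SESSION_NAMES):
    """Return (url, cookie name, issue) for every weakly protected session cookie."""
    findings = []
    for url, header in responses:
        name, attrs = parse_set_cookie(header)
        if name.lower() not in session_names:
            continue  # preference and tracking cookies are out of scope here
        if urlsplit(url).scheme != "https":
            # The Secure flag cannot protect a cookie that was first sent in clear text.
            findings.append((url, name, "issued over plain HTTP"))
        if "secure" not in attrs:
            findings.append((url, name, "missing Secure"))
        if "httponly" not in attrs:
            findings.append((url, name, "missing HttpOnly"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(*finding, sep=" | ")
```
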


6. SIM Hacking

SIM hacking occurs when a hacker compromises a victim's phone number by gaining unauthorized access to their SIM card. Common techniques include SIM swapping, SIM cloning, and SIM-jacking.

With full control over the victim’s phone number, the hacker can receive and intercept SMS-generated one-time passwords (OTPs) to provide this authentication factor during a hacking attempt.


How to Strengthen MFA

With knowledge of the potential attack vectors cybercriminals use to bypass MFA, your organization can build a defense designed around these methods. Recommended defense techniques are listed below.

  • Avoid the use of short, numerical OTPs where possible, opting instead for a longer alphanumeric combination with upper and lower case characters, which are much harder to crack. 
  • Use biometric authentication as at least one factor of authentication – it’s much harder to bypass a thumbprint than a 4-digit code.
  • Create complex passwords, as cybercriminals can easily brute force simple passwords.
  • Don’t reuse passwords – cybercriminals can use one set of leaked credentials to compromise other accounts.
  • Opt for time-based one-time passwords (TOTP) to reduce the amount of time hackers have to brute force access or log in following a successful phishing attempt. 
  • Avoid SMS-based authentication factors where possible. SMS OTPs are one of the most easily compromised 2FA codes.
  • All vendors should have a server in place that restricts the number of unsuccessful MFA login attempts that a user can make. 
  • Administer regular cybersecurity awareness training, including relevant MFA security topics, such as common social engineering techniques, how to identify phishing emails, and creating a secure password.
  • Restrict the usage of unsanctioned apps. The IT department is far more likely to be aware of and advise about social engineering attempts on platforms they’re aware of than those they aren’t.
  • Monitor your attack surface. Cybercriminals can exploit external vulnerabilities, such as poor network security, as the first move in an attempted account compromise. An attack surface management solution can identify vulnerabilities affecting the Internet-facing assets belonging to you and your vendors in real time, allowing you to remediate them before they’re exploited. 
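As an added example (not code from the original article), the sketch below combines two of the recommendations above with the brute force scenario from earlier: a time-based one-time password check following RFC 6238, and a server-side cap on failed MFA attempts. The class name, the limit of five failures and the 15-minute lockout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Code for one time-step counter (RFC 4226 truncation over HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class MfaVerifier:
    """Per-account TOTP check with a failed-attempt cap (limits are assumed values)."""

    def __init__(self, secret: bytes, max_failures: int = 5, lockout: int = 900):
        self.secret = secret
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = 0
        self.locked_until = 0.0
        self.last_counter = -1  # highest time step already accepted

    def verify(self, submitted: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"  # refuse before comparing, so further guesses gain nothing
        current = int(now) // STEP
        for counter in (max(current - 1, 0), current):  # tolerate one step of clock drift
            expected = totp(self.secret, counter).encode()
            fresh = counter > self.last_counter  # each code is accepted only once
            if fresh and hmac.compare_digest(expected, submitted.encode()):
                self.last_counter = counter
                self.failures = 0
                return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout
            self.failures = 0
        return "denied"

if __name__ == "__main__":
    # Shared secret from the RFC 6238 test vectors; never hard-code a real one.
    demo = MfaVerifier(b"12345678901234567890")
    print(demo.verify("287082", 59), demo.verify("287082", 59))
```

Rejecting a code that was already accepted means a phished code cannot be reused after the user has submitted it, and the lockout caps how many guesses an attacker gets inside each 30-second window.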

