Why MFA is Important, How Hackers Bypass MFA and How To Protect Your Users Further

Author(s): Christian Scott, Blake Shalem

With every major security incident, such as Lockbit’s ransomware attack on ION Group or LastPass’s data vaults being stolen after a developer’s computer was comprised and MFA was bypassed, it begs the question, why do these attacks keep happening on a more frequent basis?

Concisely put, malicious actors are evolving their techniques and capabilities to become more sophisticated while many organizations struggle to keep up with the “cyber arms race” between them and hackers.

For the average corporate employee, optimal cybersecurity is adding another digit to the end of their recycled password. But with evolving cybercrime tactics, even the strongest passwords have limitations, with multi-factor authentication (MFA) have their limitations.

MFA is a form of access control that requires multiple forms of proof to grant an authorized user access to a system. Typically, MFA consists of a password, plus something else. The “something else” usually falls into one or more of these four categories: knowledge, possession, inherence, and location.

You are probably most familiar with the knowledge, which typically takes the form of challenge questions. You enter your username and password and then answer a question. Something like, what was the name of your first pet? Or, which one of these addresses is not somewhere you have lived?

Possession relies on something you have—often your smartphone. For example, you log in with your credentials and then authorize the login by tapping a push notification on your phone. Possession may also involve a physical key (typically a FIDO2 U2F USB key) that you connect to a device to authorize a login.

Inherence is another factor that relies on something that is inherently yours, such as your face or fingerprint, also referred to as "something you know."

Finally, with location, authorized access hinges on where you are. For example, you are logged in at your office located in Boise, but a login attempt is coming from Moscow. Since you cannot be in two places at once, the Russian login attempt triggers an impossible travel alert and is blocked.

Increasingly, companies are relying on possession for MFA. Users must log in using a username and password. Then they pull a one-time passcode (OTP) from an authenticator app, such as Microsoft Authenticator or Google Authenticator, to complete the login.

There are other solutions for this configuration, each with its own security limitations. For example, instead of an authenticator app, users can elect to receive an OTP via a phone call, a push notification, or SMS (more on this later).

Most companies require MFA to access their networks. For several reasons, you should enable MFA on your personal accounts as well.

The first reason is the growing obsolescence of passwords. Most passwords are easily guessed or have already been leaked; for example, consider HaveIBeenPwned’s Pwned Passwords search engine. This legitimate search engine has compiled hundreds of millions of passwords that were exposed in data breaches. Skilled cybercriminals use these password lists, often culled from the dark web, for brute-force attacks. You can think of brute-force attacks as massive guess-and-check operations. If your favorite password did not make HaveIBeenPwned’s list, it is only a matter of time before it does.

The second reason is social media. If you are a Facebook user, you have probably seen viral re-shares of posts asking people to post a photo of their first car or share their “stripper name” (a combination of your middle name and street). These bits of information are often what a cybercriminal needs to pass a knowledge-based MFA.

Finally, remote work is another reason to enable across-the-board MFA. In many cases, a personal device may also be a work device, stemming from the rise of bring-your-own-device (BYOD) work environments. A skilled cybercriminal can move laterally on any of these devices, compromising work and personal information. Properly configured MFA may help thwart lateral movement.

No security system is impregnable, and cyber criminals are producing ingenious ways to circumvent MFA. In fact, Microsoft posted a statement last year about a series of campaigns that targeted more than 10,000 organizations with phishing and MFA bypass attacks.

Phishing attacks are one method. Cybercriminals will use seemingly legitimate emails to con users into granting access to one of their authentication factors.

SIM card swapping, also known as a SIM jacking attack, is another tactic. With this method, a cybercriminal will port your phone number to a new mobile phone. Once they have obtained your account password, the text message with your OTP gets pushed to their phone. This happened to Twitter's former CEO Jack Dorsey in 2019.

Some cybercriminals are also great actors. With enough identifying information, they can convince a service provider, such as a bank, that they are you, lulling them into bypassing MFA. After they have breached your account, they will change your credentials, locking you out. Read more about how we used these same tactics in our social engineering exercises with Blake’s “A Day In The Life Of An Ethical Hacker” blog post.

Finally, there are man-in-the-middle (MITM) attacks like transparent reverse proxies (TRPs). In a TRP MITM, a cybercriminal puts a phishing toolkit between a victim and a target webserver. These toolkits often look like the real site you are attempting to reach, but they are actually gateways that allow requests to pass through to the legitimate site. Here is how it works:

A victim lands on one of these toolkit sites, and it looks like the real thing. They input their credentials, which are simultaneously piped to the cybercriminal and to the legitimate site. The real site sends a one-time passcode (OTP) to the victim, who feeds it into the fake site for the malicious actor to authenticate with. Common transparent reverse proxies include Modlishka, Nercrobrowser, and Evilginx2.

To get the most out of MFA, it is best to leverage three factors of authentication, not just two factors of authentication (2FA). Robust MFA requires at least three of the four of the factors: knowledge, possession, inherence, and location. Redundancy is a critical component of security, and as special forces like to say, two is one and one is none.

Many organizations today are starting to roll out location as an authentication factor utilizing enterprise solutions like Okta and Azure Active Directory. Features like Impossible Travel Detection and Velocity Behavior Detection can help detect attempted simultaneous logins from far-away locations and attempts deemed block anomalous.

Organizations should also seriously consider deploying additional security controls such as MFA push notification additional login context with number matching.

The best way to avoid TRP MITM attacks is to employ the earlier-mentioned FIDO2 U2F USB keys. Yubico keys are popular and relatively cost-effective compared with past solutions. Beyond minimizing opportunities for cybercriminals, FIDO2 keys are fairly durable and require no internet connectivity to work.

Finally, in the post-pandemic world of bring-your-own-device (BYOD) culture, Intune Conditional Access Policies should be leveraged that only allow secure and compliant devices to access company email and documents.

Remember, there is no silver bullet for cybersecurity. It is an ongoing process, and no single solution is a replacement for a defense-at-depth approach.