How cyber-attackers break your multi-factor authentication protection – and 7 things you can do about it
By Michael Foster
Cybersecurity Auditor and Advisor
One of the best ways to thwart bad actors from logging in to your system is to enable Multi-Factor Authentication (MFA), a.k.a. Two-Step Login. But attackers are bypassing that protection.
If you know what MFA is, you can skip this paragraph. The most common first step of MFA is for users to enter their username and password. They then receive a text message with a code to complete the login process. Alternatively, the user might have an authenticator app on their phone that provides the code.
In another option, the user receives a “push” notification asking them to approve the login through the app. The latter is sometimes referred to as one-tap login. There are other options for the factors, including approving specific computers, geo-location, USB hardware keys, and biometrics (such as fingerprints, facial recognition, and iris scans). There are pros and cons to each method.
Here are a few steps to protect yourself from attackers that are bypassing multi-factor authentication:
- If supported, instead of a code number from a text message or authenticator app, consider using a USB token, fingerprint, or facial recognition for the second factor.
- Reduce the duration a code is valid. For example, perhaps change the code every 60 seconds so an older code won’t work.
- Limit the number of failed login attempts in a specific period.
- Implement web content filtering to protect users from being exposed to fake login screens.
- Limit logins to specific countries.
- If users primarily use the same device, restrict logins to those specific devices.
- Train users to beware of fraudulent login prompts.
Below is a more in-depth look.
One Way Attackers Bypass MFA:
Step 1: Trick the user into clicking a link that takes them to a fake login screen for Microsoft 365, LinkedIn, or any other valuable site.
Step 2: The user enters their username and password into the fake login form. Now the attacker knows the user’s login name and password.
Step 3: The attacker’s computer pulls up the genuine login form and enters the username and password the victim just provided.
Step 4: The legitimate website sends the user the text message, sends a push notification, or performs whatever other second factor the user is used to. The user expects this, and the process seems normal to them.
Step 5: The attacker can create a fake form for the user to enter the code from their text message or app. When the victim enters the code, the attacker’s computer inserts it into the genuine website. If the user received a push notification, they will likely approve the login, because they believe they are indeed logging into the site.
Step 6: The attacker is logged in and has the user’s full access. The attacker needed no previous knowledge of the person’s username, password, or text key.
Another method to bypass MFA is using social engineering to trick the user into disclosing their username, password, and codes or other second factor. A typical example is for a bad actor to contact a user, impersonate a technical support person, and ask the user to provide the information to help fix some problem that doesn’t exist. Some trusting users walk the attacker through the login process, bypassing the protection of MFA.
Another strategy bad actors use is called MFA fatigue. The attacker makes so many login attempts that the user finally tires of receiving push notification alerts. The fatigued user approves the login to make their phone be quiet, and the attacker is in the system.
Attackers also use SIM swapping to reroute calls and text messages to their own phones. Therefore, text and callback codes can be less secure than other second factors. However, many sites only offer those two options.
As your IT team can tell you, there are more technical ways for attackers to bypass MFA, such as person-in-the-middle attacks that use something called a proxy. Another strategy is to use captured authentication cookies or tokens. Authentication can also rely on digital key values that must be kept secret inside servers; if attackers get access to those keys, they can gain access.
Strategies You Can Employ
1) One strategy to fight this kind of attack is to use a second factor that isn’t a text code. For example, a user doesn’t need to enter a code if the second factor is a fingerprint or a USB token plugged into the computer. The user cannot type that information into a fraudulent login screen.
2) Another common strategy to thwart attackers trying to bypass MFA is to reduce the time an OTP (One Time Password) code works without the user requesting and receiving a new text message or generating a new code in the authenticator app. Shorter expiration times mean attackers must use the stolen credentials and second factor to log in more quickly.
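The following is an added example, not code from the article. It implements TOTP (RFC 6238) the way a login server verifies it, so you can see concretely how the time step (30 seconds by default, 60 seconds in the article's suggestion) and the server's acceptance window bound how long a code that an attacker has captured remains usable. The verifier also refuses a time step that has already been accepted, so a code that was used once cannot be replayed. The base32 secret is a constructed demo value, not anything from the article.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example, not code from the article. Server-side TOTP verification
# (RFC 6238 on top of RFC 4226 HOTP) with a bounded acceptance window and
# replay protection for already-used time steps.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch. The code changes once per step."""
    return hotp(secret, int(now // step), digits)


class TotpVerifier:
    """Server-side verifier. `window` is how many adjacent time steps are
    accepted on either side of the current one (tolerates clock skew).
    A time step that was already accepted is refused afterwards, so the
    same OTP can never be submitted twice."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self._last_accepted_counter = -1

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for offset in range(-self.window, self.window + 1):
            candidate = current + offset
            if candidate <= self._last_accepted_counter:
                continue  # already used, or older than a step already used
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self._last_accepted_counter = candidate
                return True
        return False


# Constructed demo secret; a real deployment generates a random per-user secret.
DEMO_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")


def demo_code_lifetime(step: int, window: int, issued_at: float = 1_000_000.0) -> int:
    """Seconds after issue at which a code stops being accepted by a fresh
    verifier with the given step and window. The exact figure depends on
    where inside its time step the code was issued."""
    code = totp(DEMO_SECRET, issued_at, step)
    t = 0
    while TotpVerifier(DEMO_SECRET, step, window).verify(code, issued_at + t):
        t += 1
    return t


if __name__ == "__main__":
    print("30 s step, window 1: code rejected after", demo_code_lifetime(30, 1), "s")
    print("30 s step, window 0: code rejected after", demo_code_lifetime(30, 0), "s")
    print("60 s step, window 0: code rejected after", demo_code_lifetime(60, 0), "s")
    print("current demo code:", totp(DEMO_SECRET, time.time()))
```

Two things the numbers show: the acceptance window, not just the step length, decides how long a captured code lives (window 1 on a 30-second step accepts a code for up to 90 seconds), and the replay check closes the case where the attacker submits the same code the victim just used. Neither setting stops a relay that forwards the code within seconds, which is why the article pairs this strategy with a phishing-resistant second factor.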
3) Another strategy, slightly less effective on its own but usable in conjunction with the others, is to limit the number of failed login attempts within a session. An example rule: if there are three failed login attempts for a user account in a row within five minutes, lock the account so it can’t be used to log in again for 10 minutes.
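The following is an added example, not code from the article. It implements the article's example rule (three failures within five minutes lock the account for ten minutes) as a sliding-window throttle that a login handler would consult before checking the password. The account names and timestamps in the demo are constructed.

```python
from collections import defaultdict, deque

# Added example, not code from the article. Sliding-window failed-login
# throttle: max_failures within window_seconds locks the account for
# lockout_seconds. Timestamps are plain seconds so the policy can be
# exercised without real waiting.


class LoginThrottle:
    def __init__(self, max_failures: int = 3, window_seconds: int = 300,
                 lockout_seconds: int = 600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lock expires

    def _prune(self, account: str, now: float) -> None:
        """Drop failures that have fallen outside the sliding window."""
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[account]       # lock has expired
        return False

    def attempt(self, account: str, credentials_ok: bool, now: float) -> str:
        """Returns 'locked', 'ok' or 'failed'. The lock is checked before the
        credential result is consulted, so a locked account gives no signal
        about whether the guess was right."""
        if self.is_locked(account, now):
            return "locked"
        if credentials_ok:
            self._failures.pop(account, None)  # success resets the counter
            return "ok"
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self._failures.pop(account, None)
        return "failed"

    def seconds_until_unlock(self, account: str, now: float) -> float:
        return max(0.0, self._locked_until.get(account, now) - now)


def simulate(events):
    """Replay (account, credentials_ok, timestamp) tuples through a fresh
    throttle and return the outcome of each attempt."""
    throttle = LoginThrottle()
    return [throttle.attempt(acct, ok, t) for acct, ok, t in events]


if __name__ == "__main__":
    # Constructed sequence: three wrong passwords within 200 s, then the
    # correct password while locked, then the correct password after expiry.
    events = [("alice", False, 0), ("alice", False, 100), ("alice", False, 200),
              ("alice", True, 500), ("alice", True, 800)]
    for (acct, ok, t), outcome in zip(events, simulate(events)):
        print(f"t={t:4d} {acct} credentials_ok={ok!s:5} -> {outcome}")
```

Note that the correct password submitted at t=500 is still refused, which is the point of the control: the attacker who has just phished a password cannot keep trying variations of a stale code. Because the lock is keyed by account, a large number of deliberate failures can also lock a legitimate user out, so in practice this throttle is paired with per-source rate limiting and the lock is reported to the user without confirming whether the credentials were correct.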
4) A useful but underutilized cybersecurity control is conditional access by country. If your users will always log in from specific countries, block logins from all other countries. That makes it more difficult for foreign adversaries to compromise your users’ accounts. Identifying a user’s location is sometimes referred to as geolocation.
5) Your IT team can implement some form of web content filtering and configure it to block communications with known malicious sites and attacker command-and-control servers. This isn’t perfect because attackers frequently change command servers, but it helps.
6) Using SSO (Single Sign-On) reduces the number of opportunities an attacker has to trick the user. Of course, the flip side is that if an attacker successfully gains access to the single sign-on, the attacker won’t need any other credentials to access everything the user can access.
7) User training is essential, as is keeping the computer safe.
As you can see, using MFA does not mean your authentication process is secure. Whenever a new security control is invented, someone finds a way to break it. The strategies above will help you and your team be more secure.
Alert your colleagues to some of the ways attackers can bypass MFA. They might decide to consider using USB keys, biometrics, or cryptographic codes stored in a computer or hardware.