How Secure is MFA, Really? How Hackers Bypass MFA
Ryan Rowcliffe, Field CTO, HYPR
7 Min. Read | June 2, 2022
The inherent security weaknesses of passwords have prompted the rise of multi-factor authentication (MFA) to better secure access to data and systems. Multi-factor authentication requires users to prove their identity with two or more independent verification factors:
- Knowledge factors (something you know), such as passwords, secret questions or PINs
- Possession factors (something you have), such as a smart device, card or secure key
- Inherence factors (something you are), such as biometric fingerprint readings, eye or face scans
While MFA is certainly more secure than a login name and password, and organizations are advised to implement MFA wherever possible, how secure is MFA really? Specifically, how secure is MFA that relies on passwords or other “knowledge” factors as part of its authentication process? What about other forms of MFA, such as push notifications?
Unfortunately, there has been a rise in hackers specifically targeting common MFA procedures, such as one-time passwords (OTPs) and voice calls or push notifications sent to phones. This includes specialized services which rent out bots that harvest OTPs to help hackers in their MFA bypass attempts.
Other attacks, such as those by the Lapsus$ group, which recently breached Microsoft, Okta and Samsung, get past MFA with social engineering, SIM swapping and pivoting from compromised secondary accounts. The ease with which attackers now bypass MFA shows that most MFA deployments can be breached, although some authentication methods offer far stronger defense than others.
To answer the question “how secure is MFA,” we need to first take a look at the ways attackers attempt to bypass MFA.
Common Methods Used to Bypass MFA
Hackers have developed a variety of MFA bypass tactics to circumvent multi-factor authentication controls. This is an overview of the most popular methods. Note that attacks often combine multiple tactics, such as social engineering, phishing and OSINT (open-source intelligence), to bypass MFA defenses.
Phishing
Phishing has evolved from stealing passwords to stealing everything needed to get past MFA. In the manual version, the attacker uses a spoofed site to harvest the password and the OTP while logging in to the real site at the same time. This is labor intensive, since it requires real-time interaction between attacker and victim, so MFA-bypassing phishing is becoming automated: researchers have found more than 1,200 phishing toolkits deployed in the wild. These kits sit between the victim and the real site as reverse proxies, so every credential and OTP the victim types passes through the attacker’s server, which can then steal the session cookie the real site issues once MFA completes.
SMS-initiated phishing attacks are also on the rise, with financial institutions being heavily targeted. Also known as smishing, these use similar MFA bypass techniques to email-based phishing but the origin point is a text message from a supposedly trusted source.
SMS OTP Attacks
Even though NIST SP 800-63B classifies SMS as a restricted channel for out-of-band authentication, SMS OTP is still one of the most common MFA methods because it is easy to implement. We have gone in-depth on the insecurity of MFA that relies on SMS OTPs, especially with readily available MFA bypass kits that use an automated bot service to phish OTP codes out of victims. Not only is SMS OTP a seriously flawed process, causing millions in damages to consumers and enterprises, but it also gives a veneer of security that discourages the pursuit of more secure authentication.
Accidental Push Accept
Some MFA providers send users a push notification through an authenticator app as a second authentication factor, with their acceptance of the notification serving as “something you have” verification. How secure is MFA that uses this method? As it turns out, not very, especially if the first factor is a password. Push notification attacks, also called “MFA prompt bombing,” leverage push fatigue and how little attention many of us pay to such notifications.
Generally the attacker already has a valid username and password, obtained in a targeted attack or at scale through credential stuffing, and logs in with them to trigger a push notification. The attacker repeats the login, sending request after request to the user’s legitimate device, until the user accepts one out of annoyance or by mistake, which completes the attacker’s session. The 2022 Passwordless Security Report found that push attacks grew 33% year over year.
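Prompt bombing leaves a recognizable trace in authenticator logs: a burst of push prompts to one user, most of them denied or timed out, ending in a single approval. The following detection is an added example written for this article, not HYPR’s code or any vendor’s rule. The log lines are constructed in a vendor-neutral JSON-lines shape, and the window (10 minutes) and threshold (4 prompts) are assumptions to tune against your own IdP’s export.

```javascript
// Added example (not HYPR's code): flag MFA push bombing in IdP/authenticator logs.
// The log lines below are constructed, vendor-neutral JSON lines; real exports
// carry the same signals (prompt sent / denied / timed out / approved) under
// different field names.
const SAMPLE_LOG = `
{"ts":"2022-05-30T02:11:04Z","user":"j.doe","event":"push_sent","ip":"203.0.113.7"}
{"ts":"2022-05-30T02:11:34Z","user":"j.doe","event":"push_timeout","ip":"203.0.113.7"}
{"ts":"2022-05-30T02:11:40Z","user":"j.doe","event":"push_sent","ip":"203.0.113.7"}
{"ts":"2022-05-30T02:12:10Z","user":"j.doe","event":"push_denied","ip":"203.0.113.7"}
{"ts":"2022-05-30T02:12:15Z","user":"j.doe","event":"push_sent","ip":"203.0.113.7"}
{"ts":"2022-05-30T02:12:45Z","user":"j.doe","event":"push_timeout","ip":"203.0.113.7"}
{"ts":"2022-05-30T02:12:50Z","user":"j.doe","event":"push_sent","ip":"203.0.113.7"}
{"ts":"2022-05-30T02:13:20Z","user":"j.doe","event":"push_denied","ip":"203.0.113.7"}
{"ts":"2022-05-30T02:13:25Z","user":"j.doe","event":"push_sent","ip":"203.0.113.7"}
{"ts":"2022-05-30T02:13:31Z","user":"j.doe","event":"push_approved","ip":"203.0.113.7"}
{"ts":"2022-05-30T08:55:00Z","user":"a.smith","event":"push_sent","ip":"198.51.100.20"}
{"ts":"2022-05-30T08:55:08Z","user":"a.smith","event":"push_approved","ip":"198.51.100.20"}
{"ts":"2022-05-30T09:20:00Z","user":"a.smith","event":"push_sent","ip":"198.51.100.20"}
{"ts":"2022-05-30T09:20:30Z","user":"a.smith","event":"push_timeout","ip":"198.51.100.20"}
{"ts":"2022-05-30T09:21:00Z","user":"a.smith","event":"push_sent","ip":"198.51.100.20"}
{"ts":"2022-05-30T09:21:05Z","user":"a.smith","event":"push_approved","ip":"198.51.100.20"}
`;

function parseLog(text) {
  return text
    .split('\n')
    .filter((line) => line.trim() !== '')
    .map((line) => {
      const rec = JSON.parse(line);
      return { ...rec, t: Date.parse(rec.ts) }; // epoch ms for window arithmetic
    });
}

// One alert per burst: "medium" while prompts pile up without an approval,
// upgraded to "high" the moment an approval lands inside the burst.
// windowMs and minPrompts are assumed defaults; tune them to your environment.
function detectPushBombing(records, { windowMs = 10 * 60 * 1000, minPrompts = 4 } = {}) {
  const alerts = [];
  const byUser = new Map();
  for (const r of records) {
    if (!byUser.has(r.user)) byUser.set(r.user, []);
    byUser.get(r.user).push(r);
  }
  for (const [user, evs] of byUser) {
    evs.sort((a, b) => a.t - b.t);
    let open = null; // index into alerts of the burst currently being tracked
    for (const cur of evs) {
      // Sliding window of this user's events ending at the current event.
      const win = evs.filter((e) => e.t <= cur.t && e.t > cur.t - windowMs);
      const prompts = win.filter((e) => e.event === 'push_sent').length;
      const refused = win.filter((e) => e.event === 'push_denied' || e.event === 'push_timeout').length;
      if (prompts < minPrompts) { open = null; continue; }
      if (open === null) {
        open = alerts.push({
          user, severity: 'medium', ip: cur.ip, firstSeen: win[0].ts, lastSeen: cur.ts, prompts, refused,
        }) - 1;
      }
      const alert = alerts[open];
      Object.assign(alert, { lastSeen: cur.ts, prompts, refused });
      if (cur.event === 'push_approved') {
        alert.severity = 'high';       // the flood ended in an accepted prompt
        alert.approvedAt = cur.ts;
        open = null;                   // any further flood counts as a new burst
      }
    }
  }
  return alerts;
}

function sampleAlerts() {
  return detectPushBombing(parseLog(SAMPLE_LOG));
}

console.log(JSON.stringify(sampleAlerts(), null, 2));
```

Run with `node`. On the constructed log, j.doe yields one high-severity alert (five prompts, four refused, then an approval) and a.smith, who simply missed a prompt once and retried, yields none. Detection of this kind is a stopgap; number matching in the authenticator app raises the bar, and as this article argues, replacing the approve-only prompt with a credential bound to the site removes the attack rather than alerting on it.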
IT Help Desk Social Engineering
In the first stage of this MFA bypass attack, the attacker impersonates an employee to learn which procedure the help desk uses to verify a password reset request. Along with possibly revealing information such as the victim’s login name, this tells the attacker exactly which details they need to acquire to get a password reset and then take over the account. This is a prime example of attackers feeling out how secure MFA is at a particular company before launching targeted attacks.
Exploiting Commonly Bypassed Services
Certain office and email services, such as Gmail, Okta and Microsoft Office 365, are so widespread that attackers routinely target their login flows with the techniques above. As a result, most enterprises are expected to enforce MFA on these services, and the NYDFS has already fined companies for not doing so. Yet the question remains: how secure is MFA that still relies on passwords?
Robocalls
Robocalls play a role in many scams, including those used to bypass MFA. Automated services such as SMS Buster and SMSRanger, rented out to other criminals, boast success rates of up to 80% in getting people to supply account details, including OTPs sent by their service providers. By using constantly revised templates, these robocalls can convincingly mimic what someone’s bank or insurance provider sounds like and persuade them to hand over details. One Maryland couple, for example, lost over $100,000 of their savings from Coinbase in less than a minute despite having MFA enabled.
Man-in-the-Middle Attacks
In a man-in-the-middle (MitM) MFA bypass attack, the attacker eavesdrops on or actively intercepts the communications between two parties: either two users or, increasingly, a user and an application or server. This lets them steal whatever the user sends, such as login credentials, account details and credit card numbers. MitM attacks have grown over the past few years, with remote workers and remote-access services an increasing target. MitM is usually combined with other techniques to bypass MFA, most commonly reverse-proxy phishing kits that relay the victim’s login to the real site and capture the OTP, or the session token issued after it, on the way through.
SIM Swapping
Similar to help desk attacks, SIM swapping uses social engineering to get a mobile carrier to reassign someone’s phone number to a SIM card the attacker controls. Most of the details a carrier uses to verify a subscriber can be picked up from a bill, and major data breaches, such as the one at T-Mobile that compromised roughly 50 million accounts, supply further details such as account PINs and passwords. Once the number is on the attacker’s SIM, every call and text meant for the victim, including OTPs, goes to the attacker’s phone, bypassing any MFA that depends on that number.
How to Prevent Hackers from Bypassing MFA
The above list is by no means complete, and attackers constantly develop new strategies to bypass MFA. This leads many to question how secure MFA is in general, but the real focus should be on the authentication methods and protocols in use. Organizations should avoid any MFA method whose secret can be phished, relayed through a MitM proxy or reset through social engineering of a help desk or carrier. Unfortunately, industry experts estimate that 80-90% of MFA implementations can be breached.
Introducing phishing-resistant MFA, as laid out by the OMB in its Zero Trust strategy memorandum, is the single most effective way to harden your authentication processes against attack. Phishing resistance means the credential is cryptographically bound to the site it was registered with, so nothing the user can be tricked into typing or tapping is of use to an attacker on another site; in practice that means removing MFA that relies on passwords, SMS, voice calls, OTPs or approve-only push notifications. Passwordless MFA based on FIDO standards is designated as the gold standard for phishing-resistant authentication by the Cybersecurity and Infrastructure Security Agency (CISA) and the OMB.
HYPR: Delivering Secure MFA
HYPR’s True Passwordless™ MFA solution was purpose-built to address the problems of breachable MFA. Based on public key cryptography and adhering to FIDO standards, it ensures there are no shared secrets at any point in the authentication process. HYPR provides a seamless authentication journey from the desktop to the cloud, alleviating many user-experience frustrations around authentication.
HYPR also integrates with common IdPs and single sign-on providers, making authentication controls stronger without requiring you to rip and replace your IAM infrastructure. Discover how HYPR’s passwordless MFA solution is helping organizations secure their authentication and access. Please get in touch with our team for any questions.
Ryan Rowcliffe, Field CTO at HYPR, is a technologist with over 20 years in the information technology industry. He has spent the last seven years focused on Identity and Access Management, multi-factor authentication and passwordless MFA solutions. Ryan loves solving business problems with modern innovation mixed with known solutions.