Avoiding Multi-Factor Authentication – What Can You Do Against It?

Multi-factor authentication refers to the practice of authenticating users with more than one identity verification method. An email address or username identifies the user, and the password is the standard first method of authentication. With multi-factor authentication, a second (or even third) verification step takes place after the correct credentials are provided.

A common authentication method you might have come across is an OTP or ACT token sent to your phone via SMS or to your email account. Other methods include answering a personal question or presenting a physical device, such as a USB drive or RFID tag.

Another popular method is to utilize a mobile authentication app that randomly generates new OTPs at regular intervals. Whenever you log in, you’ll need to type in the currently active OTP.

Using two methods of authentication is referred to as Two-Factor Authentication (or, 2FA) and is the most common practice today.

 


Multi-factor authentication has the potential to improve account security by orders of magnitude. However, no system is waterproof and hackers are constantly innovating to find new ways to bypass these measures.

How do attacks bypass MFA?

Phones are the most common devices used for 2FA via SMS, email, or a dedicated app. As such, infecting the phone with malware can be one way to harvest OTPs and successfully bypass authentication. A recent example is the RampantKitten malware, used by an Iranian hacker group and delivered to victims via Telegram.

Recently, vulnerabilities in the Microsoft 365 productivity platform allowed hackers to compromise cloud-based enterprise applications by bypassing its MFA components.

Less technically sophisticated methods such as phishing and man-in-the-middle attacks can also be used to compromise MFA. Socially engineering customer service reps into a SIM swap can be used to bypass the rudimentary SMS-style verification used by most banks. Lastly, mining apps for unencrypted data in the form of clipboard data, cookies, authentication tokens, etc. is elementary.

The FBI itself has distributed a security advisory warning against the dangers of widespread MFA bypassing techniques.

How to further waterproof MFA for improved security?

Like most complex security concerns today, hardening MFA procedures requires taking a detailed look at your entire security infrastructure and identifying all weaknesses and potentially vulnerable endpoints. You can then implement specific measures to reduce the frequency of occurrences and limit damage using the following:

  • Leverage biometrics: Many smart mobile devices today have built-in biometric security using facial identification or a fingerprint sensor, for example. Obtaining and using biometric data is much more challenging than obtaining text-based OTPs.
  • Phishing awareness training: Email phishing, via spear or broadcast-based methods, is still a common form of social engineering used to bypass even MFA credentials. Awareness protocols such as the Phish Scale can help organizations educate stakeholders to not fall prey to these attempts.
  • Encrypt data-in-transit: MitM and phishing attacks can be avoided by using stringent certificate pinning and authority validation techniques. From the individual perspective, unsecured public wifi should be avoided and secure VPNs should be used when accessing enterprise apps.
  • Use MULTI-factor authentication: If 2FA is still being bypassed frequently, consider tightening measures further by introducing additional authentication layers. Not all of them need to apply at every login, but account recovery or accessing sensitive data should require additional verification methods. A mix of in-band and out-of-band authentication measures will dramatically harden authentication.
  • Harden app security: If your authentication apps aren’t inherently secure, you might only be delaying the inevitable. Hardening can be done by obfuscating the business logic and third-party libraries, hiding or encrypting sensitive strings and API keys, responsibly implementing in-app privileges, and adding anti-tampering or jailbreak prevention.
  • Alerts: Notifying users when their accounts have been accessed from new or unknown devices or locations has become relatively common. However, these alerts need to be communicated via all possible channels (and possibly even to security-orientated personnel) to quickly identify and respond to potential breaches.
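The additional-layers and alerting measures above, combined in one decision function, as an added example that is not part of the original article. The action names, channel list, `AuthEvent` and `AccessMonitor` are hypothetical; requiring an extra factor for a new device or location (and not only for sensitive actions) is an assumption of this sketch.

```python
from dataclasses import dataclass

# Hypothetical policy values for this sketch, not taken from the article.
SENSITIVE_ACTIONS = {"account_recovery", "export_data", "change_mfa"}
ALERT_CHANNELS = ["email", "push", "sms", "security_team"]

@dataclass(frozen=True)
class AuthEvent:
    user: str
    device_id: str
    country: str
    action: str = "login"

class AccessMonitor:
    def __init__(self):
        self.baseline = {}  # user -> {"devices": set(), "countries": set()}

    def trust(self, ev: AuthEvent) -> None:
        """Record device and location only after every required factor passed."""
        seen = self.baseline.setdefault(ev.user, {"devices": set(), "countries": set()})
        seen["devices"].add(ev.device_id)
        seen["countries"].add(ev.country)

    def evaluate(self, ev: AuthEvent) -> dict:
        seen = self.baseline.get(ev.user, {"devices": set(), "countries": set()})
        reasons = []
        if ev.device_id not in seen["devices"]:
            reasons.append("new_device")
        if ev.country not in seen["countries"]:
            reasons.append("new_location")
        return {
            # Extra factor for sensitive actions and for any unfamiliar context.
            "step_up": bool(reasons) or ev.action in SENSITIVE_ACTIONS,
            # Unfamiliar context is reported on every channel, including security staff.
            "notify": list(ALERT_CHANNELS) if reasons else [],
            "reasons": reasons,
        }

def run_demo() -> list:
    monitor = AccessMonitor()
    monitor.trust(AuthEvent("alice", "laptop-01", "US"))  # enrollment baseline
    events = [  # constructed sample events
        AuthEvent("alice", "laptop-01", "US"),                      # familiar login
        AuthEvent("alice", "laptop-01", "US", "account_recovery"),  # sensitive action
        AuthEvent("alice", "phone-77", "RO"),                       # unknown device and country
    ]
    return [monitor.evaluate(ev) for ev in events]

if __name__ == "__main__":
    print(run_demo())
```

A user with no baseline at all is treated as entirely unfamiliar, so the check fails closed rather than silently trusting the first device it sees.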

Conclusion – Is MFA worth it?

The answer is a resounding yes! MFA is still a much stronger and more effective authentication framework than single-factor authentication. While the frequency of MFA-bypassing attacks has increased, they are still far less common.

Part of this is because MFA attacks are difficult to automate and still largely rely on time-consuming and labor-intensive social engineering strategies. Alex Weinert of Microsoft claims that MFA made accounts 99.9% more secure on devices using their OS.

However, MFA alone isn’t enough to counter all threats. That can only be done with organization-wide buy-in when it comes to best practices as well as hardening security across the entire authentication stack.