When done well, multi-factor authentication (MFA) can be very effective. When done badly, a security disaster looms. Although more and more companies are using MFA to protect their employees, the method is far from universally adopted. In fact, according to a survey conducted by Microsoft last year, 99.9 percent of all compromised accounts were not protected by multi-factor authentication, yet only eleven percent of all enterprise accounts were secured with MFA.
The Corona pandemic was both good and bad for MFA adoption. On the one hand, lockdowns and remote work provided a good reason for more MFA deployments; on the other hand, new phishing opportunities for criminal hackers emerged. Companies that failed to deploy MFA alongside their VPNs represent a substantial proportion of the victims targeted throughout the outbreak.
5 common MFA attack methods
However, recent history shows that there is still room for improvement when it comes to securing two-factor and multi-factor authentication. We show you five common methods that criminal hackers use to exploit MFA vulnerabilities.
- Text-based man-in-the-middle attacks
The biggest problem with multi-factor authentication is related to its most common form of implementation: one-time passcodes sent via SMS. Attackers do not need to compromise the smartphone itself; it is enough to have the victim's phone number temporarily reassigned to a device under their control. There are several ways to achieve this. One is to bribe or persuade a mobile service provider's employee to reassign the number.
Another is to use commercial services, as a Vice Magazine reporter found out in an experiment on himself: for an investment of $16, a contract hacker was able to view or redirect all of the reporter's SMS messages with the help of a service provider.
- Supply chain attacks
The most prominent software supply chain attack to date was the SolarWinds hack, in which various components of the software were infected before delivery. Customers running the software were thus compromised without realising it. There are a number of ways to reduce the risk of supply chain attacks, such as scanning source code and the runtime environment. It is worth remembering that the SolarWinds attack was discovered by an alert security employee who wondered why a co-worker would want to register a second phone for multi-factor authentication. In other words, the attacker was trying to enrol their own device and thereby use MFA itself as an attack vector.
- Workflow bypass
Another example of a multi-factor authentication loophole is the recently discovered vulnerability in the Liferay DXP v7.3 MFA module. The vulnerability allowed any registered user to authenticate themselves by changing the one-time passwords of other users, which in turn locked the affected users out of their accounts. The bug has since been fixed.
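The class of bug described above is an authorization failure: an MFA-management endpoint acts on whichever user the caller names instead of on the caller's own account. The following is an added example, not code from the article or from Liferay, showing a minimal "reset my one-time secret" handler in its vulnerable form next to a hardened form that restricts the operation to the caller's own account, demands fresh proof of the current factor, and records denied attempts for detection. User names, seeds and codes are constructed for illustration.

```python
"""Added example (not from the article or from Liferay): an MFA-secret reset
handler in a vulnerable and a hardened form. All users, seeds and codes are
constructed for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a reset request is refused."""


@dataclass
class User:
    name: str
    mfa_secret: str            # hypothetical stored one-time-code seed
    last_otp: str              # hypothetical most recent code the user was sent
    audit: list = field(default_factory=list)


def make_users() -> dict:
    """Fresh, constructed user store for each run."""
    return {
        "alice": User("alice", "SEED-ALICE", last_otp="123456"),
        "mallory": User("mallory", "SEED-MALLORY", last_otp="654321"),
    }


def reset_mfa_vulnerable(users: dict, caller: str, target: str) -> str:
    """Vulnerable form: the caller is authenticated, but the record acted on
    is chosen by the caller-supplied 'target'. Any registered user can
    overwrite another user's secret and lock that user out."""
    user = users[target]
    user.mfa_secret = secrets.token_hex(8)
    return user.mfa_secret


def reset_mfa_hardened(users: dict, caller: str, target: str, presented_otp: str) -> str:
    """Hardened form: the reset only ever applies to the caller's own account,
    the caller must first prove possession of the current factor, and
    refused attempts are written to the audit trail."""
    if caller != target:
        users[caller].audit.append(f"denied mfa reset of {target}")
        raise Forbidden("users may only reset their own MFA factor")
    user = users[caller]
    # Constant-time comparison of the presented code with the expected one.
    if not hmac.compare_digest(presented_otp, user.last_otp):
        user.audit.append("denied mfa reset: current factor not verified")
        raise Forbidden("re-verify the current factor before resetting")
    user.mfa_secret = secrets.token_hex(8)
    user.audit.append("mfa factor reset by owner")
    return user.mfa_secret


if __name__ == "__main__":
    users = make_users()
    reset_mfa_vulnerable(users, "mallory", "alice")
    print("vulnerable: alice's secret now", users["alice"].mfa_secret)
    users = make_users()
    try:
        reset_mfa_hardened(users, "mallory", "alice", "654321")
    except Forbidden as exc:
        print("hardened:", exc)
```

The audit entries written by the hardened form are what a monitoring team would alert on: a burst of "denied mfa reset of <other user>" events from one account is the signal that someone is probing the MFA workflow.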
- Pass-the-Cookie attacks
This attack method targets websites that store authentication state in browser cookies: once a user has completed MFA, the session cookie alone is enough to act as that user. Originally, this approach was chosen for reasons of user-friendliness. However, if a cybercriminal manages to extract the cookie, they can replay it and take over the account without ever seeing the second factor.
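The defensive side of the pass-the-cookie problem is to make the cookie hard to steal and cheap to revoke, and to notice when it is replayed from somewhere it should not be. The following is an added example, not code from the article, showing a session issued with the HttpOnly, Secure and SameSite attributes, stored server-side only as a hash, bounded by a lifetime, and checked on each request against the client profile it was issued to; a mismatch marks the session as needing fresh MFA rather than silently honouring it. Session store, user-agent strings and timestamps are constructed for illustration.

```python
"""Added example (not from the article): session-cookie issuance and replay
detection. The session store and client profiles are constructed."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie

SESSION_TTL = 8 * 3600   # constructed: sessions expire after eight hours


@dataclass
class Session:
    user: str
    user_agent: str       # client profile recorded at issuance
    created: float
    mfa_verified: bool = True


SESSIONS: dict = {}       # sha256(token) -> Session; raw tokens are never stored


def _h(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(user: str, user_agent: str, now: float = None) -> tuple:
    """Create a session and return (raw token, Set-Cookie header value)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[_h(token)] = Session(user, user_agent, now)
    cookie = SimpleCookie()
    cookie["sid"] = token
    cookie["sid"]["httponly"] = True      # not readable by page scripts
    cookie["sid"]["secure"] = True        # only sent over HTTPS
    cookie["sid"]["samesite"] = "Strict"  # not sent on cross-site requests
    cookie["sid"]["path"] = "/"
    cookie["sid"]["max-age"] = SESSION_TTL
    return token, cookie.output(header="").strip()


def validate_session(token: str, user_agent: str, now: float = None) -> str:
    """Classify a presented cookie: ok / unknown / expired / suspicious /
    step_up_required. A replayed cookie from a different client profile is
    downgraded until the user completes MFA again."""
    now = time.time() if now is None else now
    session = SESSIONS.get(_h(token))
    if session is None:
        return "unknown"
    if now - session.created > SESSION_TTL:
        del SESSIONS[_h(token)]
        return "expired"
    if user_agent != session.user_agent:
        session.mfa_verified = False
        return "suspicious"
    if not session.mfa_verified:
        return "step_up_required"
    return "ok"


def complete_step_up(token: str) -> bool:
    """Called after the user passes a fresh MFA challenge."""
    session = SESSIONS.get(_h(token))
    if session is None:
        return False
    session.mfa_verified = True
    return True


if __name__ == "__main__":
    tok, header = issue_session("alice", "Mozilla/5.0 (constructed)", now=1000.0)
    print("Set-Cookie:", header)
    print(validate_session(tok, "Mozilla/5.0 (constructed)", now=1001.0))
    print(validate_session(tok, "curl/8.0 (constructed)", now=1002.0))
```

The user-agent is only one cheap signal and can be copied along with the cookie; in a real deployment the profile would also include network origin and, where available, a device-bound token, and the "suspicious" verdict would feed the detection pipeline as well as the step-up prompt. The point of the hashed store is that a database leak does not hand out usable cookies, and a session can be revoked server-side the moment replay is detected.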
- Server-side forgeries
One of the biggest exploits in the recent past was Hafnium, in which a chain of attacks was used to bypass authentication on Microsoft Exchange servers. Four zero-day vulnerabilities in Exchange were exploited, for which Microsoft has since issued a series of patches.
How to do multi-factor authentication properly
These common MFA attack methods make it clear that multi-factor authentication requires a certain amount of care if it is to work properly and securely. Bad MFA is like bad sunglasses – it offers no protection. However, the main reason why multi-factor authentication is not more widely used is because of the poor user experience.
To be truly effective, MFA must be combined with a zero-trust architecture and continuous authentication technologies, according to the analyst. Numerous providers have recognised this and have corresponding products on offer, but the implementation is anything but simple.
The account recovery option is another weakness of multi-factor authentication: some companies have solid MFA protection for normal account logins, but if a user forgets their password, the recovery process starts with an SMS passcode.
IT managers therefore need to closely review their authentication workflows and login screens to rule out the possibility of attackers grabbing login data by tapping into the web server. Admins should also consider using bot management solutions so that automated attacks on the login flow do not stand a chance.
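The recovery weakness described two paragraphs above and the workflow review recommended here can be checked mechanically once each authentication path is written down as a list of factor steps. The following is an added example, not code from the article, of a small audit that flags single-factor flows, flows whose only second factor travels over a reassignable channel such as SMS, and any flow (typically account recovery) that is weaker than the login flow it can replace. The strength ranking and the sample flow definitions are constructed assumptions for illustration.

```python
"""Added example (not from the article): an audit of authentication workflows
that reports recovery paths weaker than the login they bypass. Ranking and
flows are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed ranking, higher is stronger. SMS and e-mail codes rank lowest
# because the channel can be reassigned away from the user; app codes and
# push approvals sit in the middle; phishing-resistant keys rank highest.
STRENGTH = {
    "password": 1,
    "sms_otp": 1,
    "email_link": 1,
    "totp_app": 2,
    "push_approve": 2,
    "fido2_key": 3,
}
WEAK_CHANNEL = STRENGTH["sms_otp"]


@dataclass
class Flow:
    name: str
    steps: List[str]
    bypasses: Optional[str] = None   # name of the flow this one can replace


def second_factors(flow: Flow) -> List[str]:
    """Every step other than the password counts as a candidate second factor."""
    return [s for s in flow.steps if s != "password"]


def flow_strength(flow: Flow) -> int:
    """A flow is as strong as its strongest non-password step, 0 if none."""
    extra = second_factors(flow)
    return max(STRENGTH[s] for s in extra) if extra else 0


def audit(flows: List[Flow]) -> List[str]:
    """Return one finding string per weakness discovered."""
    by_name = {f.name: f for f in flows}
    findings = []
    for flow in flows:
        extra = second_factors(flow)
        if not extra:
            findings.append(f"{flow.name}: single factor")
        elif all(STRENGTH[s] <= WEAK_CHANNEL for s in extra):
            findings.append(f"{flow.name}: second factor only over a reassignable channel")
        if flow.bypasses:
            target = by_name[flow.bypasses]
            if flow_strength(flow) < flow_strength(target):
                findings.append(
                    f"{flow.name}: weaker than {target.name}, which it can bypass"
                )
    return findings


# Constructed sample: a strong login, an SMS-based recovery path that can
# replace it, and an admin console with no second factor at all.
SAMPLE_FLOWS = [
    Flow("login", ["password", "fido2_key"]),
    Flow("recovery", ["email_link", "sms_otp"], bypasses="login"),
    Flow("admin_console", ["password"]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The recovery finding is the one the article warns about: a login protected by a hardware key is only as strong as the SMS code that resets it. Running such a check against every path that ends in an authenticated session, including help-desk resets and API token issuance, is a practical form of the workflow review recommended above.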
Multi-factor authentication should be part of the critical infrastructure of corporate security. Recent attacks, as well as the urging of experts from the government and business sectors, should give a boost to smart MFA implementations.