How Secure Is Multi-Factor Authentication (MFA)?

The use of multi-factor authentication (MFA) is one of the most common pieces of advice given to businesses looking to improve their cybersecurity. Along with strong passwords, VPNs and workplace training, MFA is regularly recommended as the first line of defense when it comes to protecting business data. But is it as secure as we’ve been led to believe? In recent years, there has been an increase in cyber-attacks that have managed to bypass MFA measures, prompting fears that MFA may not be as effective at stopping attacks as previously thought.

Here, we take a look at how cyber-attackers are able to get around MFA, and what that means for the security measure itself.

How Does MFA Work?

MFA works by adding an additional step to the login process, increasing the difficulty for threat actors who are trying to access your networks and data. The idea of MFA is that even if malicious actors have stolen your login credentials, they still won’t be able to access anything because they won’t have the other ‘factor’. The second factor after a username and password can fall into one of three categories:

  • A knowledge factor, like another password, the answer to a secret question, or a one-time code
  • An inherence or biometric factor, such as a fingerprint, eye scan or face scan
  • A possession factor, like a smart device or card or secure key

There are several ways of using the factors above to verify a user’s identity:

  • SMS-based MFA. When a user has entered their log-in credentials (username and password), they receive an SMS containing a one-time code that acts as the second step of the authentication process.
  • App prompt. Once log-in credentials have been entered, the user receives a prompt in an authenticator app and verifies their identity through the app, either using a one-time code or a biometric factor like a fingerprint.
  • Security keys. Thought to be the most secure type of multifactor authentication, a security key is a USB device that communicates directly with the user’s browser using public and private cryptography.

How Hackers Target MFA

‘Prompt Bombing’ or MFA Fatigue

One method of getting around MFA is by using a smartphone’s push notification feature and simply flooding it with authentication requests until the user gets ‘MFA fatigue’ and approves the request, either accidentally or in an attempt to make the notifications stop – also called ‘prompt bombing’.

What to Do in the Event of a Prompt-Bombing Attack

The warning signs of a prompt-bombing attack are obvious (you’ll get flooded with repeated authentication requests), but it’s easy to assume it’s just a glitch. It’s better to be over-cautious, so if you do receive an unusual number of requests, don’t approve any of them and speak to the IT staff in your own organization. Don’t disclose any details or login credentials to anyone who identity you cannot verify.

Phishing

In July 2022, Microsoft revealed details of an attack that combined phishing and ‘Adversary in the Middle (AitM)’ methods to bypass MFA and access the Outlook accounts of more than 10,000 businesses from September 2021 onwards. Victims received an email containing a link to log into their Outlook account. Using a proxy server, the link took victims to a site that looked identical to the genuine site, and they logged in via the proxy, allowing attackers to steal login credentials and session cookies. This gave the attackers full access to users’ mailboxes and allowed them to perform further malicious campaigns such as business email compromise (BEC).

However, it’s important to note that what allowed this particular attack was not a weakness within MFA itself. The method of stealing the session cookie enabled the attackers to bypass MFA completely, rendering it an ineffective barrier to the attack.

What to Do in the Event of a Phishing Attack

The best defense against phishing attacks is preparation: knowing not to open suspicious emails or click on any links or attachments you don’t recognize. Phishing attempts can come in the form of text messages and social media messages, too – it’s not just an email problem. If you think you’ve clicked on a phishing link, disconnect your device from the internet and any other networks, remove any attached devices, and contact your IT team as a matter of urgency.

SMS Hacks

As SMS authentication is one of the most common types of MFA, malicious actors have learned how to spoof it. ‘SIM swapping’ is one method of interfering with SMS authentication – attackers convince the phone service provider to swap the victim’s phone number to a different device, enabling them to access any one-time passwords (OTPs) and consequently, their victim’s data.

Another SMS hacking method is ‘reverse proxy’, where attackers intercept, track and record a victim’s communications with a genuine service, gaining access to log-in credentials and MFA details.

What to Do if You Suspect an SMS Hack

When it comes to SMS hacks, prevention is better than cure – SMS authentication is simply not as secure as other types of MFA. Microsoft advises moving away from SMS and voice call authentication where possible. If you do suspect your SMS verification has been compromised, inform your IT team as a matter of urgency and take any steps to secure your personal data – bank accounts, for example. You’ll find a more detailed guide to what to do in the event of a SIM swap attack here.

False Password Reset

Another way MFA can be bypassed is via a false password reset. An attacker requests a password reset on behalf of their victim, which sends a security code from the service provider to the victim. Then, posing as the service provider, the attacker sends a request for that security code. Typically, the victim will respond with the code, allowing the attacker to reset the password. With both a security code and a new password, the attacker now has access to the systems and data they’ve targeted.

What to Do if You Suspect a False Password Reset

Fortunately, this sort of attack is fairly straightforward to deal with. If you haven’t requested a password reset or you receive a code when you weren’t expecting to, ignore it and contact your IT team immediately.

How Businesses Can Protect Themselves From MFA Hacks

It’s important to remember that MFA does work, as it reduces the risk of password theft and poses an additional barrier to malicious actors trying to steal login credentials. And in a way, the very fact that hackers are finding ways to get around MFA shows its effectiveness – MFA is now common enough to have become a target. Like many other cybersecurity measures, MFA is not infallible. But the benefit of having MFA in place still far outweighs the risk of it being hacked, and there are other actions you can take to ensure your networks and data are as protected as they can possibly be.

1. Use the most secure type of MFA you can. As demonstrated by SMS hacks, not all MFA methods are created equal, so choose the most secure authentication type you can. Consider moving away from SMS verification and investing in physical security keys, for example.

2. Provide Security Awareness Training and other cybersecurity training for all staff in your organization. Cybersecurity awareness training teaches your staff how to spot phishing attacks and other cyber threats, and educates them on how to protect themselves and their devices both in the office and while working remotely.

3. Implement secure third-party data backup for your business data. The best thing you can do to protect your business from any kind of threat, not just MFA hacks, is to safeguard your data by backing it up with a third-party provider. Choose a provider that will encrypt your data both during transfer and at rest, and that can back up all your data – including what you store on cloud apps. You may already be aware that cloud services are not responsible for protecting your data, so it’s vital you factor your cloud app data into your backup strategy.

Guest Author: Rob Stevenson

Rob Stevenson is the founder and CEO of BackupLABS, an online backup service providing protection for SaaS app data. Rob has nearly two decades of experience in delivering backup for small-to-medium businesses. He began providing data security solutions back in 2004 and from 2017, watched the dramatic rise of cloud and SaaS apps with keen interest. As users moved from on-premises software to SaaS services, Rob knew that only a minority of them were aware of the Shared Responsibility Model used by SaaS providers. Knowing that vast amounts of business-critical data were being uploaded to SaaS apps like GitHub and Trello and left unsecured, he established BackupLABS to help organizations safeguard their critical data – and to give business owners peace of mind.

CloudWedge
Logo