Why MFA Falls Short And What Can Be Done About It

Multi-factor authentication (MFA) solutions are not new to data security. Already decades in use, MFA adoption became more commonplace post-pandemic thanks to remote work conditions. While companies like Google and Microsoft have claimed how MFA blocks all but .01% of account abuse attacks, the sad truth is that MFA is far from perfect, and attacks are on the rise.

How does MFA fall short?

Verizon research pegs 82% of all cyberattacks on human error (stolen credentials, phishing, misuse). Attackers need some level of human involvement to circumvent MFA controls. Phishing and social engineering tactics help distract users while different techniques are employed to hack MFA defenses.

• Man-in-the-middle (MitM) attacks: Attackers trick a potential victim into visiting a fake website where the user enters credentials and triggers an MFA request to the unsuspecting user. Once the user confirms the push notification via mobile device, the hackers intercept the authentication code and gain account access. Threat actors can now buy ready-made phishing kits to carry out MitM attacks on MFA tokens.
• SIM-swapping attacks: Sending a one-time passcode via SMS text is one of the most common authentication approaches used by legacy MFA technologies. In a SIM swapping attack, attackers will pose as a real subscriber and convince the telecom provider to hand over a replacement SIM card, claiming the original SIM was lost or stolen. Once attackers install the new SIM card, they can use it to overcome MFA checks, reset account credentials and/or gain unauthorized access to corporate resources. An estimated $68 million were lost to SIM swapping attacks last year.
  Pass-the-cookie attacks: Cookies are much like a driver’s license that allow users unfettered access to resources until they expire. A pass-the-cookie attack is a variant of MitM where attackers use phishing to collect a session cookie that stays with a user during their browsing session. Earlier this year, the U.S. security agency CISA advised that attackers were frequently using pass-the-cookie attacks in combination with phishing and brute-force techniques to compromise cloud service accounts.
• MFA fatigue: Russian attackers reportedly used social engineering to bombard Office365 users with MFA push notifications (a.k.a. prompt bombing). Distracted or overwhelmed with notifications, users misinterpreted them as a bug or confused them with legitimate notifications, allowing attackers to overcome MFA defenses and gain entry into accounts or devices. Consent phishing is another adaptation of this technique and can be used to bypass MFA security.

What can organizations do to improve MFA?

MFA only makes sense if it is resilient against bypassing and hacking; otherwise, why would anyone enable MFA to only get mildly better protection? Here are three best practices that can help.

1. Deploy phishing-resistant MFA if possible.

The U.S. government has been mandating all federal agencies to use “phishing-resistant” MFA. This means organizations must steer clear of any MFA technology that can easily be phished (such as one-time passcodes, SMS text messages, dynamic codes and push notifications). The strongest forms of MFA are based on the FIDO2 framework that allows users to unlock access to resources using fingerprint readers, cameras and other device-level/hardware security checks on their devices. Since credentials don’t leave a user’s device and are not stored anywhere, it eliminates the risk of phishing and credential theft.

2. Make existing phishable MFA solutions less phishable.

There are a number of things organizations can do to make their current MFA less phishable. This includes adding more information and context to user logins since most MFA solutions oversimplify (via simple allow/reject buttons) instead of displaying more context so that users can be more assured of what they are logging into. This can include things like device name, global ID and device location. MFA solutions must also be tied to specific URLs, devices and hosts, so if a MitM attack is involved, the solution will not allow access to the resource.

Additionally, ensure MFA is built using NIST-approved (or FIPS-validated) cryptography. These are time-tested, publicly reviewed protocols; there is no need for people to invent their own cryptography. Further, stop allowing an easy reset of credentials when MFA is not working—the recovery and bypass process must instead be rigorous. Finally, ensure that anything like a session cookie, security token or a seed value expires in less than 24 hours.

3. Improve security awareness around MFA.

The core foundation of any security strategy is mitigating the root causes of threats. For example, ransomware is not the problem; more worrisome is how ransomware got in. Similarly, in the case of MFA attacks, phishing is the key root cause that needs to be addressed. No matter how strong your MFA solution is, all stakeholders must understand the strengths and weaknesses of MFA and how hackers exploit users to bypass MFA defenses. Employees must be trained to spot and report unusual activity; they must especially be careful with push notifications and login attempts they’re not directly involved with. Additionally, they should use unique, 20-character passwords to avoid credential theft.

Always opt for a defense-in-depth approach. Eliminate the risks associated with standard MFA by deploying one based on FIDO2. Ensure employees are awareness-trained to identify a cyber threat masquerading as an MFA request.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Follow me on Twitter or LinkedIn. Check out my website.
Stu Sjouwerman

Stu Sjouwerman is the founder and CEO of KnowBe4 Inc., a security awareness training and simulated phishing platform. Read Stu Sjouwerman’s full executive profile here.

Forbes, August 11, 2022