
Communications of the ACM

ACM News

Concerns Grow about MFA Bypass Attacks


Cybercriminals increasingly are bypassing multi-factor authentication using specially crafted attacks.

Credit: Getty Images

Multi-factor authentication (MFA) uses authentication factors such as passwords, fingerprints, and smartphones, to secure systems and data. Security experts are pressing consumers and organizations to adopt MFA, because it is more difficult for criminal hackers to gain unauthorized access to systems when they must steal multiple authentication factors.

Experts at security and standards organizations such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) urge people and organizations to use MFA whenever possible.

Yet, cybercriminals increasingly are bypassing MFA using specially crafted attacks.

In February, social media news and sharing forum Reddit found that attackers had phished its employees via email. The attack conned users into giving up their MFA credentials to the cybercriminals.

"The attacker used convincing prompts directing employees to a website mimicking Reddit's intranet gateway," says James Quick, director of solutions and advisory for Simeio, an identity and access management (IAM) company.

According to Quick, when employees entered their credentials and second-factor tokens, the criminals captured and used those to gain access to the organization.

MFA bypass attacks are increasing. According to data from Sapphire Cybersecurity, a 25-year-old U.K. managed security services provider (MSSP), there were 40,942 MFA fatigue attacks in August 2022.

Criminal hackers have many MFA bypass techniques, such as man-in-the-middle (MitM) attacks, MFA bypass phishing kits, stolen browser session cookies, MFA fatigue, and malicious OAuth applications.

However, there are methods to mitigate these attacks.

Cybercriminals can use man-in-the-middle attacks on Wi-Fi hotspots to bypass MFA. The criminals set up an "evil twin," a bogus wireless access point that imitates a legitimate one, and dupe a user into connecting to it. The ploy gives the criminal access to the traffic between the end user and the Internet, and with it the ability to steal the user's token.

According to Brian Hornung, chief executive officer of Xact IT Solutions, Inc., a cybersecurity and IT services company, when a traveling employee connects to a hotel's Wi-Fi and then to their Microsoft account, they may see a message asking whether they want to trust the site or remember it on their device. "Most untrained users are going to click 'yes' because they don't want to go through the manual login process every time they connect from this network," explains Hornung. "But if the attacker can sniff out the Microsoft token as it passes from Microsoft to them and then to the user, they can steal that token and use it to gain access."

MFA bypass phishing kits are a popular choice for cybercriminals. They use the kits and phishing websites to capture usernames, passwords, and MFA tokens to log in to the user's account.

According to Hornung, when an employee enters their username and password into the bogus website, the criminal hackers collect those and quickly enter them into the legitimate site. When the site passes an MFA token back to the user, the user enters it, and the criminal collects that and quickly enters it into the actual site, he says.

The theft of browser session cookies is another avenue for MFA bypass. Websites set a browser session cookie to maintain a user's authenticated session while the user is on the site. That session should end, and the cookie should be cleared, when the user closes their browser.

Unfortunately, according to HelpNetSecurity, a criminal hacker can bypass MFA by stealing the browser session cookie from the user's browser to gain unauthorized access to the organization's site and sensitive data.

Another attack, MFA fatigue, has seen a lot of news coverage. According to BleepingComputer, MFA fatigue or MFA bombing attacks use scripts to automate repeated login attempts. Each attempt sends a two-factor authentication (2FA) confirmation request to the user, until the user tires of the prompts and approves one, but it is the hacker's login that gets approved.

Criminal hackers also may abuse Open Authorization (OAuth 2.0), the de facto standard for online authorization and consent, to bypass MFA. According to HelpNetSecurity, in malicious OAuth attacks that started appearing late last year, Microsoft unwittingly gave "publisher identity verified" badges to criminal hackers. The cybercriminals used the blue badges with fraudulent Single Sign-On (SSO) and meeting apps in social engineering attacks. When the users clicked on 'accept', the criminals gained unauthorized access.

Despite the mounting attacks, there is hope. According to Quick, organizations can protect employees and data from MFA bombing/fatigue attacks by using time-based MFA, such as the Google Authenticator or the Microsoft Authenticator. These time-based one-time passcodes (TOTPs) expire after 30 seconds. "It makes it harder for attackers to send many MFA requests quickly," explains Quick.

"Challenge-response MFA is another option. It requires users to answer a security question or provide a biometric identifier besides their password and MFA code," says Quick. An attacker would have to know the answer or have access to the biometric identifier to bypass MFA.

There are variations on the authentication factor, "something you have," such as physical authentication keys.

Says Rahul Mahna, managing director of accounting firm EisnerAmper's Outsourced IT services team, "We are seeing hardware MFA such as YubiKeys becoming more popular. The keys allow physical MFA versus electronic."

YubiKeys and similar products, such as Google Titan, mitigate man-in-the-middle and phishing attacks because the criminal does not have the physical key, and because the key only answers a challenge for the site it was registered with, so a look-alike site cannot obtain a usable response.

Awareness is a critical tool for security teams. According to Quick, organizations should know about the latest phishing and social engineering attacks on MFA. "Attackers are constantly developing new ways to trick users into approving MFA requests," he says. By knowing how new MFA bypass attacks work, security teams can learn what event alerts to set and which event logs to review to identify these attacks.
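One concrete form of the alerting Quick recommends, aimed at the MFA fatigue pattern described earlier: an added example (not code from the article or any vendor) that scans push-notification events from a constructed, simplified log and raises an alert when a user receives a burst of prompts in a short window, and a second, higher-priority alert when that user finally approves one after denying earlier ones. The log format, field names and thresholds are assumptions; a real deployment would read the identity provider's sign-in logs instead.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone
WINDOW_SECONDS = 300    # look-back window in which push prompts are counted
PROMPT_THRESHOLD = 5    # prompts inside the window that count as a bombing burst

# Constructed sample log (not from any real product): "<UTC time> <user> <push event>".
SAMPLE_LOG = """\
2023-03-01T08:00:00Z alice push_sent
2023-03-01T08:00:10Z alice push_denied
2023-03-01T08:00:30Z alice push_sent
2023-03-01T08:00:40Z alice push_denied
2023-03-01T08:01:00Z alice push_sent
2023-03-01T08:01:10Z alice push_denied
2023-03-01T08:01:30Z alice push_sent
2023-03-01T08:01:40Z alice push_denied
2023-03-01T08:02:00Z alice push_sent
2023-03-01T08:02:10Z alice push_denied
2023-03-01T08:02:45Z alice push_approved
2023-03-01T08:03:00Z bob push_sent
2023-03-01T08:03:05Z bob push_approved
"""
def parse_line(line):
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), user, event

def detect_mfa_fatigue(lines, window=WINDOW_SECONDS, threshold=PROMPT_THRESHOLD):
    """Return (user, kind, timestamp): 'burst' when a user reaches `threshold` prompts
    inside `window` seconds; 'approved_after_denials' when they then approve one."""
    prompts = defaultdict(deque)   # user -> prompt timestamps still inside the window
    denials = defaultdict(int)     # user -> denials seen during the current burst
    alerts = []
    for line in filter(str.strip, lines):
        t, user, event = parse_line(line)
        recent = prompts[user]
        while recent and (t - recent[0]).total_seconds() > window:
            recent.popleft()
        if not recent:
            denials[user] = 0      # earlier burst has aged out of the window
        if event == "push_sent":
            recent.append(t)
            if len(recent) == threshold:   # fire once, when the threshold is crossed
                alerts.append((user, "burst", t.isoformat()))
        elif event == "push_denied":
            denials[user] += 1
        elif event == "push_approved":
            if len(recent) >= threshold and denials[user] > 0:
                alerts.append((user, "approved_after_denials", t.isoformat()))
            denials[user] = 0
    return alerts
```

Running `detect_mfa_fatigue(SAMPLE_LOG.splitlines())` flags alice twice and bob not at all; the second alert kind is the one worth paging on, since it marks a prompt approved under pressure.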

Organizations can look to established security organizations for guidance. CISA has an October 2022 fact sheet for implementing phishing-resistant MFA that details MFA bypass threats, cybersecurity implementations, and resources.

MFA bypass targets human vulnerabilities. Security teams should focus on monitoring and safeguarding users and user access.

"The goal of an IT cybersecurity team has changed to protect the individual, especially those who are in C-level suites and have access to financial systems that can become a big payday for the hackers," concludes Mahna.


David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.

