Blog Post February 15, 2024

MFA Bypass Attacks: How to Keep 2FA Secure

By: Brittany Holmes, Corporate Communications Manager

One of the most widely recommended tactics to enhance security is the implementation of multi-factor authentication (MFA). MFA adds a layer of protection to user accounts, requiring more than just a username and password for access. However, as cybercriminals continue to evolve their tactics, they have found ways to bypass MFA, posing a significant threat to individuals and organizations.

For example, despite MFA being implemented, Microsoft reports that 28% of users are still being targeted. This serves as a wake-up call to organizations to understand MFA’s limitations and implement additional layers of protection to safeguard their digital assets.

This blog uncovers the basics of MFA, its strengths and weaknesses, top methods cybercriminals use to bypass MFA and solutions.

What is Multi-factor Authentication (MFA)?

MFA is a security measure that adds an extra layer of protection when accessing a system, application, or resource. It requires users to provide multiple forms of identification to verify their identity. With MFA, users must go beyond just providing a username and password to prove who they are. This helps address the weaknesses of using simple passwords or reusing them across different accounts.

One form of MFA is Two-Factor Authentication (2FA), which requires a second factor, such as a code sent to your phone or a fingerprint scan, to verify your identity. This additional step enhances security and ensures that only authorized individuals can access the account.

The Strengths and Weaknesses of MFA

MFA significantly reduces the risk of unauthorized access by requiring users to provide various forms of authentication, such as a password, a fingerprint, or a security token. This is especially important where data breaches and cyberattack attempts are increasingly common today.

For example, many online banking platforms now require users to input a one-time password sent to their cell phone number in addition to their regular login credentials. So, even if a cybercriminal gets ahold of a user’s password, they will still need physical access to the user’s mobile device to complete the authentication process. Similarly, popular email providers like M365 often use MFA to guard against unauthorized access to user’s accounts by requiring another form of authentication, such as a fingerprint scan or a verification code sent to a trusted device.

While MFA has proven to be an effective security measure in safeguarding sensitive information, it is important to acknowledge that cybercriminals continually adapt their strategies to bypass this system. Understanding the top methods used by these adversaries is vital in staying one step ahead in the relentless battle against cybersecurity threats.

Bypassing MFA: Top Methods Cybercriminals Use

Method #1: Phishing

Phishing has become a top method used for cybercriminals to bypass MFA and gain unauthorized access to user accounts. Cybercriminals set up fraudulent phishing websites that closely mimic the login pages from popular platforms like M365, PayPal, GitHub, and others.

To carry out this deception, they utilize tools such as EvilGinx, an open-source phishing framework. It comes with built-in “phishlets,” allowing cybercriminals to easily replicate the login pages of various websites. By hosting these phishing sites on custom domains and leveraging social engineering techniques, cybercriminals trick users into providing their login credentials and bypassing MFA.

Method #2: Social Engineering

Social engineering manipulates individuals into revealing sensitive information or performing actions that are not in their or their organization’s best interest. In the context of MFA, social engineering can be used to trick individuals into providing their MFA information, such as one-time passwords (OTPs) or biometric data.

A common method cybercriminals use is the impersonation of a trusted individual, such as a co-worker, customer support representative, or IT manager. The cybercriminal does this through phone calls, emails, and text messages to deceive the target into revealing their MFA information.

How to Strengthen MFA Security and Stay Protected

To protect against attacks like EvilGinx, it is important to implement additional security measures:

User awareness: Educate employees about the risks of phishing attacks and the importance of not clicking on suspicious links or entering credentials on untrusted websites through Security Awareness Training.

Secure session management: Implement mechanisms to protect session cookies, such as using secure cookies that are only transferred over encrypted connections (HTTPS) and regularly rotating session keys.
Behavior analysis: Implementing User Entity & Behavior Analytics (UEBA) detects abnormal behavior patterns, such as unusual login times or access from unfamiliar locations. For example, if a user typically logs in from a certain location or device and then suddenly attempts to log in from a different country or device, it could be a sign of a compromised session.

While MFA is a critical security measure, it is not foolproof. The goal is to make it more difficult for cybercriminals to gain unauthorized access, but determined and sophisticated adversaries can still find ways to compromise accounts. A cybersecurity strategy includes multiple layers of defense within your Security Operations Center, including MFA, regular security awareness training, threat monitoring, and incident response protocols.

Illuminate Threats, Eliminate Risks

Managed Detection and Response (MDR) providers play a crucial role in providing an extra layer of protection that organizations need in addition to MFA. MDR providers offer advanced threat detection and response capabilities, leveraging cutting-edge technologies to identify and respond to potential security threats. By continuously monitoring network traffic, endpoints, and user behavior, MDR providers can detect and mitigate threats that may bypass MFA, such as phishing attacks and social engineering.