We know we hype up multi-factor authentication, or MFA, quite a bit on this blog, and for good reason. When implemented correctly, it can be an effective deterrent for many cyberthreats out there. However, as they often do, hackers have found ways around MFA. Let’s take a look at how hackers find ways around MFA protection.
Why is MFA So Effective?
By far the most common way hackers gain access to accounts is through phishing schemes in which they convince users to willingly hand over information like passwords and usernames. Other times hackers might just guess some of the commonly used weak passwords and get lucky. In either case, using the secondary credential offered by MFA means that there is an additional level of security, effectively preventing hackers from accessing accounts. Or so we thought.
What’s Happening with Hackers and MFA?
Recent attacks detailed by Microsoft have shown that it is indeed possible for hackers to bypass multi-factor authentication protocols put into place by businesses. Note the word used—bypass—rather than breaking into. Hackers aren’t actually breaking through MFA; all they are doing is finding alternative ways around it.
It’s like taking a walk down a forest path only to find that a tree has fallen, blocking your way. Sure, you could waste half the day chopping away at it with an ax… or you could walk around it.
The most popular way of bypassing MFA is through the use of adversary-in-the-middle attacks in which the hacker uses a phishing attack in conjunction with a proxy server between the victim and the service they are logging into. The hacker is able to steal the password as well as the session cookie. The user gains access to their account with no reason to suspect they have been hacked, but they have in reality given piggybacked access to their account to the hacker.
Other Methods Used by Hackers to Work Around MFA
Of course, hackers can also use other methods to bypass multi-factor authentication, if they are willing to work hard enough. If the system uses SMS messages or email codes, and they have been able to convince the user to hand over these in addition to the other login methods, then they can effectively gain access to the account in the same way as if that secondary credential didn’t even exist.
Other methods hackers can use to bypass MFA include using trojans to spy on users or to take over devices used to authenticate a system. Ultimately, if the account’s login portal depends on something that the user knows, like a code, then it can inevitably be exploited by crafty criminals.
What’s the Best Approach?
We are of the mind that the best defense against hacking attacks is to educate people on how they work in tandem with appropriate security solutions. In this case, we certainly don’t recommend against implementing multi-factor authentication; in fact, we encourage it. However, you’ll only get so far with your technology solutions if you don’t take the time to teach your employees why they are important. We can help you implement the best enterprise-grade security solutions on the market, and coupled with comprehensive training and testing, your team will be prepared to handle just about any phishing attacks leveraged against them. To learn more about how we can help your business, contact us at (561) 708-5359.