Ever since Multi Factor Authentication (MFA) started gaining popularity as a means to limit the usefulness of stolen credentials, it was only a matter of time before attackers adapted to the new reality (as demanded by the Red Queen Effect).
In this article I look at common MFA methods that are not phishing resistant, as well as a recent attack that bypasses MFA.
Check the follow-up post for a different take on bypassing MFA and the resulting implications.
MFA Use Case
The initial driver for MFA can be described thusly:
- Users will re-use their passwords on multiple sites, and at least one of these sites will be compromised. This is statistically very likely. As a result, the user's password to our site will eventually be compromised.
- Even if the above does not happen, the user will fall victim to a phishing attack - hence, again, the user's password is compromised.
However, in both cases, if the user's account also requires MFA to login, the compromise impact is limited. The attacker can't do anything with the credentials - rather, they have to look for a way to bypass MFA. As at this point in history most accounts lacked MFA, the cost was just too high for the attacker.
The above is no longer the case. The prevalence of MFA means that it is often worth the attacker's time to try to bypass MFA.
MFA Methods Recap
The common MFA methods include the below - note, not all are supported by every platform.
| Method | Summary |
|---|---|
| SMS | SMS is sent to mobile on file; user must enter code |
| TOTP App | Code is generated by a mobile app or physical token; user must enter code |
| Call | User receives a phone call to their number and must press '#' |
| App Approval | User receives a mobile notification and must approve or deny access |
| FIDO2 | User has a physical token and must unlock and insert it (or have it as part of their device) - token will send the correct auth code if the correct website is visited |
MFA Smash and Grab
MFA "bypass" is defined here as the ability to login to a compromised account that requires MFA - just once.
Repeated access would of course require a repeated successful bypass, which is very inconvenient. Hence, an attacker would want to disable MFA outright or enable some way to bypass it, after the initial access.
The common bypass methods are noted below:
| MFA Method | Bypass Method |
|---|---|
| Call or Notification | Request Flood - bombard the user with calls/access notifications until they give up and approve so they get left alone |
| TOTP/SMS | Reverse proxy phishing page, capture the user's code as it is entered, redirect the user to a fake page |
| TOTP/SMS | Reverse Proxy phishing page, and forward the user's code as it is entered, complete the login, steal the user's cookie |
Note, the first two methods allow for a direct authenticated login from an attacker's device, however they require the attacker to act in real time before the MFA verification expires. Some users may get concerned that they approved access but didn't actually log in.
The last method actually completes a login session so the user is likely less concerned, and as the session cookie is valid for some time, the attacker is not required to act in real time.
Note that FIDO2 is not phishable by these methods as the token will only send the authentication codes to the correct website. Its security benefit is offset by limited support and the harder to manage problem of token loss.
An example of a recent attack that uses a reverse proxy to bypass MFA was recently posted on Dark Reading.
Honourable mentions
In addition to MFA bypasses noted above, some platforms have security design flaws in their MFA implementation. These can include:
- MFA deactivation on password reset by design. While great for the user, it completely subverts MFA.
- MFA recovery attacks: users will lose their MFA device and the provider needs to provide a way for the user to login without MFA.
- Number porting scam (a.k.a. SIM Swap) - social engineering a Telco to port the user's number to an attacker's SIM. This makes MFA the least secure MFA method as no other MFA method allows an attacker to remotely "steal" the MFA device.
Summary
MFA still makes the attacker's work more difficult and costly, and should be used for all users.
Some MFA methods are inherently insecure such as SMS, and should only be used if no other method is supported.
FIDO2 (most popular type being YubiKey) is phishing resistant - use it if you can.
App notification is susceptible to user overload - avoid it until newer versions address this problem.
TOTP App has its flaws but is by far the most supported MFA method without the more glaring security flaws of less secure methods.
In the follow-up post I'll continue this topic and look at some defenses against MFA bypass.