Can Hackers Beat Multi-Factor Authentication?
For the last few years, cybersecurity experts have urged businesses to adopt multi-factor authentication (MFA) as a defense against cyber threats. It is sound advice since MFA does make it harder for hackers to gain illicit access to protected systems. Harder — but not impossible.
It turns out there are many ways hackers can evade or compromise the authentication protection provided by MFA. Therefore, we are offering this guide to the common attack vectors used to defeat MFA. We’ll begin by discussing what MFA is, how hackers can compromise it, and actions business organizations can take to resist such attempts.
What is Multi-factor Authentication?
Multi-factor authentication refers to a means of controlling access to a digital system by requiring more than a single identifying point. In practice, this typically means requiring a user to enter a username and password combination, followed by a second identifier. The most common second factor in use today is a one-time password (OTP).
The OTP might come in the form of a time-limited PIN sent to a user’s cell phone via SMS. Alternatively, an authenticator app could generate a PIN based on a shared cryptographic secret. The idea is to verify that the user is who they claim to be by verifying that they are in possession of the smartphone or device registered with the MFA system.
There is an obvious flaw in the way that MFA adds extra security to a protected system. For example, what if a user loses their smartphone? If they have neglected to encrypt their device or to set up a locking mechanism, anyone who finds it could use it to hijack the connected accounts.
Unfortunately, that is not the only way that a hacker can potentially compromise a system protected by MFA. Here are some of their other methods of choice.
Phishing Attacks
According to the latest Verizon Data Breach Investigations Report for 2022, phishing attacks played a role in almost 20% of successful data breaches last year. It is important to note that those statistics came at a time when 56.8% of business organizations reported the use of MFA to protect their systems.
The fact is that phishing attacks are just as effective against MFA systems as they are against password-only authentication. The typical attack follows a predictable pattern. First, an attacker tricks a user into divulging their password via a false email or deceptive webpage. Then they inform the user that their password needs changing and that they’ll need to input an OTP to allow it to proceed.
In reality, the attacker has not initiated a password change. They’ve instead started the login process using the stolen password and tricked the user into giving them a valid OTP to proceed with their login. The result is that the attacker gains unfettered access to the targeted user’s account.
Man-in-the-Middle Attacks
Another way that hackers commonly break through MFA security is through the use of Man-in-the-Middle (MITM) attacks. In a MITM attack, the hacker begins by finding a way to infect a user’s device with malware that can monitor their behavior and the data traffic coming from the device. This is often done by tricking the user into downloading an infected app or visiting a compromised webpage.
Then, all the attacker needs to do is sit back and wait for the user to log in to a targeted system, which allows the attacker to intercept the user’s password and OTP code. By acting within the time limitations of the OTP, they can impersonate the legitimate user and gain access to the targeted system.
MITM attacks are fast becoming the method of choice for hackers seeking access to systems protected by MFA. Recent research revealed that more than 1,200 MITM toolkits exist in the wild, giving hackers countless options in their efforts. Worse still, a device compromised by a MITM toolkit gives a hacker complete access to everything on that device — possibly putting multiple protected systems at risk.
SIM Swap Attacks
Text message-based OTP systems make up a significant number of the MFA solutions businesses rely on. Unfortunately, they are easy prey for hackers. That is because it is easy to duplicate the Subscriber Identity Module (SIM) cards smartphones use to connect to cellular networks or convince the carrier to change the SIM card using social engineering.
This means an attacker can create a duplicate of a user’s cell phone, which can then receive every SMS message sent to the original. It is called a SIM swap attack, and it is quite effective against SMS-based OTP MFA systems.
This is one of the primary reasons that SMS OTP authentication is no longer recommended as an MFA standard by agencies like the US’s National Institute of Standards and Technology (NIST). According to their latest digital identity guidelines, organizations should already be moving away from SMS-based OTP authentication and toward other, less vulnerable MFA methods.
If MFA isn’t Safe, What is?
Given the vulnerabilities of MFA highlighted above, it is only natural to wonder if there is a suitable, secure alternative to it. The answer to that question — at least for right now — is no. There are, however, some MFA methods that aren’t as vulnerable as others.
One of the least-vulnerable types of MFA is the use of Universal Two-factor (U2F) hardware security keys. They are small hardware cryptographic devices that users can carry with them. Some communicate with other devices via NFC or Bluetooth connections, while others rely on one of the various flavors of USB. Some even include fingerprint scanners for an additional layer of security.
The benefit of U2F hardware security keys is that they are unphishable. There is no code for a user to divulge: the key signs a challenge that is bound to the website’s origin, so a response produced on a look-alike site is rejected by the real one. There is also no display that indicates which systems a given key can unlock. That means a lost key is not much of a security risk, since it is unlikely that anyone could identify its owner or what it is configured to access.
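To show why the origin binding above defeats the OTP-relay phishing flow described earlier, here is an added example (not code from the original article or from any FIDO library) of the checks a relying party performs on a U2F/WebAuthn login response before it even looks at the signature. The relying-party ID, expected origin and all sample values are constructed for illustration; real deployments verify the signature with the registered public key after these checks pass.

```python
import base64
import hashlib
import json

# Constructed sample values for the example (not from the article).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_authenticator_data(rp_id: str, counter: int) -> bytes:
    # Layout: rpIdHash (32 bytes) || flags (1 byte, UP bit set) || signCount (4 bytes).
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + counter.to_bytes(4, "big")


def make_client_data(origin: str, challenge: bytes) -> bytes:
    # The browser, not the user, fills in the origin it is actually talking to.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     issued_challenge: bytes, rp_id: str,
                     expected_origin: str) -> tuple[bool, str]:
    """Relying-party checks that make a relayed or phished response unusable."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != issued_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") != expected_origin:
        # A look-alike site cannot forge this: the browser writes its own origin.
        return False, f"origin mismatch: {cd.get('origin')}"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "ok"
```

A response obtained on a look-alike domain fails at the origin check even when the attacker relays the genuine challenge, which is the property the article calls unphishable.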
The Future of MFA
MFA isn’t foolproof, and businesses shouldn’t treat it as such. While it is better than a simple username-and-password authentication system, it only offers a small measure of additional protection. However, in the absence of a better solution, businesses would be well served by exploring the use of U2F hardware security keys. They are not as vulnerable to traditional MFA attack vectors, and therefore are the best MFA solution on the market today.
It is also prudent to continue watching developments in the authentication space. Multiple tech heavyweights such as Microsoft, Apple, and Google, are already hard at work designing a successor to today’s MFA technologies.
Of course, Outsource IT can help businesses stay on top of the latest cybersecurity threats. Our team of experts can provide advice on the best way forward, and even implement security solutions based on tried and proven IT best practices. Contact an Outsource IT account manager to find out how we help businesses secure their digital assets against today’s — and tomorrow’s — biggest threats.