16/05/2024

Multifactor Authentication: Great tool with some limitations

Great tool with some limitations Social engineering

Multifactor authentication (MFA) stands as a stalwart defence in today’s cybersecurity landscape. Yet, despite its efficacy, MFA is not impervious to exploitation. Recognizing the avenues through which hackers bypass these defences is crucial for fortifying cybersecurity measures. 

Advantages of MFA

Let us first reiterate where the good things about MFA really come into their own. Multi-factor authentication (MFA) offers several advantages over traditional single-factor authentication methods: 

  • Improved security: MFA adds an extra layer of security by requiring users to provide multiple forms of verification, typically something they know (like a password) and something they have (like a smartphone for receiving a verification code or a physical security token ). 

  • Reduced risk of unauthorized access: With MFA, even if a hacker manages to obtain a user's password, they would still need the additional factor (such as a code generated on a trusted device) to gain access. This makes it much harder for unauthorized individuals to breach accounts. 

  • Mitigation of credential theft: MFA helps mitigate the risk of credential theft through methods like phishing or brute-force attacks. Even if attackers acquire a user's password, they would still need the second factor to successfully authenticate. 

  • Compliance requirements: Many regulatory standards and industry best practices require organizations to implement MFA to enhance security and protect sensitive information. Adhering to these requirements helps organizations avoid penalties and maintain compliance. 

  • User-friendly: While additional steps may seem burdensome at first, many MFA implementations are designed with user convenience in mind. Methods such as push notifications or biometric authentication can provide a seamless and user-friendly experience while maintaining security. 

  • Adaptability and flexibility: MFA can be implemented across various platforms and devices, making it adaptable to different environments and user preferences. Whether accessing corporate networks, cloud services, or personal accounts, MFA can enhance security across the board. 

  • Early threat detection: Some advanced MFA systems incorporate behavioural analytics and anomaly detection. These features can help identify suspicious login attempts based on factors such as unusual device locations or access patterns, allowing organizations to respond to potential threats more quickly. 

Overall, MFA is an effective strategy for bolstering security in an increasingly digital and interconnected world, providing a critical defence against a wide range of cyber threats. Given those benefits if is suprising how little adaptation the technology has found across the board. 

Circumventing MFA

However, having sung its praise, we should also take close a look at where the limitations of this technologies lie. Attackers can bypass MFA with some tried and tested techniques. Sure, a 90 % success rate in thwarting attacks may sound like excellent news. Which it is. But this still leaves a significant room for exploitation, given the scale of cybercrime. Even if 90 out of 100 attacks end up fizzling out – that leaves 10 attacks that still succeed despite the boost in security.  
Here are several tactics cybercriminals employ to sidestep MFA: 

  • Brute Force: Though MFA mitigates traditional brute force attacks, the vulnerability lies in brute-forcing verification codes. Especially susceptible are MFA systems employing short, one-time passwords (OTPs), which contemporary cracking tools can decipher swiftly. 
  • Phishing remains a perennial favourite among hackers due to its effectiveness. By deceiving users into divulging sensitive information, including authentication details, hackers can circumvent MFA. Whether through fraudulent emails or imitation login pages, unsuspecting users unwittingly surrender their MFA codes. 
  • SIM Swapping: Leveraging SMS verification, hackers can compromise MFA by gaining access to users' mobile devices. Through SIM jacking, where spyware is installed via malicious texts, or SIM swapping, where hackers impersonate users to acquire a new SIM card, cybercriminals intercept SMS verification messages.  
  • The most problematic and effective, the MFA Fatigue attack: Exploiting MFA fatigue involves inundating users with successive push notifications, leading to inadvertent authentication approval out of frustration. Capitalizing on human fallibility, cybercriminals exploit users' tendency to err under pressure. Microsoft saw more than 382,000 attacks in 2022 due to MFA fatigue attacks. Also in 2023 and 2024 we didn’t see a lot of improvement. 
  • Session Hijacking: While less prevalent, session hijacking intercepts user activity via man-in-the-middle attacks, enabling hackers to pilfer session cookies containing MFA credentials. Despite these cookies auto-erasing upon logout, interception before termination grants hackers unfettered access. 

Enhancing MFA defences

  • Utilize Robust MFA Methods: Choose for stronger verification techniques such as biometrics or hardware-based MFA, which combines PINs with physical tokens. Hardware-based solutions, requiring both PINs and physical devices, offer heightened security, rendering simultaneous compromise improbable. 
  • Monitor/restrict login attempts: Employ mechanisms to monitor and curtail login attempts, including location-based verification and limited retry allowances. Vigilant oversight enables prompt detection of suspicious activities, pre-empting unauthorized access. 
  • Install time-based OTPs: Employ time restrictions on OTPs to thwart brute-force attacks. By limiting the validity period of OTPs, the window for exploitation is minimized, albeit not eliminated. 

Acknowledging Imperfections

While indispensable, MFA alone cannot guarantee impregnable security. If the authentication mechanism, however strong and well-designed it might be, is doing all the heavy lifting, then issues are going to crop up. Augmenting MFA with robust access controls is imperative to fortify organizational defenses against evolving cyber threats. 

Fight social engineering: Mitigate phishing threats through comprehensive employee training initiatives. Equipping staff with the skills to discern and report phishing attempts diminishes the efficacy of social engineering tactics. This is where a good cybersecurity training is able to truly shine. 

By comprehensively understanding MFA vulnerabilities and implementing proactive countermeasures, organizations can fortify their cybersecurity posture and safeguarding critical assets against malicious exploitation. The last word about MFA hasn’t been said. Let’s see how robust MFA will be against future attacks.