Top 7 MFA Bypass Techniques and How to Defend Against Them

Multi-factor authentication (MFA) is a fundamental component of best practices for account security. It is a universal method employed for both personal and corporate user accounts globally. Traditionally, this approach to authentication delivers a unique code to a user's email or phone, which is then inputted following the account password. But that is not the full story; there are numerous other variations of MFA that I will delve into in this article.

While MFA adds an extra security shield to accounts, deterring most cybercriminals, determined attackers can find ways to sidestep it. By understanding hackers' common techniques to circumvent MFA, you can better safeguard your account against their potential ploys.

Popular types of MFA

Again, multi-factor authentication serves as a supplementary layer of authentication, complementing the conventional use of a username and password when accessing an account. The verification process for MFA can be configured in a variety of ways to confirm account ownership, which can be tailored based on the system's requirements or user preferences.

SMS-based MFA

MFA via SMS (i.e., text messages) is an authentication method that entails users providing their phone numbers during their profile setup. Subsequently, for each login attempt (or the first for a new device), users are prompted to input a one-time verification code (also known as a One-Time Password or OTP). This code is sent directly to the user's phone via a text message.

Given the ubiquity of SMS-enabled mobile phones and the fact that no additional applications are needed for this method, it is likely the most prevalent authentication method. However, MFA via SMS is not without its issues. Challenges may arise when the network signal is unavailable, or the phone encounters performance problems.

Voice call authentication

This authentication method leverages the use of phone calls to the user's device. When accessing a mobile application, typically, the mere act of placing the call suffices for the application to automatically authorize the entry. However, some services have designed their MFA via phone call such that the user is required to pick up the incoming call, listen to a code read aloud by an automated system, and subsequently input this code into a provided form. Some variants of this authentication method necessitate entering the last three or six digits of the incoming phone call number.

MFA via email

Multi-factor authentication via email operates similarly to its SMS counterpart, but instead of receiving a one-time verification code via text message, it is sent to the user's registered email address. In some cases, instead of entering a code, the user is asked to click on a unique link that grants access to the account.

It is important to note that MFA via email requires an internet connection to retrieve the email. However, this is not a significant disadvantage given the prevalence of internet access in our modern world. What could be an issue, though, is the tendency for these emails to be classified as spam, making the authorization process potentially more time-consuming as the user has to sift through their spam folder to find the email.

Authentication apps

The Time-based One-Time Password (TOTP) verification system requires users to download a specific app, such as Google Authenticator, on their mobile device. When attempting to access a portal using a new device, users are instructed to launch the authentication app on their smartphones. This application generates a temporary, one-time code that is typically six to eight digits long and refreshes every 30 seconds. Once the user enters this code in the appropriate field, they gain access to their account.

Hardware MFA keys

This method utilizes physical devices for verification, such as a USB flash drive plugged into a computer, an NFC card, or a TOTP key fob that produces an authorization code every 30 or 60 seconds. Using hardware keys does not involve the need for an internet connection. This makes them one of the easiest and most secure MFA approaches. However, purchasing and maintaining such devices for each user may be expensive for businesses. Additionally, if the user must carry this key, there is also the added risk of it being lost.

Top 7 techniques to sidestep MFA

1. Social engineering

Social engineering represents a non-technical strategy where an attacker manipulates a victim into unintentionally revealing crucial information, such as a secret code. In cases where the attacker already possesses the victim's username and password, they might call or message the victim, spinning a convincing tale that persuades them to disclose their MFA code.

In other scenarios, the attacker may already have sufficient details about the victim needed to contact the targeted service's customer support desk posing as them. The criminal can impersonate the user, claiming their account is locked or there is an issue with their authentication application. If they are successful, the attacker can gain one-time access to the victim's account or, if they are particularly fortunate, reset and change the user's password entirely.

2. Abusing OAuth

OAuth protocol permits apps and services to retrieve user information on a restricted scale without the need to reveal the user's password. For instance, to log into an application, you might grant partial access to your Twitter or Facebook account. As such, the chosen application receives some degree of account authority; however, it does not retain any information associated with the user's passwords.

In a tactic known as Consent Phishing, a cybercriminal masquerades as a valid application with OAuth authorization and dispatches an access request. If the victim approves this access request, the attacker can act at will within the granted scope of access.

3. Brute-force attack

Some attackers opt for a brute-force method, mainly when dealing with outdated or inadequately protected hardware. For instance, some older TOTP key fobs only have four digits, making them substantially easier to crack.

A deterrent for hackers is the fact that the one-time codes generated by these key fobs have a limited validity period (typically 30 to 60 seconds). Consequently, attackers have a narrow window of opportunity to sift through the potential codes before they are refreshed.

4. Leveraging pre-generated tokens

Certain platforms offer users the option to generate MFA codes in advance. Take, for instance, Google's account security settings which allow you to download a list of backup codes intended for future use. This feature is typically utilized in scenarios where the authentication device is lost or inaccessible. However, should this list or even just one of the backup codes fall into the wrong hands, the attacker would have unimpeded access to the account, despite the active MFA.

5. Session hijacking

Session hijacking (or cookie theft) can allow attackers to access an account without requiring any knowledge of MFA codes or even passwords. When users visit a website, they do not need to input their password every time due to a session cookie stored in the browser. This cookie carries user information, maintains authentication, and tracks all activity within the session. As long as the user does not manually log out, these session cookies persist in the browser. Therefore, a potential attacker can manipulate this cookie to gain access to the user's account.

Cybercriminals use several methods to hijack accounts, including cross-site scripting attacks, malware deployment, etc. Moreover, crooks may use special rogue frameworks to execute man-in-the-middle (MITM) attacks. Utilizing such frameworks, the attacker sends a phishing link to the user, which reroutes them to the login page of a legitimate website, albeit through a malicious proxy. When a user logs into their account using MFA, hackers intercept their login credentials and the authentication code.

6. SIM swapping

A SIM swap attack involves a situation where perpetrators manage to obtain total control over the victim's mobile number. Criminals might gather a set of basic user data and impersonate the user at the cell phone service provider's store to obtain a new SIM card. Additionally, SIM swapping could occur through spy apps installed on the target's phone.

Gaining control over a user's phone number means the hacker can intercept one-time codes delivered via SMS. Given that this is the most commonly used MFA method, an attacker can potentially breach all of the victim's vital accounts sequentially and gain complete access to essential data.

7. Clickjacking

Clickjacking is a devious technique where an attacker tricks a user into unknowingly turning off their MFA protection. Using an infected device or rogue website, the attacker overlays an invisible iframe containing the MFA disabled interface with a harmless-looking button. When the unsuspecting user clicks on the harmless element, they are interacting with the hidden iframe, consequently disabling their MFA.

Securing MFA: enhanced measures

Even with the risks posed by hackers, multi-factor authentication remains a highly-recommended method for safeguarding online accounts. Here are some ways to fortify your MFA:

• Whenever possible, opt for using authenticator applications over standard SMS authentication. These apps offer enhanced security as they do not reveal the one-time code without granting full access to the smartphone.
• Always refrain from sharing one-time security codes with others.
• When possible, use lengthy security codes with more than six characters (provided the service supports such a configuration).
• Avoid using simple, easily guessable passwords. Instead, use a password generator and manage your passwords with a secure password manager.
• Avoid using the same password across multiple accounts.
• Regularly update your software.
• Consider using physical security keys as an alternative authentication method.
• Educate yourself about common social engineering tactics to prevent falling victim to such scams.

Organizations can take the following measures:

• Regularly educate your employees about MFA, its benefits, and the potential risks and attacks like social engineering, SIM-jacking, and phishing.
• Use the strongest form of MFA available, preferably a mixture of something the employee knows (password), something the employee has (authenticator app or security token), and something the employee is (biometric data).
• Implement security systems to monitor suspicious activity, such as multiple failed login attempts, unusual login times or locations, or multiple simultaneous logins.
• Use the principle of least privilege, giving employees only the access they need to perform their jobs.
• Have a secure process in place for resetting MFA if the second factor is lost.
• If an account gets compromised, have a clear response plan to mitigate the damage. This could involve immediately locking the account, investigating the breach, and informing the affected parties.

Despite the potential vulnerabilities and bypass methods discussed in this article, MFA remains a highly-effective strategy for securing accounts. By adhering to the guidelines shared above, you can minimize the likelihood of attackers compromising your account.