For a long time, multi-factor authentication (MFA) has been considered one of the best ways to protect an organization’s assets. So much so that in 2019, Microsoft released an article stating that MFA would prevent 99.9% of attacks on accounts.
Nowadays, while MFA is still a key aspect of cybersecurity for business as well as personal use, it is not the cure-all it once was. Bad actors have adapted their tactics and found ways to work around MFA security measures.
Why is MFA not Enough Anymore?
Multi-factor authentication uses a combination of multiple factors to assist with proving you are who you say you are. These factors include:
- Something you know – This is usually a password.
- Something you have – This can be using your phone to receive an SMS text, an authenticator app, etc.
- Something you are – This is usually a physical characteristic like a palm scan or a retina scan.
To have true multi-factor authentication, there must be at least two separate factors used in conjunction. For example, this might look like using a password alongside an authenticator app. In this scenario, a user would sign into their account with their username and password and then receive a prompt to either accept a push notification or enter a code to access the desired resources.
Recently, however, threat actors have adapted their tactics to work around the MFA workflow, meaning these standard MFA practices are no longer enough to protect users and their data.
What are Threat Actors Doing?
One of the tactics threat actors have been using is an AiTM framework, or an attacker-in-the-middle framework. Under this approach, the attacker inserts a fake landing page between the user and the legitimate application. For example, a phishing email directs the end user to a fake Office 365 landing page. When the user enters their credentials and accepts the push or enters the MFA code, the attacker captures both the credentials and the completed MFA response and can hijack the authenticated session.
Another tactic threat actors utilize is stealing session cookies from your browser. If you are authenticated to your email or other sensitive sites, the threat actor can use malware to steal your session cookies and gain access to your personal data. SIM-swapping attacks are also common. They take place when a threat actor social engineers your mobile carrier into transferring your phone number to a SIM card the attacker controls. From there, they can receive any MFA codes that are sent to your number via text message.
One of the more frequent attacks that Dean Dorton’s Cybersecurity team has observed among major corporations is “MFA fatigue”. This is when a threat actor gains access to your credentials, either through phishing or other means (data breaches, password guessing, etc.), and then repeatedly sends MFA push prompts to your device until you are worn down enough to accept one.
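The MFA fatigue pattern described above is visible in sign-in logs as a burst of push prompts to one user that are denied or left to time out, sometimes followed by a single approval. The following is an added example (not code from the article or from Dean Dorton) that flags that pattern. The log format, the sample lines, the ten-minute window and the threshold of three unaccepted prompts are all assumptions made for the example; a real deployment would read its identity provider's sign-in events instead.

```python
"""Flag possible MFA fatigue (push bombing) from sign-in logs.

Added example, not part of the original article. The log format is a
constructed, simplified one: "timestamp user result", where result is
approved, denied or timeout for one MFA push prompt.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): a burst of prompts to one
# user within a few minutes, mostly unaccepted, then one approval.
SAMPLE_LOG = """\
2024-01-10T08:00:05 alice denied
2024-01-10T08:00:40 alice denied
2024-01-10T08:01:12 alice timeout
2024-01-10T08:01:50 alice denied
2024-01-10T08:02:30 alice denied
2024-01-10T08:03:10 alice approved
2024-01-10T08:05:00 bob approved
2024-01-10T12:30:00 bob denied
2024-01-10T17:00:00 bob approved
"""

WINDOW = timedelta(minutes=10)  # assumption: prompts within 10 minutes count as one burst
THRESHOLD = 3                   # assumption: 3 or more unaccepted prompts in a burst is suspicious


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events


def find_push_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: (unaccepted_count, approved_after)} for every user whose
    denied/timed-out prompts inside a sliding window reach the threshold.
    approved_after is True when an approval landed within one window of the
    burst, which is the outcome the attacker is hoping for."""
    per_user = defaultdict(list)
    for ts, user, result in sorted(events):
        per_user[user].append((ts, result))

    flagged = {}
    for user, prompts in per_user.items():
        unaccepted = [ts for ts, r in prompts if r in ("denied", "timeout")]
        start, best, burst_end = 0, 0, None
        for end in range(len(unaccepted)):
            # Slide the window start forward until it fits inside `window`.
            while unaccepted[end] - unaccepted[start] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, burst_end = count, unaccepted[end]
        if best >= threshold:
            approved_after = any(
                r == "approved" and burst_end < ts <= burst_end + window
                for ts, r in prompts
            )
            flagged[user] = (best, approved_after)
    return flagged


if __name__ == "__main__":
    for user, (count, approved) in find_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {count} unaccepted pushes within {WINDOW}, approved afterwards: {approved}")
```

Running it flags only alice (five unaccepted prompts followed by an approval); bob's single denial hours away from his other sign-ins is normal behaviour. The approved-after flag is the case worth paging on, since it means the user may have given in.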
What Can We Do?
There are a few approaches you can take to further secure your MFA.
- Utilize more phish-resistant MFA methods. This could be a hardware token, such as a YubiKey, or an additional challenge added to the push notification based on risk. An example of this is Microsoft’s Number Challenges for high-risk sign-ins, in which, before authentication completes, the user must enter the number shown on their sign-in screen into their authenticator device.
- Avoid using text messages as an additional factor if possible. SIM swapping attacks can occur rather easily, and text messages are not a secure channel for MFA codes.
- Ensure all devices are protected with endpoint security software to avoid malware-based attacks.
- If you experience excessive MFA requests that you did not initiate, continue to deny them, change your password immediately, and, if your authenticator software offers the option, report the attempts as fraudulent.
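To show why the number challenge in the first recommendation blunts MFA fatigue, here is an added example (not code from the article, from Dean Dorton, or from Microsoft) that models a push prompt with and without number matching. The class names, the two-digit number and the verify method are assumptions made for the example; it covers only the unsolicited-push case, not an attacker-in-the-middle proxy that relays the displayed number.

```python
"""Push approval with and without number matching.

Added example, not from the article. It models the flow the article
describes: the sign-in screen shows a number, and the user must enter that
number in the authenticator app before the push is accepted. A blind
"approve" on a prompt the user never started cannot satisfy it.
"""
import secrets


class PushChallenge:
    """Server side of one push prompt. number_matching=False models a plain
    approve/deny push; True models the number-matching variant."""

    def __init__(self, number_matching):
        self.number_matching = number_matching
        # The number shown on the sign-in screen (two digits, an assumption).
        self.shown_number = secrets.randbelow(90) + 10 if number_matching else None

    def verify(self, approved, entered_number=None):
        """Return True if this prompt completes the sign-in."""
        if not approved:
            return False
        if not self.number_matching:
            return True  # plain push: tapping approve is enough
        return entered_number == self.shown_number


def legitimate_user(challenge):
    """The real user sees the number on their own sign-in screen and types it."""
    return challenge.verify(approved=True, entered_number=challenge.shown_number)


def fatigued_user(challenge):
    """A worn-down user taps approve on a prompt they did not start. They never
    saw a sign-in screen, so they have no number to enter."""
    return challenge.verify(approved=True, entered_number=None)


if __name__ == "__main__":
    for matching in (False, True):
        print(f"number matching={matching}: "
              f"legitimate={legitimate_user(PushChallenge(matching))}, "
              f"fatigued approve={fatigued_user(PushChallenge(matching))}")
```

With plain push, a tired tap on "approve" signs the attacker in; with number matching, the same tap fails because the only place the number appears is the attacker's screen, not the user's. This is also why the last recommendation still matters: number matching stops the blind approval, but the attacker holding the password is what made the prompts possible in the first place.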
If you have further questions and need assistance with evaluating your current MFA solution, please reach out to Dean Dorton’s Cybersecurity Experts today.