The security benefits of multifactor authentication (MFA) are well-known, yet MFA continues to be poorly, sporadically, and inconsistently implemented, vexing business security managers and their users. Often, MFA users have an extra workflow burden with the additional factors, one of many obstacles to their continued success.

And the frequent news stories that describe innovative ways to circumvent MFA don’t help either, such as recent news of a spear-phishing attack by North Korean-state sponsored group that targeted the Microsoft 365 installations of small businesses. In 2022, we saw Okta hit with a series of attacks that stole its GitHub source code to infect its supply chain, steal user credentials in two separate attacks, and compromise its support portal. Being an authentication vendor, and providing less-than-stellar transparency about what happened in each of these events, shows how hard it is to properly implement MFA.

But it isn’t all gloom and doom. MFA methods have gotten easier to use, thanks to the growth in popularity and sophistication of passwordless approaches. The post-pandemic diaspora — along with US President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity and MFA mandates in 2021 by Google for all of its employees, and most recently Microsoft for Azure sign-ins — have helped motivate IT operations to strengthen their authentication practice, and encourage comprehensive and continuous authentications across all applications. According to one survey, two thirds of ordinary users regularly employ MFA methods, and the proportion of administrators that protect their logins has risen to 90%.

A 2023 KnowBe4 survey of 2,600 IT professionals reveals significant differences in security practices between large organizations and small to mid-sized organizations. While only 38% of large organizations neglect to use MFA to secure their user accounts, 62% of small to mid-sized organizations do not implement any MFA.

Notable MFA threat modalities

Before we discuss the most common hacking techniques, let’s first mention a few of the more notable recent MFA failures. They typically fall into one of three common threat modalities:

1. MFA fatigue or push bombing involves sending numerous authorization requests, typically via SMS push messages, until a user just gives in and approves the request and grants access to an attacker, such as what happened to Uber in 2022. The irony is that the more MFA an organization uses, the more likely an MFA fatigue attack will succeed. Jennifer Golden of Cisco’s Duo wrote in a 2022 blog post “that we have reached a level with MFA where adversaries are incentivized to work around this control.”
2. Attackers also use a combination of social engineering and phishing attacks to disrupt the overall authentication workflow and trick users into giving up their MFA tokens. Changes in user behavior, such as more remote post-pandemic usage and events such as the Olympics, are often exploited by bad actors. Arctic Wolf wrote in a recent blog, “Using social engineering along with an MFA fatigue attack can be effective for threat actors, as it creates a false sense of trust.”
3. Targeting non-MFA users and applications with weak passwords is another common threat modality. While MFA adoption has improved, it still is far from universal, and attackers count on finding those unprotected places and users to target their efforts accordingly. As an example, a few years ago Akira ransomware threat actors were infiltrating organizations using Cisco VPNs that were not configured for MFA, where they could use brute force to obtain user credentials. Going back to the 2021 Colonial Pipeline attack, analysts found it was caused by compromising a single password used on a legacy VPN that wasn’t running any MFA. And perhaps the longest-living application in the poor password department is a feature found in Cisco’s network switches that continues to be exploited, despite warnings from the company that go back to this 2017 blog post.

Common MFA attack methods

While no treatment of MFA weaknesses can be complete, in general there are three categories of MFA attacks.

1. Poor mobile security. Mobile phones are an important gateway into a corporate network, and attackers make use of a variety of methods, such as SIM swaps. This is where an attacker can convince a customer service employee at a telecommunications provider that they are the legitimate phone owner and then use SMS to access authentication messages. There are other methods, such as attacks on the cellular provider networks themselves.
2. Compromised MFA authentication workflows. The average modern authentication workflow is complex: users can arrive at an application via a web portal, a smartphone app, or through an application program interface. They can connect via a variety of endpoints, through a local network or a VPN, running different operating systems. That all means testing out MFA has to take into account this grab bag of circumstances, and the opportunity for supply chain issues and man-in-the-middle or man-in-the-browser attacks that intercept the MFA codes loom large.
3. Compromised cookie attacks, such as pass-the-cookie and stolen session cookies. This happens because numerous websites don’t enforce session inactivity time limits, thereby giving attackers the ability to bypass MFA by using these stolen cookies. KnowBe4 has an extensive presentation slide deck that goes into further details.

Strategies to stop MFA attacks

Given all these exploits, MFA needs tender loving care and attention to detail to deliver the security goods. Certainly, there is no excuse for delivering subpar user experience, especially given the better toolsets available. Here are a few suggestions on ensuring your MFA strategy will be successful.

First, understand the resources you want to protect from compromise. “For example, cyber threat actors often target email systems, file servers, and remote access systems to gain access to an organization’s data, along with trying to compromise identity servers like Active Directory, which would allow them to create new accounts or take control of user accounts,” according to this CISA fact sheet.

CISA recommends that you consider systems that support FIDO protocols for the first recipients of MFA protection. This includes using hardware keys for the most sensitive applications. The FIDO Alliance has published a series of white papers on how enterprises can best implement these methods, and RSA has this deep dive on the subject that is worth reviewing too.

Next, all authentications should be risk-based and dynamically step up security requirements automatically based on what users are doing at any given moment. The old ways of using a single access control when a user logs in need to be replaced accordingly. There are a number of authentication products that couple MFA into their adaptive authentication processes.

A companion piece to this should be a careful assessment of access rights. IT security staff should “ensure employees only receive access to limited data needed to accomplish their job responsibilities,” writes Abnormal Security in a blog post. All too often, users are provisioned access without any subsequent auditing or reduction in these rights.

All these points should be part of an overall MFA workflow analysis, which really isn’t anything new. Gerhard Giese from Akamai points this out in a 2021 blog post, when he talks about how MFA doesn’t always prevent credential stuffing. He says IT managers need to “re-examine your authentication workflows and login screens to make sure an attacker cannot uncover valid credentials by interrogating the web server’s response and implement a bot management solution to make sure you are not making things easier for the bad guys.”

One aspect that seems to get historically neglected is the password reset process, which is why it is a common target of attackers. “Surprisingly, there are many websites that don’t have a second layer of verification for their 2FA reset password process, or, they offer MFA but do not enforce users to employ it,” says Mitnick Security in this blog post from April.  

Finally, you should assess and locate users who might be high-value targets. “Every organization has a small number of user accounts that have additional access or privileges, which are especially valuable to cyber threat actors,” wrote CISA in its report. Examples include IT and system administrators, staff attorneys and HR managers. Consider these groups for an initial rollout phase of your MFA project.

MFA technology should be a part of corporate security’s critical infrastructure. Recent attacks, as well as urging from experts across government and the private sector, should provide further impetus for intelligent implementations.