Is Multifactor Authentication (MFA) Living Up to Its Hype?

Multifactor authentication is becoming table stakes for cybersecurity—cyber insurers require it, enterprise security managers plan to spend more on it, and even though MFA can annoy users, most recognize it helps protect their accounts. Indeed, Microsoft says the two-step verification method can block more than 99.9% of attack attempts, and Google puts the success rate at 76% to 100%.

So, what’s not to like?

Well, as with most security countermeasures, hackers are increasingly finding devious ways to get around MFA.

Use benchmarking to compare how you rank against industry peers with a single, accurate, impact-based view of risk.

“Hackers will always adapt, and I’m not yet convinced MFA—even in the long term—will be the panacea that most people believe it will be,” says Roger Grimes, a cyberdefense analyst for KnowBe4, which provides security awareness training. “MFA is being sold as this very, very secure solution that will fix everyone’s hacking problems . . . and it’s simply not true.”

To be clear, experts like Grimes say MFA—requiring the username and password plus a temporary code or key sent to a user’s device—is still one of the most effective verification methods, and should be a part of any endpoint security strategy. And newer forms of MFA based on a framework called FIDO2 use cryptographic login credentials to minimize the risk of phishing, password theft, and replay attacks. What’s more, the framework makes it possible to use innovations like fingerprint readers, cameras, and security keys as part of the process.

But most organizations still rely on older SMS-based approaches—as in short message service, or text messaging—and these are the systems that hackers have been targeting with increasing success.

They’re doing this in a few ways, including: through social engineering; by capitalizing on flaws in the ways one-time codes are sent to users; and by leveraging dormant Microsoft accounts to gain access to public and private networks.

How MFA succumbs to social engineering

One of the more common tactics is known as an MFA fatigue attack. Also called MFA bombing, this exploit involves an attacker flooding an end user’s device with repeated prompts asking to approve a login attempt. It essentially works by catching someone off guard or by tricking them into believing they need to approve an authentication request.

Employees need to treat MFA authentication requests with a heightened level of suspicion [as if] someone were to come to the front door and ask for credit card information.

Last September, the infamous hacking group Lapsus$ used MFA bombing to breach the rideshare app Uber. Uber said the cybercriminals obtained VPN credentials from an external contractor, most likely buying them on the dark web, then repeatedly tried to log in to the user’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker was able to log in, Uber said. From there, the attacker accessed other employee accounts and gained elevated access to several tools, including G-Suite and Slack.

While the attacker was able to post messages to the companywide Slack channel, Uber said it didn’t believe the attackers accessed personal customer data or made changes to source code.

In a recent Beyond Identity survey, 62% of users said they’d endured an MFA bombing, and nearly one in 10 never regained access to an account that had been locked after these attacks. The report said the top five MFA account types hit with this tactic were banking (62%), Facebook (45%), Instagram (39%), cryptocurrency (36%), and Twitter (34%).

3 ways to defuse MFA fatigue attacks

To reduce the potential for a successful MFA attack, experts recommend a few steps:

1. Tighten MFA parameters: BeyondTrust recommends optimizing the configuration of your MFA authentication processes by: reducing the window of time between factor authentications; limiting the number of allowed unsuccessful access attempts during a certain timeframe; adding geolocation or biometric requirements; increasing the number of factors required for access; and flagging excess log-in attempts for a security analyst. Other experts suggest limiting or disabling MFA request push notifications.

[Read also: MFA may have its flaws, but it’s still better than passwords, which Bill Gates warned us about nearly 20 years ago]

2. Train your staff: Chris Prewitt, CISO of Inversion6, recommends ongoing training for your staff to ensure they know about the MFA fatigue attack exploit—and what to do about it.

“Employees need to treat MFA authentication requests with a heightened level of suspicion,” he says. “If someone were to come to the front door and ask for credit card information, most people wouldn’t give it. But online, we seem to be a little more open to clicking on things and sharing information we shouldn’t, which needs to change.”

3. Enforce least privilege: Another step is to restrict access rights for individuals, accounts, and machines to only what’s needed by that user. This way, MFA fatigue attacks struggle to gain broad access to accounts or data. They’re basically stopped near their points of entry.

MFA attacks that capitalize on SMS flaws

Another way hackers can get around MFA is by outsmarting the SMS one-time code approach itself.

No security, when done badly, is the answer.

Most experts agree that basing the second factor of MFA on SMS authentication isn’t that secure because hackers are pretty good at using spoofing and phishing to intercept and read SMS messages. They also use a social engineering scam called SIM swapping, where they gain personal information on you, contact your wireless provider, give them some phony story about a lost or stolen phone, and talk them into porting your old number to a new phone they control. Once done, they can intercept SMS messages, including MFA codes. There’s even a technique called “SMS smishing,” which is a phishing attack launched via text.

Grimes notes some MFA solutions have been getting better at countering phishing or smishing attempts and says “everyone should be using phishing-resistant MFA when they can to protect valuable data and systems.” But he warns, “at best, even good MFA only stops maybe 30% to 50% of today’s attacks.”

[Read also: There’s phishing, smishing, and now “vishing,” an on-the-rise form of assault in which brazen scammers try to trick you over the phone. Don’t fall for it]

For their part, Microsoft and other industry leaders urge companies to move away from telephone-based MFA, which they call “the least secure of the MFA methods available today,” and instead use security keys or authentication apps. Microsoft even announced plans to improve two-factor authentication in Windows 11 by adding a number to the second-factor code sent from its Microsoft Authenticator app. The feature is still being tested. Twitter has similarly notified people who don’t subscribe to its paid Twitter Blue service that it will stop sending texts with login codes after March 20. The company encouraged non-paying users to utilize free authentication apps or security key methods.

“I think this is a great step in the right direction,” says Prewitt. “SMS has been under attack for a long time.”

Using MFA to attack MFA? Meet the dormant account takeover

One of the sneakier ways hackers can get around MFA is by taking over dormant Microsoft accounts. Mandiant, a cybersecurity company, says it recently observed a trend where hackers, including the Russian espionage group APT29, take advantage of the self-enrollment process for MFA in Azure Active Directory and other platforms.

In one case, APT29 apparently conducted a password-guessing attack against a list of mailboxes they had somehow obtained. They successfully guessed a password to an account that had been set up but never used. Because it was dormant, Mandiant says Azure AD prompted APT29 to enroll in MFA, and once that happened, the hacking group was able to access VPN infrastructure that was using Azure AD for authentication and MFA.

[Read also: Business email compromise attacks are yet another (increasingly lucrative) way hackers are tricking employees into wiring them money]

To counter such exploits, Mandiant recommends ensuring all active accounts have at least one MFA device enrolled and working with your platform vendor to add additional verifications to the MFA enrollment process.

John Pescatore, director of emerging security trends for the SANS Institute, says most MFA bypass attacks like these have one thing in common: They rely on poorly implemented processes vs. directly compromising the MFA solution.

“No security, when done badly, is the answer,” he says. “But strong security controls like MFA, privilege management, application control and rapid patching, and penetration done by a skilled staff has enabled many companies to avoid major damage from cyberattacks—without impacting business.”