MFA Deep Dive

What is MFA and how are attackers getting around it?

The Weekend Byte is a weekly overview of the most important news and events in cybersecurity and AI, captured and analyzed by Jason Rebholz.

It’s a special edition of the WeekendByte today! Why? Because I’m writing this from the past. Ohhh, time travel, how fun! I’m taking a few weeks off to recharge, but I can’t leave you empty-handed this week.

So put down your pumpkin-spice-flavored whatever. We’re getting back to basics!

Today, we’re covering multi-factor authentication (MFA): what it is, what it isn’t, and, most importantly, how attackers bypass our favorite security control.

You won’t find my newsletter next weekend because I’ll be in recharge mode. Don’t worry, though. We’ll be back to our weekly schedule on October 19th. Until then, keep learning, nerds.

-Jason

Knowledge Deep Dive
What is Multi-Factor Authentication?

Let’s start with the basics. Multi-factor authentication (MFA) is an authentication method that requires a user to provide two or more verification factors to gain access to a resource, such as an online application or website.

The most common “factors” are:

  • Something you know: a password or a PIN

  • Something you have: your phone or a security key

  • Something you are: biometrics, like a fingerprint or your face

Traditionally, the first factor is the password for the user account. That is table stakes for any online account. The “multi-factor” part is where what most people think of as MFA lives: it’s the extra layer of authentication on top of the password.

The key here is that you need more than one kind of factor. If you use two things you know, it isn’t true MFA, at least not how it was intended. For example, if you have a password and a PIN, I think of that as 1.5FA. It’s better than just one thing you know, like a password, but it leaves a lot to be desired, because a crafty attacker can socially engineer you into giving up both things you know.

There are three prevalent types of MFA used today.

One-Time Password (OTP): Quite literally, it’s an additional password you use only once. This commonly appears as a text message or email containing a series of numbers you use as the OTP. In this form, the second factor is the phone or computer that receives the text or email.

Or, it comes in the form of an MFA application on your smartphone with a time-based one-time password (TOTP). This is a series of digits only valid for a predetermined time, usually 30 - 90 seconds. When the timer is up, it displays another TOTP valid for another 30 - 90 seconds. The rotating code is displayed on either a hardware dongle (like the old-school RSA tokens), a mobile application on your phone, or a password manager.

Push-based: Specific to MFA mobile applications, push-based MFA is meant to make users’ lives easier by just approving a login. When you log into an application, you are prompted on your phone to allow the authentication. The second factor here is your possession of your mobile device.

This can be paired with more security features. For example, it can include number matching. When you log into your application and are prompted for the second factor, it displays a number on the screen, which you have to either type or click on the mobile application. Additionally, some MFA applications can be configured to include information on where the login request is geographically coming from so you can spot unusual logins before you click approve.

FIDO-Based Authentication: Short for Fast Identity Online 2, FIDO2 is an open standard for authentication that uses public/private key cryptography. It relies on having a physical device to store the private key, which only you have (hence the other factor). The device could be a physical key (like a Yubikey), phone, or laptop.

This is considered the most secure method because the key pair you create when setting up MFA with an application is bound to that legitimate website’s domain.

For example, let’s say you set up your Gmail account with a Yubikey. A keypair is created that matches your Yubikey with the google.com domain and your user account. If an attacker tries to trick you into logging into a fake Gmail account on another domain, like gmails.com, you won’t be prompted for the Yubikey because you never set up a Yubikey with that website. The attacker might be able to get your password, but they wouldn’t be able to log in because they would need your Yubikey!
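The gmails.com scenario works because the credential is scoped to a relying-party ID (google.com) and every assertion the authenticator signs embeds a hash of that ID plus the browser’s view of the page origin. The browser refuses to use a google.com credential on gmails.com at all, and the server verifies the same binding as a backstop. The following is an added example, not code from the newsletter or from any FIDO library, of that server-side check with constructed data: a stored credential, a legitimate assertion, and one collected on a look-alike domain. The final step of a real verifier, checking the authenticator’s signature over `signed_payload` with the stored public key, needs an asymmetric-crypto library and is not included; the function returns the exact bytes that signature would cover.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredCredential:
    credential_id: str
    rp_id: str                 # relying-party domain the key pair was enrolled for
    allowed_origins: tuple     # browser origins the relying party accepts for that rp_id


def make_authenticator_data(rp_id: str, counter: int = 1, flags: int = 0x01) -> bytes:
    """Constructed authenticatorData: sha256(rpId) || flags || 32-bit signature counter.
    Flag bit 0 (user present) is set, as a real authenticator would after a touch."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def check_assertion(cred: StoredCredential, client_data_json: bytes,
                    authenticator_data: bytes, expected_challenge: str) -> dict:
    """Relying-party checks on a WebAuthn assertion (signature verification omitted)."""
    client_data = json.loads(client_data_json)
    checks = {
        "type": client_data.get("type") == "webauthn.get",
        "challenge": client_data.get("challenge") == expected_challenge,
        # The browser fills in origin; the server only accepts origins it owns.
        "origin": client_data.get("origin") in cred.allowed_origins,
        # First 32 bytes of authenticatorData must hash the rp_id the key was enrolled for.
        "rp_id_hash": authenticator_data[:32] == hashlib.sha256(cred.rp_id.encode()).digest(),
        "user_present": bool(authenticator_data[32] & 0x01),
    }
    # This is what the authenticator signed; a real verifier checks the signature over it.
    signed_payload = authenticator_data + hashlib.sha256(client_data_json).digest()
    return {"ok": all(checks.values()), "checks": checks, "signed_payload": signed_payload}


# Constructed credential record for the article's Gmail + Yubikey scenario.
GOOGLE_CRED = StoredCredential(
    credential_id="cred-0001",
    rp_id="google.com",
    allowed_origins=("https://google.com", "https://accounts.google.com"),
)
CHALLENGE = "constructed-challenge-123"


def legitimate_login() -> dict:
    cdj = json.dumps({"type": "webauthn.get", "challenge": CHALLENGE,
                      "origin": "https://accounts.google.com"}).encode()
    return check_assertion(GOOGLE_CRED, cdj, make_authenticator_data("google.com"), CHALLENGE)


def phished_login() -> dict:
    # An assertion produced on the look-alike page: the origin is wrong and, because the
    # browser scopes credentials to the page's own domain, so is the rpIdHash.
    cdj = json.dumps({"type": "webauthn.get", "challenge": CHALLENGE,
                      "origin": "https://gmails.com"}).encode()
    return check_assertion(GOOGLE_CRED, cdj, make_authenticator_data("gmails.com"), CHALLENGE)


if __name__ == "__main__":
    print("legitimate:", legitimate_login()["checks"])
    print("phished:   ", phished_login()["checks"])
```

Compare this with an OTP: a six-digit code carries no notion of which site it was typed into, so whoever collects it can replay it anywhere. The FIDO2 assertion carries the origin with it, and the server can tell the difference.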

Knowledge Deep Dive
MFA Bypass Attacks

Now that we know about the types of MFA, let’s talk about their weaknesses.

Let’s assume the attacker has already taken steps to steal your username and password, which is the first factor in a login. This is pretty easy these days with social engineering, whether it’s phishing or smishing. Or, for users who reuse passwords on multiple sites (shame), it’s not uncommon for those credentials to be leaked in other data breaches. Crafty attackers can snag those and skip to bypassing MFA.

Below are the most common MFA bypass attacks. I cover these in my YouTube video. If you like tacos or need a break from reading, check out a more visual representation of how these attacks work.

Social Engineering: Ask, and you shall receive. Attackers can trick you into giving up your OTP or TOTP. This can be as basic as someone calling you and talking you into reading out your code, or as automated as OTP bots that time a robocall to coincide with the attacker’s login attempt and have you type in your OTP.

In the case of the hack that took MGM Grand down, the attackers just called the help desk and impersonated an IT admin. They had the help desk reset the user’s password and the MFA on the account to an attacker-controlled device.

SIM Swap: This involves transferring your phone number to an attacker-controlled device, so it only impacts SMS MFA. It requires more work, so it’s often seen in more targeted attacks. It may involve an insider at a mobile carrier who switches the phone number for the attacker, or the attacker may use social engineering to trick mobile carrier employees into switching it.

After the attacker has control over your phone number, they can log into the application, and the OTP will be sent to their device because they now “own” your phone number.

This is the most common type of MFA bypass that Coinbase, a massive cryptocurrency exchange, observes with its users.

MFA Fatigue: This is specific to push-based authentication. An attacker logs into an online application with stolen credentials, and the legitimate user is prompted on their phone to allow the login. If the user accepts right away, the attacker wins. If the user doesn’t respond or clicks “no,” the attacker keeps logging into the application, prompting more MFA approval requests to the user. The hope is that the user will become annoyed and approve the request, allowing the attacker to finish authenticating to the online application.
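The good news about MFA fatigue is that it is noisy on the identity provider’s side: one user, many push prompts, most of them denied or timed out, then an approval. Here is an added example (my own, not the newsletter’s or any vendor’s) of detection logic over a constructed push-MFA event log. It raises one alert when a user has accumulated a threshold of unapproved prompts inside a sliding window, and a second, higher-priority alert if an approval arrives on the heels of that burst, which is the moment the attacker is actually in. The log format, field names, and the 3-prompts-in-10-minutes threshold are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an identity provider's push-MFA event log (not real data).
SAMPLE_LOG = """\
2024-10-05T02:10:01Z user=alice event=push_prompt result=denied src_ip=203.0.113.9
2024-10-05T02:10:40Z user=alice event=push_prompt result=timeout src_ip=203.0.113.9
2024-10-05T02:11:15Z user=alice event=push_prompt result=denied src_ip=203.0.113.9
2024-10-05T02:12:02Z user=bob event=push_prompt result=approved src_ip=198.51.100.4
2024-10-05T02:12:30Z user=alice event=push_prompt result=denied src_ip=203.0.113.9
2024-10-05T02:13:05Z user=alice event=push_prompt result=approved src_ip=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) src_ip=(?P<ip>\S+)$"
)


def parse_line(line: str):
    """Parse one key=value log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_push_fatigue(lines, threshold: int = 3, window: timedelta = timedelta(minutes=10)):
    """Sliding-window count of unapproved push prompts per user.

    Emits 'push_bombing' once the count reaches `threshold` and
    'approved_after_push_bombing' if an approval follows such a burst.
    """
    recent = defaultdict(deque)   # user -> timestamps of unapproved prompts inside the window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["event"] != "push_prompt":
            continue
        q = recent[ev["user"]]
        while q and ev["ts"] - q[0] > window:         # drop prompts older than the window
            q.popleft()
        if ev["result"] == "approved":
            if len(q) >= threshold:
                alerts.append({"rule": "approved_after_push_bombing", "severity": "high",
                               "user": ev["user"], "ts": ev["ts"],
                               "prior_unapproved": len(q), "src_ip": ev["ip"]})
            q.clear()                                  # an approval ends the burst
        else:
            q.append(ev["ts"])
            if len(q) == threshold:                    # fire once as the threshold is crossed
                alerts.append({"rule": "push_bombing", "severity": "medium",
                               "user": ev["user"], "ts": ev["ts"],
                               "prior_unapproved": len(q), "src_ip": ev["ip"]})
    return alerts


def run_sample():
    return detect_push_fatigue(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The `src_ip` field is carried through because the response to the high-severity alert is usually to revoke the session that approval created and to block or step up the source, and number matching (described above) removes the attack’s premise entirely, since a user who is not logging in cannot see the number to type.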

Attacker-in-the-Middle (AiTM): This is just another form of social engineering. It relies on phishing to trick users into logging into what they think is a legitimate application. It works like this:

  1. The user receives an email prompting them to log into Microsoft 365. The login page is a phishing website that looks identical to the Microsoft 365 login.

  2. The user types their username and password into the login prompt. The phishing site forwards that to the legitimate Microsoft 365 service to initiate the MFA prompt.

  3. If the MFA prompt uses an OTP, the user is prompted for it and then types it in, which the phishing website again forwards to the legitimate Microsoft 365 to complete the login.

  4. If the MFA prompt is a push-based login, the user is prompted on their device, which allows the login.

  5. After the successful login, Microsoft 365 returns a session cookie that the attacker steals. This session cookie is like a hall pass telling Microsoft 365 that the user is already authenticated and can access resources.

  6. The attacker inserts the session cookie into their browser and can now impersonate the user.

This is automated through phishing kits, making it easy for the attacker to execute. FIDO2 MFA is the only thing that won’t be impacted here, because your credential is tied to the legitimate website’s domain rather than to the attacker’s phishing page.

Malware: When a user authenticates to a legitimate application, the session cookie referenced above is stored in their browser. Depending on how long that session cookie is good for (usually a long time…just think about the last time you had to log into your email account), all an attacker has to do is steal it.

Infostealers specialize in stealing passwords and session cookies. If you inadvertently infect your system with an infostealer, that session cookie is vacuumed up and sent to the attacker, who can insert that into their browser and access the application as you.

This type of attack impacts all MFA types, so not even FIDO2 MFA can stop this one.
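Both the AiTM flow above and infostealer theft end the same way: a session cookie issued to the victim’s browser is used from somewhere else. That gives defenders a hook that does not depend on the MFA type. Here is an added example, not from the newsletter, of detection logic over a constructed web-application access log that records the session identifier, source IP and user agent of each request. It flags a session whose later requests arrive from a different IP and a different browser than the one the session was issued to, and scores a change of IP alone lower, since mobile users roam between networks. The log format, field names and scoring are this example’s assumptions.

```python
import re
from datetime import datetime

# Constructed sample of an application access log (not real data). Session s1 is issued to
# alice's Chrome browser and then reused from another address with a different browser;
# session s2 only changes IP, which is what a phone moving between Wi-Fi and cellular looks like.
SAMPLE_ACCESS_LOG = """\
2024-10-05T09:00:00Z session=s1 user=alice src_ip=198.51.100.4 ua=Chrome/129 path=/mail
2024-10-05T09:05:00Z session=s1 user=alice src_ip=198.51.100.4 ua=Chrome/129 path=/inbox
2024-10-05T09:07:00Z session=s1 user=alice src_ip=203.0.113.77 ua=Firefox/130 path=/settings
2024-10-05T09:10:00Z session=s2 user=bob src_ip=192.0.2.10 ua=Chrome/129 path=/mail
2024-10-05T09:12:00Z session=s2 user=bob src_ip=192.0.2.11 ua=Chrome/129 path=/inbox
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
    r"src_ip=(?P<ip>\S+) ua=(?P<ua>\S+) path=(?P<path>\S+)$"
)


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_session_reuse(lines):
    """Compare every request against the client fingerprint recorded at the session's first use.

    Returns one alert per request whose IP or user agent differs from that fingerprint:
    'high' when both differ (the stolen-cookie pattern), 'low' when only the IP differs.
    """
    first_seen = {}   # session id -> (src_ip, user_agent) at first request
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        key = ev["session"]
        if key not in first_seen:
            first_seen[key] = (ev["ip"], ev["ua"])
            continue
        ip0, ua0 = first_seen[key]
        ip_changed = ev["ip"] != ip0
        ua_changed = ev["ua"] != ua0
        if not (ip_changed or ua_changed):
            continue
        alerts.append({
            "session": key,
            "user": ev["user"],
            "ts": ev["ts"],
            "severity": "high" if ip_changed and ua_changed else "low",
            "issued_to": {"src_ip": ip0, "ua": ua0},
            "used_from": {"src_ip": ev["ip"], "ua": ev["ua"]},
            "path": ev["path"],
        })
    return alerts


def run_sample():
    return detect_session_reuse(SAMPLE_ACCESS_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The cheap mitigations follow directly from the detection: shorter session lifetimes limit how long a stolen cookie is useful, and a high-severity hit is a signal to revoke that session and force a fresh login rather than to wait for the user to notice.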

Knowledge Deep Dive
The Best MFA Out There

What’s a person to do with all these MFA bypass attacks? You’ll notice that FIDO2 authentication only appeared in that list once. And for good reason! It’s the strongest form of MFA available today. So you should use it!

Using FIDO2 MFA is becoming more accessible today with the adoption of passkeys. You can learn more about passkeys in this video I created.

If you want to set up passkeys on your Google account, I explain how in this video.

Security News
What Else is Happening?

We’ll be back to our regularly scheduled programming on October 19th.

If you enjoyed this, forward it to a fellow cyber nerd.

If you’re that fellow cyber nerd, subscribe here.

See you next week, nerd!
