Multifactor authentication (MFA) is one of the most popular and effective cybersecurity measures in use today. However, as strong as these defenses are, they’re not perfect. Hackers can bypass MFA in several ways, so it’s important to recognize these weaknesses to protect against them. 5 Ways Hackers Bypass MFA Some security experts claim MFA can stop , but that may make users feel more secure than they really are. Even if that figure’s accurate, 10% leaves much room when considering cybercrime's sheer scale. Here are some ways cybercriminals can get past MFA. 80%-90% of cyberattacks 1. Phishing Unsurprisingly, phishing is one of the most popular ways to get around MFA. As the , phishing is a relatively easy and effective way to obtain sensitive information, including authenticators people use. most successful hacking technique Cybercriminals can trick users into giving away their verification emails and other credentials in the same way phishing gets them to reveal passwords. In other cases, hackers set up fake websites or proxy servers that look like legitimate login pages. Users unknowingly show cybercriminals all that information when they enter their details — including their MFA codes. 2. MFA Fatigue MFA fatigue is another common method. These attacks target MFA systems using push notifications. Criminals will try to log in several times in a short period, bombarding the user with messages asking them to verify the login attempt. Eventually, administrators will accidentally hit the authentication button or allow it out of frustration. People make mistakes and get frustrated easily, so if cybercriminals send enough requests in a short enough time frame, they’ll likely succeed. This combination of simplicity and effectiveness is why Microsoft saw more than in August 2022. 40,000 MFA fatigue attacks 3. SIM Jacking or Swapping Many MFA systems use SMS verification, and hackers can bypass MFA by accessing the user’s mobile device. There are two main methods for this: SIM jacking and SIM swapping. In SIM jacking, cybercriminals install spyware on a target’s phone, often delivering it through a malicious text message. They can then watch the user punch in their MFA details when they log into an account. SIM swapping involves contacting the target’s mobile providers to impersonate the user and get them to send them a new SIM card, which the hackers can use to get SMS verification messages. 4. Session Hijacking Session hijacking is a less common but still effective technique. In these attacks, cybercriminals intercept a user’s internet activity through a man-in-the-middle attack. Once they’ve taken advantage of an unsecured connection, they can steal the session cookies. Session cookies temporarily store activity — including any MFA credentials people enter — as long as the user is logged in. Once they close the browser, these cookies automatically erase themselves, but if hackers intercept them before the session ends, that doesn’t matter. The criminals will get all the information they need. 5. Brute Force Hackers can also brute force their way through some MFA systems. MFA makes most of these attacks less effective because even if a cybercriminal cracks a user’s password, they’d need another verification step to get in. However, they can also brute force the verification code. Some MFA systems send users a four-digit PIN to verify their identity. Today’s password-cracking tools can break a four-digit code instantly, even if it uses a combination of numbers and letters. Consequently, if an MFA system relies on one-time passwords (OTPs), especially short ones, it’s vulnerable to brute forcing. How to Protect Against These Threats Thankfully, there are ways to make MFA systems stronger. Once businesses know how hackers can bypass MFA solutions, they can take steps to protect against these attacks. Use the Right Kind of MFA One of the most important steps is to use a stronger verification method. SIM-based OTPs and push notifications are vulnerable to SIM jacking and MFA fatigue, so they’re not ideal. Biometrics, location-based verification and techniques that combine several factors are more secure. Hardware-based MFA is one of the most secure options. These use a combination of PINs and a physical device that plugs into a USB port, and users to verify their identity. It’s doubtful that a hacker could access both, so this strategy is ideal for sensitive applications. need both the PIN and card Use Time-Based OTPs It’s also a good idea to put time limits on OTPs. Some MFA systems only accept OTPs , and any attempts after that need a new code. Using time restrictions like this leaves hackers with a much smaller window to perform brute-force attacks or use information gained through phishing. within 30 to 90 seconds Remember that time-based OTPs still aren’t perfect. Hackers that are quick enough can work around them. However, they make it much harder, so it’s best to enable these restrictions if available. Restrict and Monitor Login Attempts Businesses can restrict MFA attempts in other ways, too. Some use location data to check if users are in a place they normally access their accounts, like their home or work. Anything outside of these regular locations triggers further verification steps. Users should also have a limited number of login attempts. Only letting people try two or three times before locking the account will prevent brute-force and MFA fatigue attacks. Organizations should monitor these attempts to find suspicious activity and send alerts if necessary. Train Against Social Engineering Anti-phishing training is another important step in preventing MFA bypasses. A whopping result from human error, so social engineering is one of the biggest threats to MFA. However, if employees can spot these attempts, they’re not as threatening. 82% of data breaches All workers should receive thorough and regular training on phishing techniques and how to spot them. The more aware insiders are, the less likely they will fall for these attacks. Multifactor Authentication Is Important but Incomplete MFA is a crucial security step, especially considering how common poor password management is. However, it’s not sufficient by itself. Hackers can still get around MFA, so businesses must consider improving their other access controls to minimize the chances of a breach. These steps will bolster MFA’s protection, ensuring only verified insiders can access sensitive information.

The is an opinion piece based on the author’s POV and does not necessarily reflect the views of HackerNoon.

Walkthroughs, tutorials, guides, and tips. This story will teach you how to do something new or how to do something better.

How Hackers Bypass Multifactor Authentication

Too Long; Didn't Read

Zac Amos

STORY’S CREDIBILITY

Opinion piece / Thought Leadership

Guide

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...