Multifactor authentication (MFA) is one of the most popular and effective cybersecurity measures in use today. However, as strong as these defenses are, they’re not perfect. Hackers can bypass MFA in several ways, so it’s important to recognize these weaknesses to protect against them.
5 Ways Hackers Bypass MFA
Some security experts claim MFA can stop
1. Phishing
Unsurprisingly, phishing is one of the most popular ways to get around MFA. As the
Cybercriminals can trick users into giving away their verification emails and other credentials in the same way phishing gets them to reveal passwords. In other cases, hackers set up fake websites or proxy servers that look like legitimate login pages. Users unknowingly show cybercriminals all that information when they enter their details — including their MFA codes.
2. MFA Fatigue
MFA fatigue is another common method. These attacks target MFA systems using push notifications. Criminals will try to log in several times in a short period, bombarding the user with messages asking them to verify the login attempt. Eventually, administrators will accidentally hit the authentication button or allow it out of frustration.
People make mistakes and get frustrated easily, so if cybercriminals send enough requests in a short enough time frame, they’ll likely succeed. This combination of simplicity and effectiveness is why Microsoft saw more than
3. SIM Jacking or Swapping
Many MFA systems use SMS verification, and hackers can bypass MFA by accessing the user’s mobile device. There are two main methods for this: SIM jacking and SIM swapping.
In SIM jacking, cybercriminals install spyware on a target’s phone, often delivering it through a malicious text message. They can then watch the user punch in their MFA details when they log into an account. SIM swapping involves contacting the target’s mobile providers to impersonate the user and get them to send them a new SIM card, which the hackers can use to get SMS verification messages.
4. Session Hijacking
Session hijacking is a less common but still effective technique. In these attacks, cybercriminals intercept a user’s internet activity through a man-in-the-middle attack. Once they’ve taken advantage of an unsecured connection, they can steal the session cookies.
Session cookies temporarily store activity — including any MFA credentials people enter — as long as the user is logged in. Once they close the browser, these cookies automatically erase themselves, but if hackers intercept them before the session ends, that doesn’t matter. The criminals will get all the information they need.
5. Brute Force
Hackers can also brute force their way through some MFA systems. MFA makes most of these attacks less effective because even if a cybercriminal cracks a user’s password, they’d need another verification step to get in. However, they can also brute force the verification code.
Some MFA systems send users a four-digit PIN to verify their identity. Today’s password-cracking tools can break a four-digit code instantly, even if it uses a combination of numbers and letters. Consequently, if an MFA system relies on one-time passwords (OTPs), especially short ones, it’s vulnerable to brute forcing.
How to Protect Against These Threats
Thankfully, there are ways to make MFA systems stronger. Once businesses know how hackers can bypass MFA solutions, they can take steps to protect against these attacks.
Use the Right Kind of MFA
One of the most important steps is to use a stronger verification method. SIM-based OTPs and push notifications are vulnerable to SIM jacking and MFA fatigue, so they’re not ideal. Biometrics, location-based verification and techniques that combine several factors are more secure.
Hardware-based MFA is one of the most secure options. These use a combination of PINs and a physical device that plugs into a USB port, and users
Use Time-Based OTPs
It’s also a good idea to put time limits on OTPs. Some MFA systems only accept OTPs
Remember that time-based OTPs still aren’t perfect. Hackers that are quick enough can work around them. However, they make it much harder, so it’s best to enable these restrictions if available.
Restrict and Monitor Login Attempts
Businesses can restrict MFA attempts in other ways, too. Some use location data to check if users are in a place they normally access their accounts, like their home or work. Anything outside of these regular locations triggers further verification steps.
Users should also have a limited number of login attempts. Only letting people try two or three times before locking the account will prevent brute-force and MFA fatigue attacks. Organizations should monitor these attempts to find suspicious activity and send alerts if necessary.
Train Against Social Engineering
Anti-phishing training is another important step in preventing MFA bypasses. A whopping
All workers should receive thorough and regular training on phishing techniques and how to spot them. The more aware insiders are, the less likely they will fall for these attacks.
Multifactor Authentication Is Important but Incomplete
MFA is a crucial security step, especially considering how common poor password management is. However, it’s not sufficient by itself.
Hackers can still get around MFA, so businesses must consider improving their other access controls to minimize the chances of a breach. These steps will bolster MFA’s protection, ensuring only verified insiders can access sensitive information.