Multi-Factor Authentication (MFA) significantly strengthens security for businesses and individuals by adding extra layers of verification before granting access to accounts or devices. Instead of relying on just one factor like a password, MFA requires two or more factors. This makes it much harder for attackers to gain unauthorized access. Research suggests that implementing MFA can prevent 99.9% of account attacks.
MFA factors that may be used:
- Something you know: Such as a password or PIN.
- Something you have: Like a smart card, certificate, security token, or mobile device.
- Something you are: Biometric data such as fingerprints, facial recognition, or retina scans.
- Somewhere you are: Verification based on the user’s location or IP address.
- Something you do: Behavioral factors like typing patterns or mouse movements.
CMMC Practices related to Multi Factor Authentication (MFA) and Preventing MFA Bypass
NIST SP 800-171 requires multifactor authentication for both local and network access to privileged accounts and for network access to non-privileged accounts. This approach significantly raises the bar for individuals trying to gain access to these accounts.
Implementing Replay Resistant Authentication Mechanisms
To further enhance network security, NIST SP 800-171 also requires authentication mechanisms that resist replay attacks. Such mechanisms make it very difficult for an attacker to gain access by intercepting an authentication exchange and replaying it later. Examples include challenge-based protocols and time-based one-time authenticators, where a captured response is useless outside the challenge or time window it was generated for.
Password Security Measures
Recognizing the significance of safeguarding passwords from cyber threats, NIST SP 800-171 incorporates password-related guidelines such as:
- Password Complexity and Changes: NIST SP 800-171 requires companies to ensure passwords are strong and changed regularly. This makes it harder for unauthorized people to guess or crack them.
- No Password Recycling: Companies must prevent password reuse. This stops hackers from using old, compromised passwords. Users shouldn’t recycle their passwords within a certain period, making it harder for attackers to gain access.
- Encrypting Passwords: Passwords should always be encrypted when stored or transmitted. This prevents unauthorized access and ensures passwords are safe during transmission and storage.
Restricting Failed Login Attempts
Limit unsuccessful login attempts to thwart brute-force attacks. Establish a method for restricting these attempts, typically an account lockout after a specified number of failed tries, with the lockout duration determined by the organization.
Least Privilege
The Principle of Least Privilege underscores the importance of granting only the access rights needed, for both security functions and privileged accounts. Organizations should restrict user and process access rights to the resources and functions required for their authorized tasks. By minimizing access privileges, the potential harm from compromised credentials is significantly reduced.
Preventing Execution of Privileged Functions
The unauthorized execution of privileged functions, whether intentional or unintentional, poses a significant security risk. To tackle this issue, organizations must put in place measures to prevent unauthorized users from carrying out these sensitive functions. Log privileged activity in audit records to facilitate the detection of, and response to, suspicious activity. This provides a layer of security and traceability even if MFA is circumvented.
Common MFA Bypass Techniques
As with all things, attackers have developed methods to bypass these security measures. Here are some common MFA bypass techniques:
Prompt Bombing (MFA Fatigue)
Attackers attempt repeated logins to a targeted user’s account after stealing their username and password. This bombards the user with login verification requests, often through push notifications or SMS messages. The goal is to frustrate or overwhelm the user into accidentally or intentionally approving the login request, granting the attacker access. For example, attackers breached Uber’s internal systems by overwhelming an employee with MFA push notifications and then contacting them through WhatsApp, posing as IT support. Prompt bombing is a form of social engineering that preys on human behavior and bypasses the technical aspects of MFA. While MFA adds an extra layer of security, it often relies on user interaction, which can be manipulated by attackers. This highlights a key weakness of MFA: its dependence on user awareness and vigilance.
Token Theft
Cybercriminals employ this technique to steal session cookies, which websites use to track user login sessions. By obtaining these cookies, attackers can insert themselves into a user’s session, tricking the browser into believing they are the legitimate user.
Machine-in-the-Middle Attacks
This phishing attack involves a malicious proxy server that intercepts network traffic between the user’s computer and the intended web server. This enables the attacker to capture user data, including credentials and MFA session cookies, effectively bypassing MFA. Attackers can lure victims to this proxy server using a malicious link disguised as a legitimate one.
Legacy Authentication
This method works with older mail protocols such as IMAP4, POP3, and SMTP, as well as older Outlook and mobile clients that do not support MFA. If an attacker obtains credentials, they can use legacy authentication to sign into an M365 email account, even if the account has MFA enabled. Phishing campaigns or credentials purchased on the dark web can provide attackers with the necessary information to exploit legacy authentication and gain access.
SIM Swapping
Attackers use social engineering to convince mobile carriers to transfer a victim’s phone number to a new SIM card, enabling them to intercept SMS-based MFA codes.
Reverse Proxy Tools
Tools like Evilginx2 and Modlishka intercept MFA tokens in real time by acting as a man-in-the-middle during the authentication process. Attackers set up these kits, which are readily available and easy to find, on a compromised web server or direct victims to a mirrored website. When the user enters their login credentials on the fake website, the attacker intercepts this information before sending the user to the legitimate site.
Wireless Guest Network Abuse
Attackers connect to a company’s wireless guest network, which may have the same IP address range as the corporate network. This allows them to exploit configurations where MFA is bypassed for trusted IP addresses, such as those within corporate offices. As a result, attackers can gain unauthorized access to M365 accounts without needing to overcome MFA, even if it’s enabled for external connections.
Exploiting Third-Party MFA Application Providers
In cases where organizations use third-party MFA solutions integrated with Azure Active Directory, attackers target vulnerabilities within these external systems. For example, if an attacker compromises an administrator account with access to the Azure portal, they might be able to disable MFA for other user accounts or modify Conditional Access Policies to bypass MFA requirements. This enables them to target additional accounts within the organization, escalating their privileges and increasing the potential impact of the attack.
Strengthening MFA Implementation
To enhance security measures and mitigate the risk of MFA bypass attacks, organizations can implement the following strategies:
- Set Push Notification Limits: Placing limits on the number of allowed MFA push notifications can reduce the effectiveness of fatigue attacks. Some experts even advise completely disabling MFA push requests. This forces users to manually open their authenticator apps, adding another layer of security.
- Enable Number Matching: This feature displays a code in the user’s browser that they must then enter into their mobile device to authenticate. This makes it more difficult for attackers to compromise accounts, even if they possess stolen user credentials.
Number Matching Explained
Number matching is a security feature designed to prevent unauthorized access to accounts, even if the user’s credentials have been compromised.
This feature is offered by several MFA providers, including Duo (Verified Push), Okta, and Microsoft.
Here’s how it works:
- Users are presented with a code in their web browser when logging in.
- The user must then manually input this code into their mobile authenticator app to complete the authentication process.
This method is effective because it makes it much harder for malicious actors to gain access. Even if an attacker manages to steal a user’s credentials, they would still need to contact the user and convince them to share the code. This direct interaction should ideally raise red flags for the user and prevent the attack from succeeding.
Additional Security Controls to Enhance MFA and Limit Attacker Success
These measures can enhance the overall effectiveness of MFA and provide a layered security approach that makes it more difficult for attackers to succeed even if they manage to bypass the initial MFA challenge.
- Enforce Secure Password Reset Procedures: Ensure a smooth and secure password reset process is in place to allow users to easily change their passwords, especially in remote work environments.
- Restrict Remote Access Privileges: Minimize the number of users with remote access privileges, applying the principle of least privilege. Administrative and service accounts should have limited remote access to minimize potential attack vectors.
- Implement Awareness Training: Educating users about security hygiene and the risks of compromised accounts can significantly reduce the likelihood of falling victim to MFA bypass attempts.
- Consider FIDO Hardware Security Keys: Employing hardware tokens, such as Yubico’s YubiKey, can significantly bolster MFA security. This method relies on public key cryptography and WebAuthn, replacing password logins with a more secure alternative. Additionally, storing session tokens locally on devices instead of web browsers mitigates the risk of token theft.
- Regularly Audit and Monitor Access Logs and Activities: Continuously monitor Azure sign-in logs for any login attempts that seem inconsistent with authorized user activity, such as impossible travel alerts. Regularly review audit logs for suspicious logins, forwarding rule modifications, and add-permission operations to identify and remediate potential security breaches. Regularly audit and review devices registered to the MFA service to detect any unauthorized additions that could be used to intercept MFA prompts. Organizations shouldn’t assume a successful MFA approval means the user is who they expect. For example, threat actors may target individuals for phishing attacks or obtain their compromised credentials from the dark web if they are exempt from MFA requirements. Some common reasons for these exceptions include an individual’s seniority, trusted vendor status, operational limitations, or privacy-related issues.
- Secure Wireless Guest Networks: Organizations should implement strong security measures for wireless guest networks, such as segregating them from the corporate network and avoiding overlapping IP address ranges. Consider enforcing MFA for all connections, regardless of the perceived trust level of the network.
- Regularly Audit MFA Configurations: Regularly audit MFA configurations, including third-party applications, to ensure policies are applied consistently and securely. Verify that MFA is enforced for all critical accounts and applications. Monitor Azure Active Directory logs for any suspicious activity, such as unusual login attempts or changes to Conditional Access Policies.
- Implement Strong Password Policies: While MFA bypass tactics often focus on circumventing the second authentication factor, a strong password remains a crucial first line of defense. Implement robust password policies that enforce strong, unique passwords and block known compromised passwords.
- Adopt Risk-based Authentication: Analyzing login requests for anomalies, such as unusual login locations or times, can help detect and prevent unauthorized access attempts.
- Enable Impossible Travel Alerts: Regularly reviewing logs for logins from geographically improbable locations can signal potential MFA bypass attempts.
- Disable Legacy Authentication: Disabling legacy authentication protocols and enforcing modern authentication methods is crucial for preventing attackers from exploiting outdated systems. Organizations should prioritize migrating to protocols that support MFA and ensure that all email clients and applications are up to date.
- Utilize Risk-Based Authentication: Employ risk-based authentication mechanisms that analyze login request signals for anomalies. Use factors such as geographic location, time of day, and the frequency of login attempts from various locations to identify and flag potentially malicious activity.
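As an added illustration (not code from the original article), the impossible-travel and push-burst checks described in the controls above, written as detection logic over constructed sign-in and MFA push records. The record layout, the 900 km/h speed threshold and the five-prompts-in-ten-minutes window are assumptions to tune for the organization:

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records (not real tenant data): sign-ins with source-IP geolocation, push outcomes.
SIGNINS = [
    ("alice", "2024-03-01T08:00:00", 51.5074, -0.1278),   # London
    ("alice", "2024-03-01T09:30:00", 40.7128, -74.0060),  # New York, 90 min later
    ("bob",   "2024-03-01T10:00:00", 48.8566, 2.3522),    # Paris
    ("bob",   "2024-03-01T16:00:00", 52.5200, 13.4050),   # Berlin, 6 h later
]
PUSH_EVENTS = [("carol", "2024-03-01T22:0%d:00" % i, "Denied") for i in range(5)] + [
    ("carol", "2024-03-01T22:05:30", "Approved"),  # worn down after five denials
    ("bob", "2024-03-01T10:00:05", "Approved"),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin(math.radians(lat2 - lat1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(signins, max_kmh=900.0):
    """Flag consecutive sign-ins by one user whose implied speed exceeds max_kmh
    (roughly airliner speed). Returns (user, distance_km, implied_kmh) tuples."""
    by_user = defaultdict(list)
    for user, when, lat, lon in signins:
        by_user[user].append((datetime.fromisoformat(when), lat, lon))
    alerts = []
    for user, events in by_user.items():
        events.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = max((t2 - t1).total_seconds() / 3600.0, 1 / 3600.0)  # avoid /0
            if km / hours > max_kmh:
                alerts.append((user, round(km), round(km / hours)))
    return alerts

def push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who received `threshold` or more push prompts inside `window` (prompt bombing)."""
    by_user = defaultdict(list)
    for user, when, _result in events:
        by_user[user].append(datetime.fromisoformat(when))
    flagged = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return flagged
```

Both checks flag the burst itself, so a prompt-bombing run is caught even when the final prompt was approved.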
Adopt a “Fail Closed” Configuration for MFA Services
Configure MFA services with a “fail closed” setting. This denies all access if the MFA service is interrupted or unavailable, rather than a “fail open” configuration that allows access without MFA. While “fail closed” may cause temporary disruptions, it significantly reduces the risk of unauthorized access during service outages.
Danger of “Fail Open” MFA Configuration
If MFA services are configured to fail “open” when there’s a problem with the service, like a DDoS attack or connectivity issues, access is granted without MFA authentication.
The danger here is significant: it creates a gap for attackers to exploit. While it might seem inconvenient for users to lose access temporarily due to a “fail closed” setting, the alternative is far riskier. A “fail open” configuration could allow an attacker to slip through during an MFA service disruption, potentially causing substantial damage to an organization’s operations, assets, and reputation.
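To make the fail-open versus fail-closed difference concrete, here is an added Python sketch (not code from the original article) of an authentication step whose outcome during an MFA provider outage depends on the configured policy. MfaProvider, OutagePolicy and authenticate are hypothetical names chosen for the example:

```python
import logging
from enum import Enum

log = logging.getLogger("auth")

class MfaUnavailable(Exception):
    """Raised when the MFA provider cannot be reached (outage, DDoS, connectivity loss)."""

class OutagePolicy(Enum):
    FAIL_OPEN = "fail_open"      # grant access without the second factor
    FAIL_CLOSED = "fail_closed"  # deny until the provider is reachable again

class MfaProvider:
    """Stand-in for a real push/OTP service; healthy=False simulates an outage."""
    def __init__(self, healthy=True, valid_codes=()):
        self.healthy, self.valid_codes = healthy, set(valid_codes)

    def verify(self, user, code):
        if not self.healthy:
            raise MfaUnavailable("MFA service unreachable")
        return code in self.valid_codes

def authenticate(user, password_ok, mfa_code, provider, policy):
    """Return (granted, reason). The outage policy only matters when the provider is down."""
    if not password_ok:
        return False, "bad password"          # first factor failed; MFA never consulted
    try:
        if provider.verify(user, mfa_code):
            return True, "password+mfa"
        return False, "mfa rejected"
    except MfaUnavailable as exc:
        if policy is OutagePolicy.FAIL_OPEN:
            # The dangerous branch: a single factor is treated as sufficient while MFA is down.
            log.critical("MFA outage: granting %s WITHOUT second factor (%s)", user, exc)
            return True, "fail-open (no mfa)"
        # Fail closed: the outage is visible to operators, but no session is issued.
        log.warning("MFA outage: denying %s (%s)", user, exc)
        return False, "fail-closed"
```

Either branch should raise an alert; the difference is that only the fail-closed branch leaves the attacker with nothing to use during the outage.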
Other MFA Methods and Their Security
- Time-Based One-Time Passwords (TOTP): TOTP generates a one-time password that is only valid for a short period. This method is more secure than push notifications as it requires the user to enter a code manually, which is less susceptible to phishing and prompt bombing attacks.
- Biometric Authentication: Using biometric data like fingerprints, facial recognition, or retina scans adds a robust layer of security. These methods are difficult to replicate or steal, making them highly secure.
- Location-Based Authentication: Verifying the user’s location through GPS or IP address can help ensure that the login attempt is legitimate.
- Behavioral Biometrics: Analyzing user behavior such as typing patterns or mouse movements can help detect anomalies that indicate unauthorized access attempts. This method is gaining traction due to its ability to continuously monitor user behavior during a session.
Recent MFA Bypass Attacks
CERT-UA Incident: In a notable incident, the Computer Emergency Response Team of Ukraine (CERT-UA) reported that a nation-state actor attempted to intercept one-time SMS codes used for MFA. It is suspected that the attackers may have used physical systems to capture the codes or block cellular network access from the target device.
Uber Breach: Uber faced a significant MFA fatigue attack where the threat actor impersonated members of Uber’s IT department. They repeatedly requested login approval from Uber employees, wearing them down until they eventually approved the request. This granted the attacker unauthorized access to Uber’s internal systems.
Reddit Phishing Attack: In early 2023, Reddit experienced a sophisticated phishing attack where threat actors stole employee usernames, passwords, and two-factor authentication tokens. The attackers sent employees convincing prompts, directing them to a cloned version of Reddit’s intranet gateway, effectively capturing their credentials.
Electronic Arts (EA) Breach: The ransomware group Lapsus$ used a token theft attack against Electronic Arts. They purchased a stolen session cookie from an EA employee on the Genesis Marketplace, which allowed them access to EA’s Slack instance. Ultimately, they stole 80 GB of data, including source code, and used it for extortion.
Man-in-the-Middle Attacks: Companies like Twilio and Cloudflare were targeted by man-in-the-middle attacks. In these attacks, threat actors inserted themselves between the user and the legitimate login page. By directing victims through a malicious proxy server, attackers were able to capture credentials and two-factor authentication tokens.
Final Thoughts
The persistent threat of MFA bypass techniques underscores the critical need for organizations to continuously monitor their MFA implementations and overall security posture. By implementing the strategies outlined and remaining vigilant about evolving threats, organizations can significantly enhance their defenses against MFA bypass attacks.
It’s essential to recognize that while MFA significantly improves security, it is not a cure-all. Comprehensive security measures that address various attack vectors are vital for effectively mitigating the risk of MFA bypass attacks.
This involves adopting a multi-layered approach to security, combining technical safeguards with user education and awareness.
Security is ongoing. Attackers are constantly developing new techniques to circumvent security measures, making continuous improvement and adaptation imperative. Organizations should not rely on a single solution but should integrate multiple layers of security to stay ahead of attackers and protect their valuable assets and sensitive data.