Contrary to what many believe, multifactor authentication (MFA) is not a foolproof safeguard: it can be hacked in many ways.
To be clear, using MFA is usually a good thing. Almost any MFA solution significantly reduces some kind of hacking risk.
For that reason alone, MFA should be used wherever strong authentication is needed and it can be deployed. But there is a common, mistaken impression that using MFA means you are much less likely to be hacked, and that simply is not true.
General MFA Hacking
Here are some hacking techniques that work against the vast majority of MFA solutions.
- Man-in-the-Middle Attacks
The vast majority of hacking techniques against MFA rely on social engineering the end user. The easiest MFA bypass is to trick the victim into connecting to a fake man-in-the-middle (MitM) proxy website before they reach the legitimate website they intended to visit. It is not hard to get a person to connect to a malicious website with an email asking them to click a button or to verify some normal-sounding piece of information.
When the victim connects to the fake website, everything the victim does is proxied to the real website, and everything the real website sends back to the victim passes through the MitM site as well. The proxy site knows all and sees all, including the user’s login credentials.
- Man-in-the-End-Point Attacks
If your computer or device is compromised by malware or a hacker, anything you or it can do, the hacker or malware can do as well. That includes piggybacking on legitimate logins, stealing session cookies, and initiating new transactions and permissions.
The most common form of this type of attack is the ‘bancos’ or banking trojan. It gets onto your computer like any other piece of malware and then, when you go to a bank, stock trading site or similar location, it waits for you to log in successfully, starts a second, hidden browser session and steals all your money.
- Faked Authentication
Here is one of the hardest types of attack to stop for 80% of MFA solutions. An attacker can trick a person into visiting a fake website that looks like a legitimate website where the user would normally use their MFA login. Instead, the website simply fakes the whole MFA routine, from asking the user to enter their MFA login to acting as if the MFA login was accepted.
The website can then present additional fake actions and requests, such as “You must update your credit card information”, and prompt the user to re-enter their credit card details. It can be hard for an MFA provider to prevent a faked authentication event, because the real MFA system is never contacted at all.
- Recovery Attacks
Almost every major MFA login method allows the login to be recovered using a method that is less secure than the MFA itself. Re-activating MFA on a new device, or logging in while the current MFA solution is unavailable, is the number one support request for any vendor that deploys MFA.
Because of this, almost every vendor that uses MFA allows users to temporarily bypass their MFA solution to log in or to request a new MFA instance, and that weaker recovery path is what attackers go after.
- Buggy MFA
All MFA involves programming, and all programming has bugs, which means every MFA solution can be exploited by someone who finds the vulnerability.
Almost every MFA solution we investigated had one or more vulnerabilities, eventually made public, that were used to bypass it. Even if your favourite MFA solution has no known, published bugs, it likely has them.
Specific Techniques Against Specific Types of MFA
Many different MFA attacks are specific to a particular type of MFA.
- SMS-Based MFA
SMS text messages make the world go around, and SMS-based MFA is probably the most popular type of MFA used on the Internet. You go to a website, it sends you an SMS code, you type that code back into the website, and it lets you in.
The problem is that SMS (and voice calling) have very poor authentication. They rely on an underlying telephony signalling protocol called SS7, which is weakly authenticated and allows phone numbers to be spoofed and calls and messages to be eavesdropped on.
Another common attack against SMS-based MFA is the SIM swap attack. It turns out that hackers can use various tricks to have your SIM and its information moved to their phone.
When this happens, your phone stops working, but before you notice that no one has called you for a while, the hacker could have put one of your accounts into recovery mode and had the reset PIN texted to your phone number, or simply logged in to a site of yours that uses SMS-based MFA.
Either way, the authentication information headed for your legitimate phone is re-routed to theirs, and they use that SMS-delivered information to take over your account.
All in all, SMS-based MFA is considered among the easiest types of MFA to compromise.
- One-Time-Password (OTP) Tokens and Apps
One-time-password (OTP) tokens and phone apps (like Google Authenticator) generate 4- to 6-digit codes that change regularly.
The OTP codes are computed from a random “seed” secret that is stored both on the MFA OTP device and in a database on the vendor’s side. If attackers can access the database where the OTP seed secret is stored, they can create additional, unauthorised instances of the OTP device that produce exactly the same codes as the legitimate one.
- Smartcards
Smartcards are the original MFA device. These credit card-sized tokens contain a cryptographically secure microchip that protects the stored secrets. Except that if hackers gain physical access to your smartcard, they can extract your secret encryption keys.
There are likely hundreds to thousands of people who know how to compromise a smartcard if they can get physical access to it. This is not to say smartcards are bad. They are not.
They are a great MFA solution and have protected some of the most sensitive networks for decades. But, like all MFA solutions, they can be hacked.
Passwords Are Here to Stay
Every year since 1990, it seems, at least a few articles have predicted the end of passwords. But most people will be using a combination of many passwords and multiple MFA solutions, for various logins, for at least the next ten years.
I do not see a passwordless society coming: too many sites and services only accept passwords, and none of the things that would replace them work on even 2% of the world’s websites and services.
Plus, the things that would replace passwords can all be hacked. I think we will see fewer passwords over time, but it will be quite some time, if ever, before no one is using a password.
Advice for successful MFA
Whenever you use or administer MFA, make sure the users involved understand the common ways they can be hacked, and educate them to recognise, avoid and report those types of attacks.
A little knowledge is a beautiful thing. You would not ask your end users to use passwords without a few hints on how passwords can be hacked and abused. You should do the same with your MFA solutions.
MFA can be a highly effective way to safeguard your organisation’s data, but that doesn’t mean it’s un-hackable.
Ronald Lee is Managing Director, Asia at KnowBe4