Cracking the Shield: Methods Hackers Use to Bypass MFA


Multi-Factor Authentication (MFA) has emerged as a fundamental element in the protection of sensitive data. By necessitating various forms of verification, MFA greatly improves security compared to conventional password systems. Nevertheless, despite its apparent strength, MFA is not immune to attacks. Cybercriminals are increasingly employing sophisticated methods to circumvent these security measures, thereby endangering even the most secure systems. This blog will examine the strategies utilized to bypass MFA, the vulnerabilities that facilitate these attacks, and the actions organizations can undertake to strengthen their defenses against this escalating threat.

What is MFA and how does it work?

Multi-Factor Authentication is a security mechanism that validates an individual’s identity through several independent authentication methods before allowing them to log in or complete a transaction. It combines credentials from different categories: something the user knows (a password), something the user has (a security token), and something the user is (biometric verification).

How MFA Works

Fig1: The Stages of MFA

User Login: The user enters their username and password.
Second Factor Request: The system prompts the user for a second form of verification, which could be a hardware token, a biometric check, or a code delivered by text message.
Verification: The system checks the second factor.
Access Granted: The user is given access only if the second factor is correct.

Different Types of MFA

There are several varieties of MFA:

SMS-based MFA

SMS-based Multi-Factor Authentication adds a layer of protection using text messages. Upon logging in, the user receives a one-time code via SMS, which they must enter in addition to their regular password.

App-based MFA

App-based Multi-Factor Authentication enhances security by asking users to verify their identity with a mobile application in addition to their primary login credentials. Typically, this approach relies on a time-based code generated by an authenticator app, such as Google Authenticator, which the user must enter to gain access to their account.

App-based Multi-Factor Authentication adds a layer of security that substantially lowers the risk of unauthorized access, even if the primary credentials are compromised. It is a practical way to improve security in both personal and professional settings and to protect private data from account takeover.

Hardware Tokens

Hardware tokens are physical devices that generate authentication codes or act as cryptographic keys that unlock access to resources. Frequently used in two-factor authentication (2FA) and Multi-Factor Authentication (MFA) setups, they ensure that access is granted only when the correct physical device is present, significantly reducing the possibility of unauthorized access.

Hardware tokens come in a variety of shapes and sizes, including USB keys, smart cards, and dedicated key fobs. All of them provide a robust security layer by holding cryptographic secrets that are difficult to extract or clone. Their reliability and efficiency make them a popular option for protecting sensitive data and systems in both personal and business settings.

Biometrics

When used alongside Multi-Factor Authentication (MFA), biometrics significantly improve security by relying on unique physical characteristics such as fingerprints, facial features, or iris patterns. Biometric authentication is inherently more reliable than systems that rely only on passwords or PINs, since these characteristics are difficult to forge or steal.

By adding biometrics, MFA offers stronger protection against unauthorized access and acts as a deterrent against fraud. This additional layer is especially valuable for protecting sensitive data and maintaining the integrity of online transactions and record access.

Common Methods Hackers Use to Bypass MFA

Since we cannot perform these attacks against arbitrary web applications, we are using PortSwigger Web Security Academy labs. Please note that these exercises are for educational purposes only.

Simple 2FA Bypass

In this type of bypass, the threat actor logs into their own account and receives an OTP for 2FA authentication, as shown in the image.

Fig2: OTP sent to user email

After successfully logging in, note the endpoint [/my-account].

A threat actor who has obtained the victim’s credentials from a data breach can bypass 2FA by browsing directly to the endpoint [/my-account] after the password step. This works because the application does not enforce the MFA step on that endpoint, and that is how the threat actor bypasses the MFA.

Fig3: Access the endpoint [/login2]

To determine whether the application truly enforces 2FA, look at the endpoint [/login2], which receives the MFA code in a POST request. To test it, log out, log in again, and intercept the request sent to [/login2]. Drop that request and then browse to [/my-account]. If the account page loads, the 2FA protection is not enforced.

Fig4: Bypass the simple 2FA

2FA Broken Logic

In this scenario, the threat actor only knows the victim’s username. They target the /login2 endpoint, which relies on a cookie named verify that carries the username. This indicates that the back-end identifies the user from this cookie and issues the MFA code based on it. The threat actor removes their own session cookie, replaces the verify value with the victim’s username, and sends the request to see if the server responds with 200 OK.

Fig5: Request sent by attacker

Additionally, the /login2 endpoint accepts the MFA code via a POST request. If the threat actor removes the session cookie and sends the request with only the victim’s username, they are redirected to the /my-account endpoint once the code is accepted. To bypass MFA, the threat actor therefore only needs to guess the 4-digit security code. To test for brute-force protection, they send multiple requests and check whether the system blocks the attempts or shows any sign of rate limiting.

Fig6: Tampering with the request

The threat actor then begins guessing the MFA codes and monitors for a redirection (302) to bypass the MFA protection.
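Both lab scenarios above come down to the same server-side mistake: the application either does not check that the MFA step was completed before serving /my-account, or it decides whose code to check from a client-controlled cookie. The following is an added example, not code from the original post or from PortSwigger, modelling the three login handlers with the state kept entirely in a server-side session: the pending username and the code are bound to the session that passed the password check, the code is rotated on every login, /login2 refuses to run without a pending login, and /my-account requires the completed-MFA state. The user names, passwords and the three-attempt limit are constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed demo user store (hypothetical accounts, not the lab's users).
USERS = {"alice": "correct horse battery staple", "bob": "hunter2-but-longer"}
MAX_MFA_ATTEMPTS = 3  # a 4-digit code has only 10,000 values; the limit is what makes it safe


@dataclass
class Session:
    pending_user: Optional[str] = None  # passed the password step, MFA not yet done
    mfa_code: Optional[str] = None      # fresh code issued for THIS session only
    attempts: int = 0
    user: Optional[str] = None          # set only after the second factor is verified


SESSIONS: Dict[str, Session] = {}


def new_session() -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session()
    return sid


def login(sid: str, username: str, password: str) -> Tuple[int, str]:
    """Step 1 (/login): verify the password, bind the pending user to the server-side
    session and issue a brand-new code. Any earlier code or progress is discarded."""
    s = SESSIONS[sid]
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, password):
        return 401, "Invalid username or password"
    s.pending_user = username
    s.mfa_code = f"{secrets.randbelow(10_000):04d}"  # rotated on every login
    s.attempts = 0
    s.user = None
    return 302, "/login2"


def login2(sid: str, submitted_code: str) -> Tuple[int, str]:
    """Step 2 (/login2): the username comes from the session state, never from a
    client-controlled cookie, so it cannot be swapped for another user's name."""
    s = SESSIONS[sid]
    if s.pending_user is None or s.mfa_code is None:
        return 403, "No pending login for this session"  # step 1 cannot be skipped
    s.attempts += 1
    if s.attempts > MAX_MFA_ATTEMPTS:
        SESSIONS[sid] = Session()  # terminate; the next login issues a new code
        return 403, "Too many attempts"
    if not hmac.compare_digest(s.mfa_code, submitted_code):
        return 401, "Incorrect security code"
    s.user, s.pending_user, s.mfa_code = s.pending_user, None, None  # code is single-use
    return 302, "/my-account"


def my_account(sid: str) -> Tuple[int, str]:
    """Protected page: requires the completed-MFA state, not merely a known session id."""
    s = SESSIONS.get(sid)
    if s is None or s.user is None:
        return 302, "/login"
    return 200, f"Account page for {s.user}"


def run_scenario() -> Dict[str, Tuple[int, str]]:
    """Replays the bypass attempts from the text against the hardened handlers."""
    out: Dict[str, Tuple[int, str]] = {}
    sid = new_session()
    out["skip_to_account"] = my_account(sid)              # never logged in
    out["login2_without_step1"] = login2(sid, "0000")     # broken-logic style request
    out["wrong_password"] = login(sid, "alice", "wrong")
    out["password_ok"] = login(sid, "alice", USERS["alice"])
    out["drop_login2_then_account"] = my_account(sid)     # dropped /login2 request
    SESSIONS[sid].mfa_code = "9999"                       # pinned so the demo is deterministic
    out["guess_1"] = login2(sid, "0000")
    out["guess_2"] = login2(sid, "0001")
    out["guess_3"] = login2(sid, "0002")
    out["guess_4_correct_but_locked"] = login2(sid, "9999")
    out["account_after_lockout"] = my_account(sid)
    out["relogin"] = login(sid, "alice", USERS["alice"])  # new code issued here
    out["correct_code"] = login2(sid, SESSIONS[sid].mfa_code)
    out["account_after_mfa"] = my_account(sid)
    out["replay_code"] = login2(sid, "0000")              # no pending login any more
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:28s} -> {result}")
```

Each tuple is the status and body a handler would return; the scenario shows that neither dropping the /login2 request, nor submitting a code without a pending login, nor guessing past the attempt limit reaches the account page.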

2FA Bypass Using a Brute-Force Attack

In this scenario, after two incorrect attempts the user is logged out by the MFA protection. When random credentials are used, the system responds with “Invalid username or password.” However, if the credentials of a known user (Carlos) are used, the attacker is redirected to “/login2,” which prompts for the Multi-Factor Authentication code.

Brute-forcing the code directly does not succeed here. If the MFA code is entered incorrectly twice, the session appears to be terminated, and the CSRF token is invalidated. Despite this, the application does not lock the account, allowing immediate retry. If the application correctly generates a new 2FA code for each login attempt, this would hinder brute-forcing. However, if a 2FA code remains valid until used, brute-forcing is feasible.

The login process involves multiple requests that must be executed in sequence. In Burp Suite, a session-handling macro can chain these requests so that each brute-force attempt replays the full login sequence.

Fig7: Arranging the requests when running the macro

Verify that the final response prompts for the MFA code when running the macro.

The attacker needs to configure session handling and ensure that the target page falls within the scope defined by the session-handling rule. The brute-force attack can then begin. Select the POST request carrying the MFA code from the history, send it to Burp Intruder, and use the MFA code as the payload position. Ensure only one request is made at a time. Since each attempt involves four requests, the process is quite slow. Eventually, a response with a redirect [302] is received.

Fig8: Receiving a redirect (302)

To bypass MFA, the attacker simply copies the session ID from that response and injects it into their current session. This is how a brute-force attack defeats the MFA requirement when the code is not rotated and attempts are not limited.
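From the defender's side, the attack above leaves a distinctive trail: many failed POSTs to /login2 from one source in a short window, followed by a 302. The following is an added example, not code from the original post, of detection logic that reads access-log lines in a simple constructed format (timestamp, client IP, method, path, status), keeps a sliding window of MFA failures per source address, and raises one alert when the failure count reaches a threshold and another when a redirect follows such a burst. The log lines, threshold and window are all constructed for the demo; the same counting applies to any MFA challenge endpoint.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed access-log lines (not from the lab). 198.51.100.4 is a normal user who
# mistypes once; 203.0.113.7 replays login + two guesses per round, as in the text.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 198.51.100.4 POST /login 302
2024-05-01T10:00:02Z 198.51.100.4 POST /login2 401
2024-05-01T10:00:09Z 198.51.100.4 POST /login2 302
2024-05-01T10:00:10Z 198.51.100.4 GET /my-account 200
2024-05-01T10:01:00Z 203.0.113.7 POST /login 302
2024-05-01T10:01:01Z 203.0.113.7 POST /login2 401
2024-05-01T10:01:02Z 203.0.113.7 POST /login2 401
2024-05-01T10:01:03Z 203.0.113.7 POST /login 302
2024-05-01T10:01:04Z 203.0.113.7 POST /login2 401
2024-05-01T10:01:05Z 203.0.113.7 POST /login2 401
2024-05-01T10:01:06Z 203.0.113.7 POST /login 302
2024-05-01T10:01:07Z 203.0.113.7 POST /login2 401
2024-05-01T10:01:08Z 203.0.113.7 POST /login2 401
2024-05-01T10:01:09Z 203.0.113.7 POST /login 302
2024-05-01T10:01:10Z 203.0.113.7 POST /login2 302
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

Record = Tuple[datetime, str, str, str, int]
Alert = Tuple[str, str, str]  # (source ip, alert kind, timestamp)


def parse_line(line: str) -> Optional[Record]:
    """Parse one log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["method"], m["path"], int(m["status"])


def detect_mfa_brute_force(lines: Iterable[str], threshold: int = 5,
                           window: timedelta = timedelta(minutes=5),
                           mfa_path: str = "/login2") -> List[Alert]:
    """Sliding-window count of failed MFA submissions per source IP.

    Emits 'mfa_brute_force_in_progress' the moment the count reaches `threshold`
    inside `window`, and 'mfa_brute_force_succeeded' if a 302 from the MFA
    endpoint arrives while the window still holds at least `threshold` failures."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, method, path, status = rec
        if method != "POST" or path != mfa_path:
            continue
        recent = failures[ip]
        while recent and ts - recent[0] > window:  # expire old failures
            recent.popleft()
        if status == 401:
            recent.append(ts)
            if len(recent) == threshold:  # fire once per burst, not on every extra failure
                alerts.append((ip, "mfa_brute_force_in_progress", ts.isoformat()))
        elif status == 302 and len(recent) >= threshold:
            alerts.append((ip, "mfa_brute_force_succeeded", ts.isoformat()))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

The "succeeded" alert is the one worth paging on: it means a session was issued after a burst of failures, so the session should be revoked and the account reviewed. Keying the window on the account name as well as the source IP catches attackers who rotate addresses.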

Fig9: Final steps of the attack

Case Study

In March 2024, Krebs on Security reported that Apple users were being targeted by MFA bombing attacks. In these attacks, a large number of MFA prompts are pushed to the target in quick succession in the hope that the user will eventually approve one out of confusion or annoyance.

The attackers exploit the fatigue and irritation caused by the barrage of notifications. This tactic shows how important it is for users to stay alert and refuse to approve prompts they did not initiate, and it underlines the need for stronger authentication procedures and user education to reduce this risk.

Enhancing MFA Security

Best practices for strengthening MFA implementations:

1. Use Strong Authentication Factors: Implementing robust authentication factors is essential to the security and effectiveness of Multi-Factor Authentication (MFA). These factors fall into three categories: something you know, something you have, and something you are.

a. Something you know covers knowledge-based credentials such as passwords or PINs, which should be complex, unique, and updated regularly to mitigate risks such as brute-force attacks or credential stuffing.

b. Something you have refers to physical or digital tokens, such as hardware tokens, smart cards, or secure mobile authenticator apps. These are preferred over SMS-based methods, which are vulnerable to interception, SIM swapping, and other attacks.

c. Something you are covers biometric verification techniques such as fingerprint scans, facial recognition, or retinal scans.

2. Implement Adaptive Authentication: Adaptive authentication significantly strengthens Multi-Factor Authentication (MFA) by dynamically adjusting the authentication requirements based on a contextual risk assessment.

This approach uses contextual signals such as user behavior, geographic location, device type, and network environment to assess the likelihood of a threat in real time. For instance, if a user tries to log in from an unusual location or from a device that has not been seen before, the system can require additional authentication steps to confirm the user’s identity.

Similarly, if unusual behavior is detected, such as access to sensitive data at odd hours or from unexpected places, the system can escalate the authentication requirements. Adaptive authentication also integrates behavioral analysis, tracking user activity and patterns to detect anomalies that might indicate a compromised account.

By incorporating these real-time checks, adaptive authentication provides a flexible, responsive layer of protection that adjusts to the threat level, improving security without unnecessarily burdening the user in low-risk situations. This not only improves security but also improves the user experience by minimizing friction during authentication.
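The risk assessment described above is, at its core, a scoring function over the login context compared with what is known about the user. The following is an added example, not code from the original post or from any identity product, of such a policy: each unusual signal (new device, new country, off-hours access, sensitive resource) adds a weight, and the total decides between allowing the login, stepping up to an additional factor, or denying it. The baseline profile, the weights and the thresholds are illustrative values chosen for the demo; a real deployment derives the baseline from login history and tunes the weights against its own false-positive rate.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class LoginContext:
    username: str
    device_id: str
    country: str
    hour_utc: int             # 0..23
    sensitive_resource: bool  # e.g. an admin console rather than a news feed


# Constructed per-user baselines (hypothetical); in production these come from history.
BASELINES: Dict[str, dict] = {
    "alice": {"devices": {"laptop-7f3a"}, "countries": {"GB"}, "hours": range(7, 20)},
}

# Illustrative policy weights and thresholds, not values from the page.
WEIGHTS = {"new_device": 40, "new_country": 35, "off_hours": 15, "sensitive": 20}
ALLOW_BELOW = 30   # score below this: password + existing session is enough
DENY_FROM = 80     # score at or above this: block and alert rather than prompt


def risk_score(ctx: LoginContext) -> Tuple[int, List[str]]:
    """Sum the weights of every signal that deviates from the user's baseline."""
    base = BASELINES.get(ctx.username)
    if base is None:
        # No history at all: treat as an unknown device in an unknown place.
        return WEIGHTS["new_device"] + WEIGHTS["new_country"], ["no_baseline"]
    reasons: List[str] = []
    if ctx.device_id not in base["devices"]:
        reasons.append("new_device")
    if ctx.country not in base["countries"]:
        reasons.append("new_country")
    if ctx.hour_utc not in base["hours"]:
        reasons.append("off_hours")
    if ctx.sensitive_resource:
        reasons.append("sensitive")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(ctx: LoginContext) -> str:
    """Map the score to an action: 'allow', 'step_up' (require another factor) or 'deny'."""
    score, _ = risk_score(ctx)
    if score < ALLOW_BELOW:
        return "allow"
    if score < DENY_FROM:
        return "step_up"
    return "deny"


def record_trusted_device(username: str, device_id: str) -> None:
    """Called after a successful step-up so the same device is low-friction next time."""
    profile = BASELINES.setdefault(
        username, {"devices": set(), "countries": set(), "hours": range(0, 24)}
    )
    profile["devices"].add(device_id)


if __name__ == "__main__":
    ctx = LoginContext("alice", "phone-22c1", "BR", 3, True)
    print(risk_score(ctx), decide(ctx))
```

The `reasons` list is as important as the score: it is what the step-up prompt, the audit log and the analyst triaging a "deny" all need to see.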

3. Integrate with Other Security Measures: Integrating Multi-Factor Authentication (MFA) with other security measures is important for building a comprehensive and robust defense framework. MFA should be a core component of a broader security strategy that includes Single Sign-On (SSO), zero-trust architecture, and continuous monitoring.

SSO lets users access multiple applications with a single set of credentials, streamlining the login process while still relying on MFA to ensure secure access. In a zero-trust architecture, every access request is verified regardless of the user’s location, reinforcing the principle of “never trust, always verify.” This ensures that MFA is applied consistently across all access points.

Additionally, integrating MFA with continuous monitoring tools allows real-time detection of and response to suspicious activity, providing an additional layer of security. This integration ensures that MFA is not an isolated measure but part of a cohesive security ecosystem that works together to guard against a range of threats, reduce vulnerabilities, and improve the overall security posture.

By embedding MFA in a multi-layered security strategy, organizations can protect their assets and data and build a more resilient defense against cyber threats.

Recommendations for users and organizations to protect themselves against MFA bypass techniques:

To protect against MFA bypass methods, users and organizations should combine best practices, technical measures, and user education.

For Users:

To protect yourself against Multi-Factor Authentication (MFA) bypass techniques, it’s essential to use strong and unique passwords and remain vigilant against phishing attempts. Opting for hardware security keys over SMS or app-based MFA can significantly bolster your security.

Regularly updating your security software and monitoring your account activity for any suspicious behavior are crucial steps. If you detect any unusual activity, report it immediately to your service providers to quickly mitigate potential damage. Prioritizing these measures will enhance your overall security and help safeguard your accounts.

For Organizations:

Businesses, on the other hand, should use phishing-resistant MFA methods, including those that follow the FIDO2 or WebAuthn standards. Important measures include implementing conditional access controls, running regular penetration tests and security audits, and training staff to recognize and handle phishing attempts.

Resistance to MFA bypass techniques is further strengthened by applying least-privilege access rules, securing all endpoints, and adopting a zero-trust security model. Adaptive MFA based on contextual factors, together with regular review of MFA logs, helps identify and stop unauthorized access attempts.

Emerging technologies and methods to enhance MFA security

1. Biometric Authentication

By relying on distinctive physical traits such as fingerprints, facial features, or retinal patterns, biometric authentication improves MFA security. Because these biometrics are hard to duplicate, it is much more difficult for unauthorized users to get past authentication. The complexity and uniqueness of biometric data provide a strong security layer that helps ensure only the legitimate owner can access the protected systems or data.

2. Artificial Intelligence and Machine Learning

By identifying suspicious activity and potential threats as they happen, artificial intelligence (AI) and machine learning (ML) can significantly improve MFA security. These technologies analyze large data sets to find patterns and anomalies that could indicate a breach. By continuously learning and adapting to new threats, AI and ML increase the speed and accuracy of threat detection, allowing quicker and more effective responses to security incidents.

3. Advanced Cryptographic Techniques

Advanced cryptographic techniques, such as the FIDO2 and WebAuthn standards, offer secure, phishing-resistant authentication mechanisms. These standards use public-key cryptography to authenticate users without sending a shared secret across the network. By reducing the possibility of interception and man-in-the-middle attacks, this approach provides a more secure MFA process that withstands advanced cyber threats.

4. Blockchain Technology

MFA systems can be strengthened by blockchain technology, which provides a decentralized, tamper-resistant identity verification solution. Distributing identity data across a blockchain network removes the single point of failure or centralized weakness that could be exploited. The immutability and transparency of blockchain make it an attractive option for transparent and secure authentication procedures.

Conclusion

Improving Multi-Factor Authentication security is essential for both individuals and organizations as cyber threats keep evolving. Emerging technologies such as blockchain, artificial intelligence, biometric authentication, and behavioral biometrics are enabling more reliable and resilient MFA systems.

By adopting these technologies, businesses can protect sensitive data from increasingly sophisticated attacks, and consumers can better protect their accounts from unauthorized access. Maintaining a safe digital environment will depend on applying best practices and staying up to date with these developments.

References:

Recent ‘MFA Bombing’ Attacks Targeting Apple Users
Multi-factor Authentication Bypass Examples via Response Tampering
Multi-Factor Authentication (MFA) Methods
All labs | Web Security Academy