Since its arrival decades ago, multi-factor authentication (MFA) has promised to make our online lives more secure than simple login name and password authentication solutions. The sheer number of ways to compromise password authentication solutions is leading more organizations into using or considering MFA for at least some of their logins. In fact, almost 60 percent of organizations have already implemented MFA. However, MFA is far from perfect and it is being hacked every day and leaving organizations of all sizes vulnerable. Sadly, many security experts and end users have inadvertently equated using MFA into “I can’t be hacked” or “I’m far less likely to be hacked” and that simply isn’t true. In some cases, using MFA can actually make you easier to hack.
MFA is great for preventing broad phishing attacks for password credentials. Phishers oftentimes broadcast tens of millions of phishes asking for login credentials hoping that at least some small percentage of potential victims will be tricked into revealing their login names and passwords. And MFA substantially mitigates these types of attacks. You can’t be tricked out of a password when you don’t have one.
But once a hacker learns that a particular user or service uses or requires MFA, he/she can adjust his/her tactics even only slightly and compromise potential victims. For example, many people mistakenly believe that using MFA makes phishing attacks unable to be successful and it is not true. Here is a great demonstration example by infamous hacker Kevin Mitnick (https://www.youtube.com/watch?v=xaOX8DS-Cto) revealing how easy it is to phish someone using MFA on a real-live, popular website. I think anyone watching the video who has never seen it or one like it before, comes away a bit shell shocked.
The truth is that any MFA solution can be hacked and engineered around. I’ve reviewed over 130 different MFA solutions of every possible type, and every solution is hackable using at least three to six common methods, and most are hackable using over 10 methods. Nothing is unhackable and MFA is no exception.
So how can MFA be hacked? Broadly, the three basic methods are classified as one or more of these three methods:
- Social engineering
- Attacks against underlying technology
- Physical attacks
More specifically, the most common basic attacks against MFA are these, as summarized below:
Access control token theft
Nearly every successful login results in the authentication system assigning an “access control token” to the user’s identity account. The token is then passed to the access control system whenever the user wants to access a protected resource (e.g., file, folder, service, etc.) requiring authentication. For example, with Microsoft Windows, you get a Kerberos ticket or NT token. Most websites send text-based “cookies”. Attackers will often create man-in-the-middle attacks between the legitimate user and the server he/she is connecting to and steal the resulting access control token that is being sent to the user. Possession of the token is all the hacker needs to login as the user and impersonate him/her in subsequent actions.
If the user’s device or software is taken over by hackers or malware, the hacker can do anything the legitimate user can do, including wait for the user to successfully authenticate, MFA or not, and then open a second session and do whatever the legitimate user is allowed to do. This is the method used by bank-stealing trojans, which wait for people to login to their bank account and then transfer money to another nefarious account. Hundreds of millions to billions of dollars are stolen this way each year.
MFA solutions using Short Messaging Service (SMS) are notoriously easy to hack. So much so that the U.S. government has said (in NIST Special Publication 800-63) that no authentication solution should use them. Despite this, SMS-based MFA solutions are the most popular ones used by popular Internet websites. The problem is that SMS-based MFA solutions follow the user’s phone number and hackers can easily trick the cell phone company into transferring a victim’s phone number to his/her phone. The technique has been used to steal hundreds of millions of dollars over the last decade.
One-time password attacks
One-Time Password (OTP) solutions promise an ever changing four- to six-digit code that cannot be predicted by an unauthorized party. Turns out that if the attacker can get a hold of the OTP device’s “seed” value, that re-creating an additional rogue twin instance isn’t that hard. It’s also easy for attackers to ask unsuspecting end users to reveal the resulting code. Either way, the most popular OTP solutions (like Google Authenticator) have been hacked to death over the last few years.
Every popular public MFA solution allows end users to recover their accounts using a method that is less secure than the MFA protecting the account (e.g., sending recovery codes to an alternate email account, etc.). Hackers take advantage of the less secure account recovery scenarios to take over the account.
Millions of websites and services have application programming interfaces (APIs) which allow other sites and services to automate requests and interfacing. These APIs don’t allow MFA and are frequently used and abused by hackers to get around MFA logins.
Software vulnerability exploitation
All software has bugs and that includes MFA software and firmware. Hackers frequently take advantage of unpatched or unknown software vulnerabilities to get around MFA. Sadly, when reported to many MFA vendors, they are slow to recognize or fix the reported vulnerability. It’s like every lesson we learned in securing regular software has to be re-learned again in the MFA world.
There are dozens of other ways to hack or hack around various MFA solutions (I know of over 50 ways), but these are the most popular.
This is not to say that you and your co-workers should not use MFA. MFA is good and makes many hacking scenarios harder to pull off. Here are my primary MFA recommendations:
Use MFA where you can and where it makes sense to use it. Not all logins need the security of MFA. And even the most popular MFA solutions only cover perhaps 2 percent of all websites and services at best (so passwords will be with us for a lot longer). But for your most valuable and risky sites and services, use MFA when you can.
Use more secure forms of MFA, such as FIDO2, “push” app technologies, and phone apps. Avoid using MFA solutions that use SMS. Also, be aware that faking out most biometric MFA solutions isn’t nearly as hard as vendors make it seem. Somewhere there is a 17-year old kid making a YouTube video showing how he hacked around the latest and greatest biometric solutions.
Lastly and most importantly, there is a big difference between MFA making some hacking scenarios less likely and MFA being unhackable. Make sure your users don’t think that having an MFA solution, any MFA solution, means they are far less likely to be hacked. It doesn’t. All MFA admins and users should be familiar with the ways their MFA solution can be hacked or hacked around. They need to be aware of the various threats to their MFA solution, how to recognize them, and how to report any hacking attempts against them. You know…the same things you taught them before they got MFA.
MFA is good, but it isn’t unhackable.
Roger A. Grimes, defense evangelist, KnowBe4