Multi-factor authentication (MFA) is an effective way to enhance security by requiring multiple forms of authentication before granting access to a system or application. But MFA is not completely unsusceptible to attackers, with companies seeing more sophisticated attack techniques every day. Organizations must properly develop and execute strategies and deploy the right technologies to mitigate the risk of successful MFA attacks in the age of advanced threats. We spoke with Vittorio Bertocci, Principal Architect, Okta, to discuss the latest MFA threats and how organizations can fortify their defenses to keep critical data and access safe from sophisticated attacks.
What types of multi-factor authentication attacks have been recently reported in the industry, and how are they being carried out? Why are they dangerous?
The Uber attack where the attackers impersonated an Uber IT person to employees on WhatsApp to coerce them into accepting the MFA challenge showcases the main ways attacks are targeting MFA. Application builders understand that multi-factor authentication (MFA) is an effective way to defend against identity-based attacks. But not all MFA is created equal. Many organizations that have implemented MFA-based authentication have done so using low-assurance factors, such as security questions, SMS, Voice, and email-based One Time Passwords (OTPs), and still rely on passwords as the primary authenticator. Like in nature where predators have evolved to target the weakest link, attackers have evolved their tactics to target authentication factors that are perceived to be secure, but are not as secure as others.
When MFA is implemented using weaker factors, attackers can try to bypass MFA using techniques that either successfully ‘guess’ the authenticator code; intercept the second factor (such as in the case of SMS interception of the 2FA code within the message); or create ‘alert fatigue’ in an attempt to trick or coerce the user into completing the MFA challenge, even if they didn’t initiate the request. In the case of Twitter, one could argue that the suggestion to disable SMS-based MFA could improve security posture, because SMS is a weaker factor. But despite all of the criticism we like to throw at SMS authentication, it is demonstrably better than passwords alone. Even some tech savvy people who know and care a great deal about security find setting up authenticator apps awkward enough to put it off until they are forced into it, so this move will likely result in fewer accounts using 2FA. TL;DR: Not all MFA is created equal, but any MFA is better than none.
What are some of the most effective strategies that companies can use to prevent multi-factor authentication attacks, and how can they stay ahead of the evolving threat landscape? Transition away from weak authenticators and use phishing resistant factors for MFA. SMS, email, and voice OTPs, as well as security questions and push notifications, are only moderately secure authenticators. All are potentially vulnerable to phishing. FIDO authenticators are phishing resistant, leveraging public key cryptography to eliminate the use of shared codes or secrets. Since there are no codes to speak of, attackers cannot collect credentials that will be usable elsewhere In an ideal world, this would be an amazing passkey adoption opportunity, and one of the advantages is saving money on SMS costs. But that would have required a larger engineering lift on Twitter’s part. In general, making it easy for developers to implement the necessary changes in apps and websites is key to passkey adoption.
How can companies educate their employees and users about the risks of multi-factor authentication attacks, and what steps should individuals take to protect themselves against these threats? Since MFA bypass is often combined with some kind of social engineering, effective security awareness training is essential. To take another example, we observed an MFA bypass attack targeting 50 phone numbers with 100 SMS MFA codes each in Okta’s State of Secure Identity report. Consider how a user might behave in that situation: Would they recognize the onslaught of MFA requests as the signs of an attack, or would they think that the service was simply being ‘buggy’? Would they approve a request or perhaps change their configuration to turn off MFA?
To bring it back to Twitter, whenever you are adding friction for users, they’re likely to vote with their feet. Whenever you are asking people to change, you need to take concrete steps to make the transition easier. In this case, that would be explaining to users what they can do to change their second factor, to avoid them dropping 2FA entirely. ###