Multifactor Authentication (MFA) is a must for an organization’s cybersecurity portfolio, but for many this simply means Two-Factor Authentication (2FA). As cybercriminals continue to advance their means of attack, they have developed sophisticated ways to circumvent 2FA.

It is important to note that while our industry uses MFA and 2FA interchangeably, MFA is a general concept of multifactor authentication, that is, using more than one factor to authenticate a user. What most organizations have in place is 2FA — the minimal viable implementation of MFA, utilizing the existing username/password mechanism with an added second factor, such as an OTP (one time password), authentication app push approval, or SMS-based tokens (similar to OTPs).

The two most common techniques today for 2FA circumvention are Adversary in the Middle (AiTM) and MFA fatigue.

AiTM is a technique used by attackers for doing phishing attacks via a proxy. Rather than harvesting passwords and trying to use them later, the attackers proxy the attempted login of the user, including the second authentication factor (whether it is an OTP or MFA push), and create a new session for the attacker, in real time, that is then used for future access. With MFA sessions being valid for 14-30 days in most cases, this allows the attacker a substantial amount of time to use the hijacked account. We have seen this in multiple campaigns, including setting up a new MFA authenticator app to maintain persistency beyond the MFA session validity duration. It is important to note that while this may seem more complicated, there are now at least three popular phishing kits (and a custom one) that automate this process for the attackers.

MFA fatigue is a technique that can be used against MFA challenges via push notifications in your MFA authentication app. In this scenario, the attacker can first obtain the username/password using a traditional approach (phishing, theft of password database, and so on), before launching the MFA attack itself. The attacker then starts attempting to log in with the stolen credentials. Every time the attacker does so, the user gets a push notification on their app asking them to verify the authentication. For many users, this is seen as a glitch in the system, and they either approve it right away, or approve it at some point as they get tired of the notifications and pressing No every time.

What this means is that the efficacy of existing 2FA solutions is being nullified more and more each day. It is safe to assume that almost all phishing attacks will soon be powered by these new frameworks for circumventing 2FA, and we will be back to where we were a few years ago, with only a username and password inefficiently trying to stand between attackers and our data and systems.

The solution is to embrace MFA more broadly, moving to Three-factor Authentication (3FA) by adding an additional factor, but this time one that cannot be used by the attacker to authenticate from a foreign device. This can be done by tying the user authentication to a specific device or hardware token.

Microsoft 365 does offer this capability. There is, however, one caveat. Very few organizations have implemented these solutions to date, so they are still somewhat immature. We have been seeing organizations trying to implement those solutions, and they are encountering substantial overhead, user frustration, and lots of edge cases with no solution to date. As the industry increases the adoption of these 3FA solutions, providers like River Run are allocating the resources needed to perfect them, making them the default way to go and challenging attackers to come up with new techniques.

3FA with hardware and device-based verification is now the best solution for companies to protect themselves from these phishing attacks. As always, River Run is here to help you move from 2FA to 3FA.



Share this article