We haven’t been shy about pushing for multi-factor authentication, AKA MFA, and there’s a reason for that: if implemented correctly, it can help prevent many cyberthreats. Having said that, cybercriminals have managed to find a way to undermine MFA. Let’s consider how they’ve managed to do this.
First, let’s examine why we’ve trusted MFA up to this point:
Phishing—or the act of manipulating the user, instead of the computer system, in order to gain access to data—has become a hugely common tactic, mainly because it works. Hackers are also still able to guess weak passwords and gain access. MFA adds an additional layer of security by requiring an additional proof of identity. Without this credential—typically something other than a password that’s harder to replicate—a hacker theoretically can’t get in.
Unfortunately, this is no longer always the case.
Microsoft has observed a few recent attacks that demonstrate that hackers can in fact bypass MFA protocols that businesses put in place. The term bypass is important. It isn’t that hackers have cracked MFA, they’ve just figured out how to get around it.
It’s like driving through a city to find that your normal route is under construction, so traffic has slowed to a crawl. Sure, you could simply wait it out and hope to get through in a reasonable amount of time, or you could find another route.
Most hackers use something called an adversary-in-the-middle attack. The hacker sets up a proxy server between their target and the service they want the credentials for. By phishing their target, the hacker is able to steal both their password and the session cookie. This way, the user accesses their account as normal, with no knowledge that it's been undermined, while the hacker gets what they want.
MFA can be worked around in other ways, as well. MFA systems that rely on text messages or emails with single-use codes have little defense against a user being convinced to provide these codes as they are generated. Trojans can be used to spy on users, while other means can take over the devices used to actually authenticate the involved systems. Like many other forms of cybersecurity, it really comes down to how vigilant the user is.
In our humble (expert, but still humble) opinion, the best cybersecurity strategy is one that relies on both the right technical security system and the capabilities of the people using it, working in tandem to better secure the protected assets. This is why we still recommend, even encourage, businesses to implement MFA despite these security hiccups. Our one caveat is that these businesses also need to educate their teams as to their importance.
We can help you do both, implementing enterprise-grade security while also providing comprehensive cybersecurity training and testing to ensure your business is as prepared as possible. Reach out to us today to learn more about how we can assist your business by calling 734-927-6666 / 800-438-9337.