Multi-factor authentication (MFA) is among the most useful measures companies can use against the rise in credential attacks, but attackers are adapting, as demonstrated in a variety of bypasses that allowed them to infiltrate networks — even those protected by MFA.

In an analysis of recent attacks, identity and access management firm CyberArk found at least four ways that attackers, including its own red teams, could circumvent MFA or at least greatly diminish its benefits. Attackers behind the SolarWinds Orion compromise, in a recent example, stole the private keys for single sign-on (SSO) infrastructure at many companies and then used those keys to bypass MFA checks.

Companies must model these threats and ensure their MFA infrastructure does not have the same weaknesses, says Shay Nahari, vice president of red team services at CyberArk.

"Over the last year, we have seen a spike in companies who have MFA as part of their security control — which is always good — but we have also seen some MFA-based attacks during post-breach activities on our clients," he says. "They used it both for the initial access, and we saw attackers who got access in some other way, and then pivot to gain more sensitive access."

Both businesses and consumers worried about the increase in account compromise have adopted MFA. In 2019, a bi-annual report tracking the adoption of two-factor authentication found 53% of respondents used it to secure important accounts, up from 28% in 2017. Another study, funded by Microsoft, found 85% of executives expected to have MFA implemented by the end of 2020. 

The benefits are clear: Microsoft maintains that accounts with MFA are 99.9% less likely to be compromised. 

"The point is — your password, in the case of breach, just doesn't matter — unless it's longer than 12 characters and has never been used before — which means it was generated by a password manager," Alex Weinert, director of security at Microsoft, wrote in an analysis of MFA in 2019. "That works for some, but is prohibitive for others ... Or you could just enable MFA."

With the increasing adoption of MFA, especially to help secure remote workers during the pandemic, attackers are hunting for ways around the technology. Sometimes, they find it. 

Companies that use MFA in conjunction with SSO portals may have architectural design flaws. In one case, once the user was authenticated at the infrastructure level, they were not verified using MFA when accessing critical assets, the CyberArk analysis stated. This weakness could allow a single low-level machine or worker to be compromised and then trusted throughout the network. An attacker who compromised a machine and had credentials for higher-privileged users could access more sensitive assets.

"The MFA was not architected correctly," says Nahari. "The weakness is that it was not based on identity. There was no zero trust."

Another company created a weakness when onboarding new users. They sent an email with a link that users had to open on their phone so the corporate MFA system could pair with their software token application. Unfortunately, the link containing the cryptographic seed used to generate the token was only protected with a four digit PIN, which the red team quickly brute forced. Any attacker with access to a user's email could replicate an employee's MFA token, Nahari says.

"The onboarding was done in an insecure manner," he says. "The idea that you are crossing channels is a fundamental no-no. You need to decouple the channels, so the distribution of the seed should have been done on a different channel."

Other companies required MFA for remote desktop access to a server, but not for other ports or applications on that server, opening the machine up to credential compromises on other channels. This could give an attacker access to the entire machine.

Organizations should audit their MFA infrastructure to identify the ways it could potentially be bypassed. In addition, they should design threat models to understand the ways attackers might try to circumvent their access security, Nahari says.

"MFA should not be the only thing, it should be part of a bigger approach," he says. "Every attack we've shown is not attacking the MFA, but finding ways to circumvent the way it was implemented."