Top 5 Techniques Attackers Use to Bypass MFA

Like other protective measures, multifactor authentication isn't failsafe or foolproof.

Organizations count on multifactor authentication (MFA) to prevent attacks. However, the belief that you're 100% protected because of MFA is just false. Even though there are statistics that highlight how MFA can reduce the risk of identity compromise by 99% over passwords, attackers still know how to bypass it. So, where do we look?

Fortunately, it isn't all doom and gloom. Even when MFA is bypassed, you still have the ability to see and stop attacks before they become breaches, which is more important than ever as cloud usage continues to accelerate. If you take a look at some of the recent data around account takeovers — almost three-quarters (71%) of respondents to a recent cloud survey suffered an average of seven account takeovers in the last 12 months — there has to be visibility into account activity.

But before we get into how all that works, let's review the top five techniques attackers are using to bypass MFA and two-factor authentication (2FA).

1. Disabling/Weakening Multifactor Authentication
This occurs when an attacker modifies a configuration to outright disable or weaken an organization's ability to enforce MFA policies, such as modifying trusted IP configurations. This allows the attacker(s) to connect from their home base without the need for the additional layer of authentication.

2. Directly Bypassing MFA
This is when an attacker uses techniques that allows persistent access without MFA. There are two ways this happens: Use of a malicious app that is downloaded by the user and authenticates while still controlled by the attacker, or they exploit an MFA weakness such as SMS interception of the 2FA code within the message.

3. Exploiting Authorized MFA Exceptions
This is more frequently seen within organizations that use public cloud environments. It occurs when an attacker identifies accounts operating without MFA requirements, such as service accounts, and attacks them directly. Alternatively, attackers take advantage of legacy apps which don't support MFA, such as a POP/SMTP mail server.

4. Stolen SAML Signing Certificate
This technique has been known for a while; however, it recently gained notoriety when it was used in the Solarflare campaign (aka: SolarWinds breach). It occurs when an attacker has stolen the private key to sign certificates or has a forged key (aka, a golden ticket), allowing an attacker to control every aspect of the SAMLResponse object (e.g., username, permission set, validity period, and more). This technique is incredibly difficult to detect given everything looks legitimate, yet it underscores the need for continuous monitoring and threat detection as users go beyond the perimeter.

5. Session Reuse
Attackers will compromise a system that already has an authenticated session, eliminating the need to reauthenticate. Most MFA tools have a default 30-day period until it requires the user, application, or system to reauthenticate, giving the attacker enough time to establish persistent access.

Beyond the Bypass
The agility and interconnectivity provided by public cloud has been a huge boon to the average worker, but the same is true for threat actors. Cloud environments are far more accessible than a traditional application sitting behind a perimeter. Attackers note it is simple to perform reconnaissance and determine customers and their likely naming conventions. From here, attackers can deploy highly automated attacks to thousands of accounts with attempted logins. An organization only needs a single user with poor password management for the attacker to find their way in and, as discussed, attackers have ways to circumvent MFA.

MFA is a great prevention tool that can slow or stop many attacks, yet like any other preventative security technology it can — and will be bypassed. While good security hygiene practices like MFA should continue to be utilized, organizations must change their mindset from stopping breaches to limiting the damage that breaches can cause after they occur. There are simply too many entry points into an organization to keep committed and organized attackers out.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5