MFA Can Be Defeated, but Use It Anyway
- Post by Janet Gehring
- April 12, 2022
Multi-factor authentication (MFA) can be defeated, but you should always use it anyway. While no IT security tool is 100% foolproof, MFA is still one of the best ways to help keep your online accounts secure. Here’s what to know about MFA, how hackers try to bypass it, and how to identify an MFA scam.
With MFA enabled, an attacker needs more than just a username and password to gain access to your accounts or devices.
When you turn on MFA for a service, you change the security requirements. MFA forces you to provide at least two proofs of identity when accessing a secure service for the first time on an unknown device.
Those proofs of identity can be any combination of at least two of the following elements:
Most MFA systems today use the first item (your password) and the last item (your smartphone).
Authentication methods include receiving a code via text message, using an authenticator app on your phone, or even receiving a phone call where you press a key for authentication.
How the authenticator app works is interesting. The process is governed by a well-accepted standard that uses the Time-based One-Time Password algorithm (TOTP). That algorithm turns the authenticator app into a sophisticated calculator that generates codes from the current time on your device and a shared secret. The online service uses the same secret and its own clock to generate codes that it compares against your entry. Because both sides count from the same universal time, time zones are not a problem, but your codes will fail if the clock on your device is wrong.
There are several ways attackers can bypass MFA, including hacking your phone and prompt bombing.
If you receive a code via text message, cybercriminals can access that code if they’ve hijacked your phone number using a SIM swap. In this scenario, a hacker uses any of a number of methods to get the victim’s phone number transferred to a SIM card they control, so that any subsequent messages or phone calls – for instance, one with an MFA code – are redirected to the new phone. That’s one reason experts are increasingly urging a move away from SMS.
If you use an authentication app on your phone, be aware of prompt bombing. This often takes the form of receiving multiple notifications to confirm MFA with a touch of a button on your phone, but not always.
Methods of prompt bombing include:
There are even phishing toolkits that can be used in man-in-the-middle attacks to sneak past authentication protections. This is yet another reason to be extra careful with the emails and texts you open and the sites you visit.
Only confirm MFA if you’re initiating the sign-in. If you receive an MFA notification for an account you’re not trying to sign in to, immediately change your password for that account.
It’s estimated that implementing MFA can block 99% of automated attacks. Yes, using MFA adds an extra step and can be frustrating. Still, the minor inconvenience far outweighs the time and expense of recovering from a major loss.
Use MFA on every online account you can, including social media, password managers, financial services, Microsoft, Google, email, and even shopping and online commerce accounts where you’ve saved a credit card number.
If nothing else, the extra effort needed to try to defeat MFA may cause an attacker to choose someone else. That alone makes it worth it.
If you’d like to know more about how CRU Solutions can help keep your business safer, contact us.