How Hackers Bypass MFA and How to Prevent It: KnowBe4’s Roger Grimes
MFA is believed to be far more secure than other authentication techniques but is not completely foolproof. Let’s look at what ails MFA security and how to choose the right MFA solution.
In today’s dynamic environment, basic password protection is no longer sufficient. Multi-factor authentication (MFA) solutions significantly mitigate the risk of hacking and brute-force password attacks, but are they entirely hack-proof? Fear of data breaches compelled organizations to adopt MFA solutions to protect sensitive data, but KnowBe4’s Roger Grimes warns that the solution is not impenetrable and cautions about its vulnerabilities. In his session at SpiceWorld Virtual 2021, Grimes shared strategies to overcome MFA challenges.
The constant threat of cyberattacks has forced enterprises to switch to more dependable forms of security at various levels. At the application level, multi-factor authentication (MFA) has emerged as one of the most sought-after security measures compared to user-generated passwords.
Even though MFA adds a layer of security, having MFA in place doesn’t completely rule out the possibility of unauthorized intrusions. According to KnowBe4, 48% of cybersecurity breaches are not preventable, even with a strong MFA.
According to Avast, MFAs are deployed with the knowledge factor (something the user knows) and the possession factor (something only the user has).
“All MFAs have trade-offs. Stronger isn’t necessarily better. Many times hackers are not really hacking the MFA solution but a dependency in the MFA solution. If a particular bit of input or data coming into an MFA is malformed, it helps attackers to take over the MFA solution. Vulnerabilities in MFA are often found in transitions,” warned Roger Grimes, award-winning author and data-driven defense evangelist at KnowBe4, a security awareness company.
Addressing a session on hacking multi-factor authentication at the three-day SpiceWorld Virtual 2021 tech conference, Grimes stressed the importance of being aware of the various ways in which MFA solutions can be hacked. He also shared tips on choosing the right MFA solution for enterprises. “Whatever type of MFA you choose, you need to educate everyone about the common possible attacks for that type of MFA,” he said.
Most security experts agree that MFAs are not entirely impenetrable. Seeing the rising interest in MFAs, attackers, too, have shifted their focus to targeting these solutions and are looking to exploit their weaknesses.
“MFA is one of the most popular and widespread ways to make the account login process more secure. The more layers (factors) of authentication users have, the better. Today, there are a lot of advanced types of MFA like biometrics or security tokens. However, we’re also observing more cases of MFA breach as well as fraud techniques becoming more sophisticated,” said Dmitry Galov, a security expert at Kaspersky GReAT (Global Research and Analysis Team).
How Are MFAs Compromised
During his session, Grimes listed nine techniques used by cybercriminals to hack MFAs:
- Social Engineering
- Eavesdropping or Man-in-the-middle attack (MiTM)
- Exploit programming bug
- Weak verification between components
- Alternate recovery/bypass
- Weak default configuration settings
- Data/network traffic malformation
- Third-party reliance issues, such as DNS, Active Directory
- Physical attacks
Grimes explained how some of these techniques are used by attackers to hack different MFAs. For instance, in SMS-based MFA, users get a code through SMS that they enter in their browser, making it easy to hack. “Letter of authorization can be bypassed and faked with SIM swap and used to intercept the SMS code. Similarly, fake SMS recovery methods can be used by attackers to take over accounts. In general, SMS-based MFA is unreliable as anyone can fake to be anyone,” Grimes said.
Christopher Budd, senior threat communications manager, Avast, feels that MFA as a concept is sound, but some MFA implementations have failed. Most notably, some MFA systems rely on SMS or call-based authentication, which attackers can intercept.
“Wiretapping and SIM swapping attacks demonstrate that an attacker does not need to have access to the user’s phone in order to perform the authentication,” warns Budd. Attackers can send a message pretending to be a bank or an online account and request users to enter a verification code to log in to their accounts.
Attackers are also using social engineering and phishing techniques to lead their targets to a lookalike site to log in to a service. Budd points out that attackers relay the MFA one-time password prompt to the victim during the login process. If the victim enters the MFA PIN, the attacker gains access and returns an error to the victim. This way, the attacker has temporary access to the account. This access is temporary because the attacker will need to obtain the MFA PIN again if the session ends.
Grimes believes that app-based MFAs are comparatively more secure as they require users to log in to use them and are not dependent on phone numbers. However, they are still vulnerable to MiTM attacks. “Users can be sent an email and asked to log in, and they may do so thinking they are going to a legitimate website, but they can be led onto a proxy website, which can allow the attacker to see everything and steal the session cookie and steal the session,” he adds.
Grimes is also not in favor of biometric-based MFAs like fingerprints and faces and points out that they are not secrets and can be stolen and mimicked easily. Once they are stolen, how can any system relying on biometrics tell if the person using it is genuine? He also called out some of the issues with Quick Response (QR) code-based MFA, adding, “if someone can get hold of the seed value of the QR codes, if they don’t expire, they can make use of additional instances of Google authorized authentication.”
Which MFAs Can Be Trusted
Budd believes that in comparison to SMS and call-based authentications, most other MFA solutions provide higher-level protection against identity theft and other online fraud. “Enterprises should be looking at MFA that uses software or hardware based tokens such as Yubikey for best protections,” he added.
Grimes also supported the idea of hardware-based tokens that ask users to pre-register a device with each website, as that prevents man-in-the-middle attacks. “I like multi-factor FIDO 2 (Fast Identity Online Standard) solutions as they are resistant to man-in-the-middle attacks. I also like the fact that they use open standards like OATH and OATH OCRA, which are open authentication and authorization standards. I like any vendor that uses these open standards in their hardware tokens,” said Grimes.
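Why a pre-registered FIDO2 credential defeats the proxy-site attack Grimes and Budd describe above comes down to two checks that the proxy cannot satisfy: the browser scopes the credential to the domain the page is really loaded from, and the signed client data names that origin, which the relying party compares with its own. The following added example (not code from the article, from KnowBe4, or from any FIDO vendor) models both checks in Python. All origins and credentials are constructed, and HMAC-SHA256 stands in for the authenticator's per-credential private-key signature, which in real WebAuthn is an asymmetric signature such as ECDSA.

```python
import hashlib
import hmac
import json
import secrets


def rp_id_from_origin(origin: str) -> str:
    """Effective domain of an origin, e.g. https://bank.example:443/login -> bank.example."""
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


class Authenticator:
    """Toy authenticator. Each credential is scoped to the relying-party ID it was registered
    for. HMAC-SHA256 stands in for the per-credential private key (real WebAuthn uses ECDSA or
    similar); only the scoping and what gets signed matter for this illustration."""

    def __init__(self) -> None:
        self._creds = {}  # rp_id -> (credential_id, key)

    def make_credential(self, rp_id: str) -> tuple:
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key  # the relying party stores the verification key at enrollment

    def get_assertion(self, rp_id: str, client_data_hash: bytes) -> dict:
        if rp_id not in self._creds:
            raise LookupError(f"no credential registered for rpId {rp_id!r}")
        cred_id, key = self._creds[rp_id]
        # authenticatorData = SHA-256(rpId) || flags (UP set) || 32-bit signature counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return {"credentialId": cred_id, "authenticatorData": auth_data, "signature": sig}


class Browser:
    """The browser, not the page, fills in clientData.origin from the URL actually loaded and
    derives rpId from it. A proxy page therefore cannot claim to be the real site."""

    def __init__(self, authenticator: Authenticator) -> None:
        self.authenticator = authenticator

    def credentials_get(self, page_origin: str, challenge: str) -> dict:
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True).encode()
        assertion = self.authenticator.get_assertion(rp_id_from_origin(page_origin),
                                                     hashlib.sha256(client_data).digest())
        return {"clientDataJSON": client_data, **assertion}


class RelyingParty:
    def __init__(self, origin: str) -> None:
        self.origin, self.rp_id, self.keys = origin, rp_id_from_origin(origin), {}

    def enroll(self, cred_id: bytes, key: bytes) -> None:
        self.keys[cred_id] = key

    def verify_assertion(self, challenge: str, assertion: dict) -> tuple:
        """Server-side checks in order; each failure reason is distinct so it can be logged."""
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") != challenge:
            return False, "challenge mismatch (replay or wrong session)"
        if cd.get("origin") != self.origin:
            return False, f"origin mismatch: signed for {cd.get('origin')}"
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        if not auth_data[32] & 0x01:
            return False, "user presence not asserted"
        key = self.keys.get(assertion["credentialId"])
        if key is None:
            return False, "unknown credential"
        expected = hmac.new(key, auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        return True, "ok"


def scenario() -> dict:
    """Legitimate login versus the same login attempted through a lookalike proxy site."""
    bank = RelyingParty("https://bank.example")      # constructed origin
    proxy_origin = "https://bank-login.example"      # constructed lookalike relay
    token = Authenticator()
    bank.enroll(*token.make_credential(bank.rp_id))  # pre-registration on the real site
    browser = Browser(token)
    results = {}

    challenge = secrets.token_hex(16)
    ok, _ = bank.verify_assertion(challenge, browser.credentials_get(bank.origin, challenge))
    results["legitimate_login_accepted"] = ok

    # The proxy relays the real challenge, but the browser scopes the request to the proxy's
    # domain, for which the authenticator holds no credential at all.
    relayed = secrets.token_hex(16)
    try:
        browser.credentials_get(proxy_origin, relayed)
        results["proxy_refused_by_authenticator"] = False
    except LookupError:
        results["proxy_refused_by_authenticator"] = True

    # Even if a broken client signed with the real credential, the origin inside the signed
    # clientData still names the proxy, so the server rejects it before checking the signature.
    forged_cd = json.dumps({"type": "webauthn.get", "challenge": relayed,
                            "origin": proxy_origin}, sort_keys=True).encode()
    forged = {"clientDataJSON": forged_cd,
              **token.get_assertion(bank.rp_id, hashlib.sha256(forged_cd).digest())}
    ok, reason = bank.verify_assertion(relayed, forged)
    results["proxy_origin_rejected_by_server"] = (not ok) and reason.startswith("origin mismatch")
    return results
```

Contrast this with the SMS and app-based flows discussed earlier: there the code the user types carries nothing that identifies where it was typed, so a proxy can forward it unchanged. Here the origin is part of what is signed, and the proxy cannot rewrite it without invalidating the signature.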
Grimes also weighed in favor of phone app-based MFAs, especially those that offer push notifications. He also noted that TOTP (time-based one-time password) solutions are more reliable than event-based one-time password solutions: a TOTP code has to be used within the next 30 seconds, after which it changes, whereas some event-based codes never expire and can still be used several months later.
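The expiry difference Grimes draws, and the seed-leakage problem he raises for QR-code enrollment, are easiest to see in the two standards behind these apps: HOTP (RFC 4226, event-based) and TOTP (RFC 6238, the same construction with a time step as the counter). The Python below is an added example, not code from the article or from any MFA vendor; the verifier logic is a minimal illustration rather than a product implementation. The secret is the published RFC test-vector key and the timestamp is constructed.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Server-side TOTP check. Accepts the current step plus or minus `window` steps to absorb
    clock drift; anything older is rejected because the code has rolled over."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * step, step), code):
            return True
    return False


class HotpVerifier:
    """Server-side HOTP state. Nothing ties a code to a time: it stays valid until the counter
    moves past it, so a code generated months ago is still accepted if it was never used."""

    def __init__(self, secret: bytes, look_ahead: int = 10) -> None:
        self.secret = secret
        self.counter = 0  # next counter value expected from the token
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resynchronise; this and earlier counters are now dead
                return True
        return False


def seed_from_qr_payload(b32_secret: str) -> bytes:
    """Decode the base32 secret carried in an otpauth:// enrollment QR code. Whoever holds
    this seed can compute every future code, which is the risk Grimes describes."""
    padded = b32_secret.upper() + "=" * (-len(b32_secret) % 8)
    return base64.b32decode(padded)


def demo() -> dict:
    """Walk through the expiry difference and the seed-cloning risk; every check returns True."""
    rfc_secret = b"12345678901234567890"  # published test-vector key from RFC 4226 / RFC 6238
    issued_at = 1_000_000_000            # constructed timestamp
    results = {}

    # Time-based: the code is good for its 30-second step (plus one neighbour), then dies.
    code = totp(rfc_secret, issued_at)
    results["totp_valid_now"] = verify_totp(rfc_secret, code, issued_at)
    results["totp_valid_after_30s"] = verify_totp(rfc_secret, code, issued_at + 30)
    results["totp_rejected_after_60s"] = not verify_totp(rfc_secret, code, issued_at + 60)

    # Event-based: a code nobody has submitted yet never expires, but replay is blocked.
    server = HotpVerifier(rfc_secret)
    stale_code = hotp(rfc_secret, 0)  # generated long ago, never typed in
    results["hotp_stale_code_still_accepted"] = server.verify(stale_code)
    results["hotp_replay_rejected"] = not server.verify(stale_code)

    # Seed cloning: the same QR payload enrolled on a second device yields identical codes.
    qr_payload = base64.b32encode(rfc_secret).decode()  # what an otpauth:// URI carries
    cloned_seed = seed_from_qr_payload(qr_payload)
    results["cloned_seed_produces_same_code"] = totp(cloned_seed, issued_at) == code
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The `look_ahead` window in `HotpVerifier` is what makes event-based codes linger: the server must tolerate presses on the token that never reached it, so every counter between the last accepted one and the look-ahead limit stays live indefinitely. TOTP has no such gap because the clock, not the user, advances the counter.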
How To Choose The Right MFA Solution
According to Grimes, there is no single best solution for everyone, but there is a best methodology for choosing the right MFA solution. He put a lot of emphasis on the role of vendors and cautioned against using an MFA solution if the vendor doesn’t reveal what encryption and cryptography they are using. Also, the cryptographic algorithms they are using should be generally accepted. If any vendor says they’re making some secret and brand new cryptography that is not generally accepted and used by everybody else, it’s best to avoid them.
“When I reviewed over 150 MFA vendors, around 10 of them are really used widely. Most of these vendors that have created MFA solutions have not really sold much of it. It is better to go with a vendor that has dozens to hundreds of customers out there. I know that sounds kind of unfair to a brand new vendor but that’s just the way it is,” he added.
He also pointed out that good vendors prioritize bug fixes, conduct regular pen testing, run open bug bounties, encourage hackers to report bugs, use open standards, don’t claim to be unhackable, and share their threat modeling practices.
Final Thoughts
According to Kaspersky’s Galov, MFA is no panacea against account hijacking, but it’s a formidable barrier to anything that would try to compromise an account protected by it. Even though every MFA has some trade-offs and can be hacked, using them significantly reduces the risk of attacks. As per Grimes, solutions that use hardware-based tokens and ask users to pre-register devices, and those whose passwords change within seconds, are more reliable than others. Likewise, vendors that are more open about their cryptographic algorithms, use open standards and are prompt about their solution’s security are worth their salt.