MFA Bypass Techniques: How Does it Work?


Identification and authentication are the first phases of verification in the login process of an information system, and malicious threat actors use methods such as brute force to pass this phase without authorization. Authentication solutions are named for the number of factors used in the process. Single-Factor Authentication (SFA) requires only one element (e.g., a password) to authenticate the login. The process is called Two-Factor Authentication (2FA) when two factors (such as a randomly generated code) are required, and Multi-Factor Authentication (MFA) when more than two elements are needed for verification. Security experts recommend using two-factor, or preferably multi-factor, authentication in login processes.

Additionally, there are two authentication types: in-band and out-of-band. Authentication is in-band when the identity check is made in the same system or communication channel; a login page that requests a security code on the same page is an example. When the authentication factor is sent over a different system or channel, such as approving the login from another application or entering a PIN from a separate location, the authentication is out-of-band.

What is Multifactor Authentication?

Multifactor Authentication (MFA) is a security approach that uses multiple verification methods to authenticate a user before granting access to their profile, system, etc. MFA adds a new layer to the authentication process, strengthening security. Infrastructures and endpoint devices can be made safer and more secure using protection methods such as MFA.

Why Do We Need MFA?

Verifying user identity with MFA has become essential because threat actors have been using stolen or exploited user credentials, and another layer is needed to deny connections from unauthenticated parties.

We understand that there is a need for another factor, but why do we need “Multi-factor” Authentication? Single-factor Authentication (SFA) requires only one piece of evidence to authorize the user, primarily a password. Brute force attacks or stolen credentials bypass SFA, so another factor is needed to add a layer to this security process.

Multifactor Authentication (MFA) is a technique that requires more than one piece of evidence to authorize the user. If two pieces of evidence are needed for verification, this approach is called Two-factor Authentication (2FA) or 2-step verification. How many factors are needed to be more secure depends on the situation, but it is known that 2FA or MFA is more secure than SFA. The difference between 2FA and MFA is that 2FA requires only two factors; MFA, on the other hand, can add more layers until the login attempt no longer seems suspicious.

What are the Types of MFA?

There are three main types of authentication factors that work with MFA:
1. The first is the Knowledge Factor (something you know): anything the user knows that verifies their identity, such as a password, a credit card PIN, or a One-Time Password (OTP).
2. The second is the Possession Factor (something you have): any tool the user holds to verify themselves. It could be a security token such as a smart card, a USB flash drive, or a wireless tag, or one of the mobile authentication methods such as a mobile app, a text message, or an automatic phone call directly to the user.
3. The last is the Inherence Factor (something you are): a biological trait only the user has, such as a retina or iris scan, a fingerprint, the user’s voice, or facial recognition.

Although MFA is much more secure than other authentication solutions, it can be bypassed by various techniques. These techniques can be categorized into three main groups: Social engineering techniques, technical methods, and a mixture of both.

Social engineering techniques are generally non-technical; rather than attacking MFA itself, they exploit human error.

● Stealing the answers to the victim’s security/recovery questions with a fake website (phishing) is a widespread technique to bypass MFA.
● Attackers usually concoct a story (such as the victim having lost their phone or being in a hurry to get access), impersonate the victim, and contact the firm’s tech support to disable MFA or gain access.

Technical approaches to bypassing MFA usually exploit MFA itself or steal credentials with various techniques in order to eliminate the victim’s MFA.

● Skimming is used at Automated Teller Machines (ATMs) to steal people’s credit card credentials, directly bypassing factored authentication.
● The victim could be using an already compromised device, or the attacker could obtain admin access to it; the attacker can then do anything the device’s user can typically do. This technique is known as the Man-in-the-Endpoint attack.

● Attackers also abuse single sign-on (SSO), in which authentication is shared between systems. If a website that does not use MFA is connected to another website that requires MFA to log in, the attacker uses the one without the MFA requirement to gain access to the other.

● Exploiting authorization code flaws (also known as Response Manipulation or Status Code Manipulation) is another common way to eliminate MFA: if the response is like “Success: false,” changing it to “Success: true” may bypass the check, as may changing the status code from 401, 402, 403, etc. to 200 (OK).
● Stealing a victim’s session cookie and bypassing MFA with the stolen cookie, also known as the pass-the-cookie attack, is increasingly used by attackers nowadays.
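As an added illustration (not from the article), the vulnerable pattern beside its fix in Python: a flow in which the client acts on the `success` field of the MFA response can be defeated by editing that response, whereas a server that records the MFA result in its own session state ignores whatever the client claims. The names `Session`, `SERVER_SESSIONS`, `start_session` and the sample code `493821` are constructed for this example.

```python
import hmac
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    password_ok: bool = False
    mfa_ok: bool = False   # set only by the server, after it has verified the code

SERVER_SESSIONS: dict[str, Session] = {}
VALID_CODES = {"alice": "493821"}   # constructed sample; real systems verify TOTP/HOTP

def start_session(session_id: str, user: str, password_ok: bool) -> None:
    """First factor checked (or not); the second factor is still pending."""
    SERVER_SESSIONS[session_id] = Session(user, password_ok=password_ok)

# --- Vulnerable pattern: the client decides based on the JSON it receives. ---
def client_gated_login(mfa_response: dict) -> bool:
    """Whoever can edit the response ("Success: false" -> "Success: true") gets in."""
    return bool(mfa_response.get("success"))

# --- Hardened pattern: the server records the outcome and gates every
#     protected request on that record, never on what the client sends back. ---
def server_verify_mfa(session_id: str, code: str) -> dict:
    s = SERVER_SESSIONS[session_id]
    expected = VALID_CODES.get(s.user, "")
    ok = s.password_ok and hmac.compare_digest(code, expected)  # constant-time compare
    s.mfa_ok = ok                 # the authoritative record lives server-side
    return {"success": ok}        # informational only; editing it changes nothing

def server_authorize(session_id: str, client_claims: dict) -> bool:
    """client_claims is deliberately ignored; only the server's own state counts."""
    s = SERVER_SESSIONS.get(session_id)
    return bool(s and s.password_ok and s.mfa_ok)
```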

● Some MFA applications use One-Time Passwords (OTPs). An OTP app displays a randomly generated number derived from a predetermined “seed value,” and the authentication system waits for the user to enter the code to verify their identity. If the attacker obtains this seed value, they can generate their own OTP codes to bypass MFA. This process is known as duplicate code generation.
● Another bypass technique is the SIM swap scam (SIM-jacking). Usually, people contact their provider to get their SIM restored when their phone is stolen or lost. Attackers exploit this idea because they know the victim’s personal information well: they contact the provider using the gathered details of the victim and port the phone number to a device the victim does not own. In this way, the attackers can steal codes sent by SMS-based MFA.
● MFA fatigue is one of the most recent techniques to bypass MFA and is becoming common among attackers. It resembles a brute force attack: the attacker triggers many access notifications until the victim approves one.
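To show what the seed value is and how a verifier limits the damage when a code is observed, here is an added Python implementation of the standard TOTP algorithm (RFC 6238 on top of RFC 4226 HOTP), not taken from the article: the same `hotp` function runs in the authenticator app and on the server, so whoever holds the seed computes identical codes. The `TotpVerifier` class is an assumed server-side design that compares in constant time, tolerates one step of clock skew, and refuses to accept a time step twice.

```python
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 time step in seconds
DIGITS = 6
WINDOW = 1     # also accept the previous and next step (clock skew)

def hotp(seed: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** DIGITS:0{DIGITS}d}"

def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter derived from the clock. This is all an
    authenticator app does, which is why a leaked seed equals leaked codes."""
    return hotp(seed, unix_time // STEP)

class TotpVerifier:
    """Assumed server-side verifier: constant-time compare, bounded skew window,
    and each time step can be consumed only once, so a captured code cannot be replayed."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed             # store encrypted at rest in a real deployment
        self.last_counter = -1       # highest time step already used by this user

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if c <= self.last_counter:          # already consumed: treat as replay
                continue
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.last_counter = c
                return True
        return False
```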

How Can Hackers Bypass Multi-Factor Authentication?

Multi-factor authentication (MFA) is an authentication protocol that asks users for additional factors in order to log in to their accounts. Such additional factors include:

Something you know: This might include a password, a PIN, or the answer to a security question.

Something you have: This could be a mobile phone, hardware token, fob, security key, etc.

Something you are: This includes biometric information such as fingerprints, facial recognition, retina scan, or voice recognition.

Users are required to provide at least two of these additional factors to verify their identity.

How can Cybercriminals Bypass Multi-Factor Authentication?

Hackers can bypass MFA in much the same way as they would for two-factor authentication, where there is just a username and password. Below are some of the most common ways that MFA can be bypassed:

Social Engineering:

Social engineering techniques, such as phishing, are a standard way for attackers to obtain credentials. For example, in some cases they will try to log in to an organization’s cloud service provider, which sends an SMS message with the verification code to the account owner. The hacker will then email the account owner asking for the verification code. Of course, for this to work, the hacker must convince the user that they are a trusted entity.

In some cases, the hacker will email an unsuspecting employee to obtain basic personal information. Using this information, they might try to call the service provider and explain that they have been locked out of their account and want help getting back in.

Consent Phishing:

Another social engineering technique that is becoming popular is known as “consent phishing”. This is where hackers present what looks like a legitimate OAuth login page to the user. The hacker will request the level of access they need, and if access is granted, they can bypass MFA verification.

Brute Force:

One of the main benefits of multi-factor authentication is that it makes it a lot harder for hackers to brute-force-guess account passwords. Although it makes it more challenging, it doesn’t make it impossible. For example, hackers may look for the user’s photos on social media, which they can use to bypass MFA, which uses facial recognition as an additional factor. In some extreme cases, they may try to find the user’s fingerprints by dusting a smooth or non-porous surface with fingerprint powder and then photographing the prints using a high-resolution camera.

Exploiting Generated Tokens:

Many online services use authentication apps, such as Microsoft Authenticator and Google Authenticator, to generate temporary tokens which can be used as an authentication factor.

In some cases, these services will keep a list of authentication codes, which the service provider uses in case of an account lock-out. Hackers will try to obtain this list by exploiting poor data security practices to bypass MFA.

Session Hijacking:

Session hijacking is where an attacker steals session cookies, which contain a user’s authentication credentials. Session cookies are used by many web applications to provide a customized browsing experience and track the user’s activity. These session cookies remain active until the user logs out and are sometimes sent to the server over an insecure connection.

Hackers can easily find out whether session cookies are left unsecured, and can steal them via a man-in-the-middle attack. Once they have access to a session cookie, they can bypass MFA.

SIM Hacking:

Cybercriminals are able to gain access to your mobile device using one of three methods: SIM-jacking, SIM swapping, and SIM cloning, which are explained in more detail below:

SIM-jacking: Hackers send a piece of spyware-like code to a target device using an SMS message. If the user opens the message, the hacker will be able to spy on the victim, thus potentially gaining access to their credentials.

SIM swapping: The hacker will contact your mobile service provider and ask for a replacement SIM card. Since it is not uncommon for users to request new SIM cards, perhaps because they are upgrading to a new device, the service provider may oblige and send them a new card. Once the hacker has the new SIM card, they can use it to gain access to your account, assuming the account uses SMS verification as one of the MFA factors.

SIM cloning: This is where the hacker gains access to your physical device, removes the SIM card, and using smart card copying software, copies the SIM data onto a blank card. The hacker will then insert the newly created SIM card into their phone, and receive phone calls and text messages to that SIM, including MFA authentication codes.

How to Strengthen Multifactor Authentication?

Given that the easiest way to bypass MFA is to convince users to hand over credentials and/or personal data, it is crucially important that your employees are trained to identify social engineering attacks, such as phishing emails, suspicious phone calls, and SMS messages. Below are some more tips to strengthen MFA:

Choose your authentication methods wisely:

If you want to be extra secure, it’s probably a good idea to avoid SMS-based authentication altogether, as SMS OTPs are easier to compromise than other methods. If you do want to use SMS verification, consider setting up a SIM card lock, which means that a PIN is required to modify your SIM card. Try to use biometric authentication whenever possible. After all, few hackers will bother to dust your door knobs with powder in order to get a copy of your fingerprint.

Use adaptive multi-factor authentication:

Consider using adaptive multi-factor authentication (AMFA), which is a more contextual approach to MFA. With AMFA, each request is validated by examining the user’s geolocation, IP reputation, device, and login behaviors.

Use complex passwords, restrict access, and monitor logon attempts:

Make sure that your users are using strong and unique passwords. Passwords should either be long alphanumeric strings with upper and lower case characters or a passphrase that is difficult to guess. It’s always a good idea to ensure that users are granted the least privileges they need to perform their roles. That way, if an adversary does manage to bypass MFA, there’s less damage they can cause.

Ensure that you can detect and respond to abnormal login attempts. Some sophisticated real-time change auditing solutions can detect and respond to events that match a pre-defined threshold condition. For example, suppose x logon attempts occur within a given time frame. In that case, a custom script can disable the user account, shut down the affected server, and do anything else that helps contain the threat. These solutions can also work in cloud-based environments.
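An added Python sketch (not from the article) of the threshold detection described above, run over constructed log lines: a sliding window per user and rule fires once when the count reaches the limit, covering both the “x logon attempts within a time frame” case here and the MFA fatigue pattern of repeated push prompts described earlier. The log format, event names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <event>" (format is an assumption)
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice LOGON_FAIL
2024-05-01T09:00:03 alice LOGON_FAIL
2024-05-01T09:00:04 alice LOGON_FAIL
2024-05-01T09:00:06 alice LOGON_FAIL
2024-05-01T09:00:07 alice LOGON_FAIL
2024-05-01T09:10:00 bob LOGON_OK
2024-05-01T09:10:05 bob MFA_PUSH_SENT
2024-05-01T09:10:20 bob MFA_PUSH_DENIED
2024-05-01T09:10:40 bob MFA_PUSH_SENT
2024-05-01T09:11:10 bob MFA_PUSH_SENT
2024-05-01T09:11:30 bob MFA_PUSH_SENT
2024-05-01T10:00:00 carol LOGON_FAIL
2024-05-01T11:00:00 carol LOGON_FAIL
"""

# rule name -> (events counted, threshold, window); thresholds are illustrative
RULES = {
    "logon_burst": ({"LOGON_FAIL"}, 5, timedelta(minutes=1)),
    "mfa_fatigue": ({"MFA_PUSH_SENT"}, 3, timedelta(minutes=5)),
}

def detect(log_text: str) -> list[tuple[str, str, str]]:
    """Return (rule, user, time) once per (rule, user) when the number of matching
    events inside the sliding window reaches the threshold."""
    windows = defaultdict(deque)   # (rule, user) -> timestamps still inside the window
    fired, alerts = set(), []
    for line in log_text.splitlines():
        ts_text, user, event = line.split()
        ts = datetime.fromisoformat(ts_text)
        for rule, (events, limit, span) in RULES.items():
            if event not in events:
                continue
            q = windows[(rule, user)]
            q.append(ts)
            while ts - q[0] > span:            # drop events that fell out of the window
                q.popleft()
            if len(q) >= limit and (rule, user) not in fired:
                fired.add((rule, user))
                alerts.append((rule, user, ts_text))  # hand off to response: disable account, etc.
    return alerts
```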
