Multi-factor authentication (MFA) is not a panacea against cyber threats. Despite long being the darling of cyber insurance providers, threat actors have learned how to skirt its protections. Businesses can take steps to implement MFA securely and layer it with other controls to reduce the risk of bypass attacks to make it a valuable part of their security stack. 

MFA became a popular security control for security practitioners following the surge in cybercrime during the global pandemic. In the same way insurance companies drove the adoption of seat belts to reduce the severity of automobile accidents, cyber insurers drove MFA adoption as businesses adapted to support remote connections and stop unauthorized access.

Widespread adoption of MFA has undoubtedly improved cyber hygiene and prevented many credential stuffing and brute force attacks from succeeding. However, the cyber threat landscape continues to evolve, and threat actors change their tactics, techniques, and procedures (TTPs) to bypass many forms of MFA. 

Companies should continue to adapt in the same way threat actors do — by understanding which types of MFA are effective, which are risky, and how to best implement MFA.  

Weak MFA implementation can easily be bypassed

MFA validates a user’s identity using multiple additional attributes: something you know, something you have, or something you are. Often, the "something you have" is a code provided via a third-party authentication app, SMS message, or signal from a hardware token. With MFA, even if a threat actor has a username and password (something you know), they still have to bypass one or more additional MFA steps.

However, threat actors attempt to bypass MFA using various low-tech solutions to gain access to corporate networks. Not all MFA implementations are created equal, and some methods are easier to defeat.

SIM-swapping attacks to defeat SMS MFA

Recently, the U.S. Securities and Exchange Commission (SEC) account on X (formerly Twitter) was hacked through a SIM-swapping attack. SIM swapping occurs when threat actors transfer a phone number to a device they control. The SEC did not have MFA enabled on its account during the attack due to "issues accessing the account" after X made SMS-based MFA a paid feature. While I dislike X's decision to put a security control behind a paywall, SMS MFA is by far the weakest type of MFA available and, in my opinion, is an inappropriate security control for a business or government account to employ. X continues to provide free MFA support using an authenticator app or security key, and these are both far superior MFA options.

SIM-swapping attacks rely most often on social engineering support personnel at telecommunications carriers. Threat actors contact support, impersonate their victim, and pretend to have lost or damaged the SIM card for their phone. They can "validate their identity" using details purchased from data brokers or gathered from public data breaches. Alternatively, threat actors may phish their victims with SMS messages and gain access to the victim's credentials or device.

When push notifications turn into fatigue

The SEC is not the only organization to fall prey to MFA bypass attacks. In late 2022, Uber suffered a high-profile cyber incident due to "MFA fatigue" attacks, in which threat actors overwhelm users with requests to authenticate their login attempts. 

MFA push notifications can reduce friction for users by allowing them to receive a prompt on their mobile device that confirms or denies the access attempt. They don't need to unlock their phone, open an app, worry about timeouts for the code, or type anything into a form. Unfortunately, while this reduces friction for users, it creates opportunities for compromise. If the threat actor has the user’s credentials, they can bombard the user with authentication requests until the beleaguered user makes a mistake and clicks approve instead of deny, or in a fit of frustration or confusion, gives up and validates the threat actor's request.

The takeaway? The type of MFA a business implements matters.

Advanced MFA implementation for defense-in-depth

Despite the risks associated with poorly-implemented MFA, when used properly, it has value for preventing unauthorized access and as a phishing mitigation.

Instead of relying on push notifications or SMS codes, businesses should rely on more secure MFA methods, such as codes generated by an authenticator app, or consider implementing a FIDO2 MFA program. A biometric response such as a fingerprint reader on a phone or laptop or a FIDO2 security key can save steps and prevent employees from accidentally giving away the keys to the kingdom. These devices remove the option for fatigued users to "give up" and validate requests by tying MFA authentication directly to the device. While adopting FIDO2 may take longer, its credentials are unique across every website, never leave the user's device, and are never stored on a server. This eliminates many of the pitfalls currently being used to bypass weaker MFA.

MFA can also be layered with security controls such as zero trust network access (ZTNA). ZTNA is part of the zero trust security model, which operates on the principle of "least privileged access" and only provides employees with the minimum level of access needed to perform their jobs. MFA is about authentication; confirming that a user is who they say they are. ZTNA is about authorization; a user is authenticated and, based on their identity, permitted to perform certain tasks and access certain data. Because authorization depends on authentication (we need to know who you are to determine what you're permitted to do), MFA is an important complement to ZTNA.

When combined with other security controls, MFA can be a strong component of a defense-in-depth security posture, where security controls layer together to create holistic protection. Under this model, even if threat actors gain credentials to access corporate networks, their attack may still be thwarted or at least weakened.

How businesses can avoid MFA bypass attacks

Regardless of how mature a business' security model is, persistent threat actors always pose a risk. The following steps are best practices for MFA implementation that help mitigate the risk of MFA bypass attacks. 

1. Do not use SMS-based MFA

2. Avoid allowing MFA push notifications if possible, or train users against MFA fatigue attacks if necessary

3. Consider implementing FIDO2 MFA for the highest level of MFA protection

4. Always validate requests to update or change authentication methods

5. For added protection, layer MFA with other security controls

Whether you are accounting for the human element or digital risks, exposure is inevitable in our digital economy. Unfortunately, few businesses have the resources to detect, prevent, and respond to every cyber threat.

Businesses looking to enhance their security posture can also sign up for around-the-clock monitoring with Coalition Managed Detection and Response (MDR) provided by CIR. MDR provides businesses with continuous monitoring without the cost associated with standing up a 24/7 security operations center (SOC).

Insurance products referenced herein are offered by Coalition Insurance Solutions, Inc. (“CIS”), a licensed insurance producer with its principal place of business in San Francisco, CA (Cal. license #0L76155), acting on behalf of a number of unaffiliated insurance companies. A list of our admitted carriers is available here. Complete license information for CIS is available here. Insurance products offered through CIS may not be available in all states. All insurance products are governed by the terms and conditions set forth in the applicable insurance policy. Please see a copy of your policy for the full terms and conditions. Any information on this communication does not in any way alter, supplement, or amend the terms and conditions of the applicable insurance policy and is intended only as a brief summary of such insurance products. Policy obligations are the sole responsibility of the issuing insurance carrier. The descriptions provided herein are solely for informational purposes and are not to be construed as advice of any kind or the rendering of consulting, financial, legal, or other professional services from Coalition. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information.