New Threats to Multi-Factor Authentication - ThreatAdvice
A password was once thought to be the only authentication mechanism one needed to protect data. After years of compromised credentials and the rise of credential stuffing attacks, multi-factor authentication (MFA) has become the standard for critical accounts. Many companies, such as Microsoft, Google, and Apple, have begun enforcing multi-factor authentication, making it a requirement to access their services. Where a password was once thought to be all that was needed for authentication, most now see MFA as the only extra security needed to secure an account from cyber criminals.
Recently, it has become clear that MFA is not immune to attempts to subvert the authentication process. Cyber criminals have applied old techniques such as phishing attacks, social engineering, and adversary-in-the-middle (AiTM) tactics to defeat MFA. Hacking tools known as phishing kits increasingly include features to bypass MFA. Attackers are using new methods such as MFA phishing and MFA fatigue to fool the target into approving or providing the second form of authentication.
MFA Phishing – Cyber criminals armed with compromised credentials will email or call victims with the intent of tricking them into providing the one-time PIN needed to complete authentication. One social engineering technique involves calling the victim about blocking illegal logins into their account. The caller then tells the victim that, to help protect the account, they will receive an email or text with a one-time code, and that providing the code will let the account be protected. Victims often fall for this social engineering because the criminal is using fear and urgency. No one wants to have an account accessed by criminals, so they are more willing to help if they think it will protect their account. They do not realize they have just assisted the attacker in accessing their account.
MFA Fatigue – This technique has gained a lot of traction with cyber criminal groups. Cyber criminals have recognized that many people use their smartphone for MFA. The target is inundated with push notifications asking them to approve a login. It is easy to just tap approve on the screen when you are trying to log into an account. The criminals hope the victim will make a mistake, tap approve on their phone, and not give much thought to why they received the prompt in the first place. That is why they tend to try this trick in the middle of the night, hoping you are half asleep and do not realize you have approved the login.
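The pattern this attack leaves in push-MFA logs is a burst of prompts for one user, several denials or timeouts, and then an approval, often at night. The following Python is an added example (not code from ThreatAdvice) that flags that pattern; the log format, field names and thresholds are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-MFA log (not from the article): timestamp, user, result.
SAMPLE_LOG = """\
2024-03-10T02:41:05 alice push_sent
2024-03-10T02:41:07 alice push_denied
2024-03-10T02:41:40 alice push_sent
2024-03-10T02:41:55 alice push_denied
2024-03-10T02:42:30 alice push_sent
2024-03-10T02:42:31 alice push_timeout
2024-03-10T02:43:10 alice push_sent
2024-03-10T02:43:12 alice push_approved
2024-03-10T09:15:00 bob push_sent
2024-03-10T09:15:08 bob push_approved
"""

WINDOW = timedelta(minutes=10)  # look-back window before an approval
PUSH_THRESHOLD = 4              # prompts inside the window that count as a flood
NIGHT_HOURS = range(0, 6)       # assumed off-hours (00:00-05:59, log's local time)
REJECTS = ("push_denied", "push_timeout")

def parse(log_text):
    """Parse 'timestamp user result' lines into (datetime, user, result)."""
    events = []
    for line in log_text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events

def detect_mfa_fatigue(log_text):
    """Flag users who approved a push after a burst of prompts within WINDOW.
    Returns {user: {"prompts": n, "prior_rejects": n, "off_hours": bool}}."""
    per_user = defaultdict(list)
    for ts, user, result in parse(log_text):
        per_user[user].append((ts, result))
    findings = {}
    for user, events in per_user.items():
        for ts, result in events:
            if result != "push_approved":
                continue
            window = [(t, r) for t, r in events if ts - WINDOW <= t <= ts]
            prompts = sum(1 for _, r in window if r == "push_sent")
            if prompts >= PUSH_THRESHOLD:  # a normal login sends one prompt
                findings[user] = {
                    "prompts": prompts,
                    "prior_rejects": sum(1 for _, r in window if r in REJECTS),
                    "off_hours": ts.hour in NIGHT_HOURS,
                }
    return findings
```

A finding with several prior rejects and an off-hours approval is a strong signal to reset the session and contact the user, while bob's single prompt and approval is left alone.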
According to Microsoft's 2021 Digital Defense Report, cyber crime has become more sophisticated, widespread and relentless. Criminals continue to target critical infrastructure, including the healthcare, information technology, financial services, and energy sectors, with headline-grabbing attacks that cripple businesses and harm consumers. That is why everyone needs to keep cybersecurity at the forefront of their mind. Cyber hygiene matters to everyone, because everyone has data that needs to be secured and protected.