Pub. 12 2022-2023 Issue 5

Multi-Failure Authentication: Finding and Fixing Gaps in MFA

Multifactor authentication, or MFA, is widely regarded by security professionals as one of the best tools you can use to keep your accounts safe. By now, you probably already know how it works and why it keeps you more secure than a username and password alone. But is it good enough to stop every attack? As with anything, it has its weaknesses. So let's take a look at some of the attacks used against MFA and how you can keep them from succeeding.

Double Compromise

Properly implemented, multifactor authentication is great, but not every second factor is equal: a one-time passcode sent to your primary email address is one of the weakest methods.

The scenario: If the target's email account has been compromised, the attacker simply uses the "Forgot Password" link on the account in question and receives the reset email in the mailbox they already control. After resetting the password, they read the MFA code that is sent to the same mailbox and fully take over the account. Because email is serving as both the password-recovery channel and the second factor, one compromised mailbox defeats both. And even without a mailbox compromise, these one-time codes travel in ordinary email, which is not end-to-end encrypted, so any mail server that relays the message on its way to the recipient can read the code.

The solution: If you have a choice between email and another delivery method for your MFA codes, choose something else. An authenticator app or a hardware token is the strongest option; even a text message at least keeps the second factor out of the mailbox that also receives your password-reset links, although it has weaknesses of its own (see SIM Swap below).

Notification Fatigue

This is a newer tactic that attackers use to wear you down until you let them in. It only works against push-based MFA such as Duo Push or Microsoft Authenticator, that is, any implementation that asks you to tap "Yes" or "Allow" on your phone to approve a sign-in.

The scenario: An attacker has guessed, phished, or brute-forced a password. They try to sign in over, and over, and over again in the hope that the user will get tired of the notifications and just approve one, assuming it is something the account needs in order to work. Maybe they even do this late at night while the target is trying to sleep.

The solution: If your authenticator app starts going nuts, talk to IT and get your password reset for the affected account. The attacker can only trigger a push by presenting a valid password, so a reset cuts off the frenzy at its source. Always report any authentication request you didn't initiate; a prompt you weren't expecting means someone has your password, whether or not you approved it. Where your MFA provider offers number matching (the app makes you type a number that is displayed only on the sign-in screen), turn it on: the attacker sees that number but you don't, so a reflexive tap can no longer approve their session. Also, use your smartphone's scheduled do-not-disturb function to silence noncritical notifications while you sleep … or just keep your phone in another room.

Good Timing

The scenario: As with the last example, a password has been compromised and a push-based MFA solution is in place. The attacker learns the company's primary time zone and tries to log in at exactly 8:00 local time (or whenever they learn the workday starts). The idea is to time the attempt to the moment many employees are signing in for the day, so the attacker's push lands alongside the employee's own legitimate sign-in and is much more likely to be approved without a second look.

The solution: A push notification should give you additional details about the sign-in when you open it, typically the IP address and geolocation where the attempt originated, and often the application being accessed. If your business is in the United States and the sign-in is coming from China, that's one you'll want to say "No" to and report. Then a password change will be in order. Don't rely on location alone, though: an attacker working through a VPN or a proxy in your own country will look local, so the real signal is a prompt you didn't initiate. The safe habit is to approve a prompt only when you yourself have just typed your password, and never one that arrives on its own, however convenient the timing.
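As an added example (not part of the original article), here is the kind of check a security team can run over MFA sign-in logs to spot both patterns described above: a burst of push challenges to one user within a short window (notification fatigue) and an approved push whose source country is not where the business operates (the well-timed approval). The log lines, the field layout, the user names and the thresholds are constructed for illustration and do not correspond to any particular MFA vendor's export format; the IP addresses come from documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (hypothetical format: ISO timestamp followed by key=value fields).
# jsmith is hammered with pushes in the middle of the night, then approves one at 08:00 from
# the same foreign address; mjones is a normal user signing in from the expected country.
SAMPLE_LOG = """\
2023-03-14T02:10:05Z user=jsmith event=push result=timeout ip=203.0.113.7 country=CN
2023-03-14T02:11:40Z user=jsmith event=push result=denied ip=203.0.113.7 country=CN
2023-03-14T02:12:58Z user=jsmith event=push result=timeout ip=203.0.113.7 country=CN
2023-03-14T02:14:02Z user=jsmith event=push result=denied ip=203.0.113.7 country=CN
2023-03-14T02:15:30Z user=jsmith event=push result=timeout ip=203.0.113.7 country=CN
2023-03-14T02:17:11Z user=jsmith event=push result=timeout ip=203.0.113.7 country=CN
2023-03-14T07:58:44Z user=mjones event=push result=approved ip=198.51.100.23 country=US
2023-03-14T08:00:12Z user=jsmith event=push result=approved ip=203.0.113.7 country=CN
2023-03-14T08:01:03Z user=mjones event=push result=approved ip=198.51.100.23 country=US
"""


def parse_line(line: str) -> dict:
    """Turn one 'timestamp k=v k=v ...' line into a dict with a timezone-aware 'time' field."""
    timestamp, *fields = line.split()
    event = {key: value for key, value in (field.split("=", 1) for field in fields)}
    event["time"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_push_fatigue(events: list, window: timedelta = timedelta(minutes=10), threshold: int = 5) -> set:
    """Users who received at least `threshold` push challenges inside any sliding `window`,
    regardless of outcome: the volume itself is the indicator that someone holds the password."""
    times_by_user = defaultdict(list)
    for event in events:
        if event.get("event") == "push":
            times_by_user[event["user"]].append(event["time"])
    flagged = set()
    for user, times in times_by_user.items():
        times.sort()
        start = 0
        for end, current in enumerate(times):
            while current - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def find_unexpected_approvals(events: list, expected_countries=frozenset({"US"})) -> list:
    """Approved pushes whose source country is outside the set the business expects.
    These are the ones to review even though the user said 'Yes'."""
    return [
        event for event in events
        if event.get("event") == "push"
        and event.get("result") == "approved"
        and event.get("country") not in expected_countries
    ]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("push fatigue:", find_push_fatigue(parsed))                 # {'jsmith'}
    for odd in find_unexpected_approvals(parsed):
        print("approved from unexpected country:", odd["user"], odd["ip"], odd["time"])
```

Tune the window and threshold to your own baseline before alerting on them. As the section above notes, a proxy in the expected country defeats the geolocation check, so of the two the fatigue count is the more reliable signal; the approval check is there to catch the cases where the attacker did not bother to hide.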

OTP Phishing

The one-time passcode (OTP) is usually a six-digit code that is sent to your phone or generated by an authenticator app, and that you enter to complete a sign-in. Codes generated by an app typically rotate every thirty seconds, while codes sent by text message or email are usually valid for a few minutes; either way, once a code has been used it should be rejected. This attack relies on the attacker capturing the code from you and using it in real time, before it expires.

The scenario: After clicking a well-crafted phishing email, the target lands on a page that looks identical to a legitimate sign-in page. They enter their username and password and are then shown a screen asking for the OTP. Meanwhile, the attacker's kit is relaying the stolen credentials into the service's real login page, which in turn prompts for the OTP. When the target receives the code, they type it into the fake form, which forwards it to the attacker, who submits it on the real site within the validity window and is logged in. The attacker will often then register their own device as an additional MFA method so they can get back in later without having to phish the target again.

The solution: Almost everyone clicks a phishing link at some point. Using a password manager is a great way to avoid entering credentials into a fake page, because a good password manager will only autofill the password when the site in the address bar matches the one the entry was saved for; a lookalike address gets nothing. And a password you don't know is a password you can't unintentionally give out. A FIDO security key has the same property built into the protocol: it signs for the site's real origin and will not respond to an impostor, so there is no code to relay.
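As an added illustration (not code from any password manager), the following function applies the strict form of that autofill rule: fill only when the page is served over https and its host name is exactly the one the entry was saved for. The lookalike URLs are constructed for the example, and example.com is a reserved example domain. Real password managers differ in detail (many match on the registrable domain by default, and handle ports and internationalized names), so the exact-host rule here is an assumption.

```python
from urllib.parse import urlsplit


def autofill_allowed(stored_origin: str, page_url: str) -> bool:
    """Mimic a strict password-manager rule: fill only over https and only when the
    page host exactly equals the host the entry was saved for (hypothetical rule)."""
    saved = urlsplit(stored_origin)
    page = urlsplit(page_url)
    # .hostname is lower-cased and excludes any "user:pass@" prefix and any port,
    # so "https://login.example.com@evil.net/" correctly resolves to host evil.net.
    return (
        page.scheme == "https"
        and page.hostname is not None
        and page.hostname == saved.hostname
    )


# Constructed cases of the kind a phishing kit uses, mapped to the decision we expect.
SAVED_ENTRY = "https://login.example.com"
CANDIDATE_URLS = {
    "https://login.example.com/session?next=/home": True,
    "https://LOGIN.EXAMPLE.COM/": True,             # case does not matter in host names
    "https://login.example.com.evil.net/": False,   # the real host is evil.net
    "https://login.examp1e.com/": False,            # digit 1 standing in for letter l
    "https://login.example.com@evil.net/": False,   # userinfo trick; browser lands on evil.net
    "http://login.example.com/": False,             # plain http, so a network attacker could inject the page
}


def check_all(stored_origin: str = SAVED_ENTRY, candidates=CANDIDATE_URLS) -> dict:
    """Run the rule over every candidate URL and return the decision for each."""
    return {url: autofill_allowed(stored_origin, url) for url in candidates}


if __name__ == "__main__":
    for url, decision in check_all().items():
        print("FILL " if decision else "BLOCK", url)
```

Note what the rule does not do: it never looks for the saved host as a substring, which is exactly the mistake the first two lookalikes exploit. The human eye skims "login.example.com" and stops reading; the comparison does not.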

SIM Swap

This one is a low likelihood, so I saved it for last, but it's still worth mentioning as it's a high-impact attack.

The scenario: An attacker gathers a good amount of information about a high-value target, including their username, password, and phone number. Using social engineering, they contact the target's mobile carrier and ask to move the number to a new SIM card because they "lost their phone." The carrier's identity checks are talked past, the target's phone drops off the network, and the criminals now receive the target's calls and text messages. They log in with the stolen credentials, receive the text message carrying the OTP, and take over the account.

The solution: For critical accounts, use an authenticator app or FIDO token rather than a text-message code. Also check with your mobile carrier and set a port-out PIN or account passcode that must be given before your number can be moved to another SIM card. And if your phone suddenly loses service for no obvious reason, treat it as a possible SIM swap and contact your carrier right away.

Chris is the Vice President of Information Security for CivITas Bank Solutions, which exists to help community banks with IT and Information Security needs. You can email for more information.