Multi-Factor Authentication (MFA) is the process of a user or device providing two or more different types of proofs of control associated with a specific digital identity, in order to gain access to the associated permissions, rights, privileges, and memberships. Two-Factor Authentication (2FA) implies that exactly two proofs are required for a successful authentication, and is a subset of MFA.
“Most companies that use MFA are still successfully hacked.” — Roger Grimes, 2018
Contrary to popular belief, all multi-factor authentication mechanisms can be compromised, and in some cases, it’s as simple as sending a traditional phishing email.
Decades of successful attacks against single-factor authentication methods, like login names and passwords, are driving a growing large-scale movement to more secure, multi-factor authentication (MFA) solutions in both corporate environments and by websites everywhere. This trend is exemplified by the fact that over the last few years, the most popular websites and services, including those owned by Google, Microsoft, Facebook, and Twitter, have offered MFA solutions to their customers. Many internet sites and services now offer both traditional login name/password solutions and more secure, MFA options.
Some large companies like Google are reporting great success in defending against some common hacking attacks by moving their user base from single-factor to multi-factor authentication. MFA solutions are supported by default in the most popular operating systems, and additional MFA solutions are offered by hundreds of third-party vendors. Common open MFA standards, such as those promoted by the FIDO Alliance, are being widely adopted.
MFA was previously used (mostly) for organizations and websites needing the highest security assurance. Today, MFA tokens are being offered or used by ordinary organizations and websites, and MFA tokens can be purchased as low as a few dollars per device. Many consumers trust the security of MFA solutions so much that they are purchasing and using MFA, when possible and allowed, on all the websites and services which allow it.
The broader adoption of MFA is a positive development for computer defenses and will defeat many of the threats that would otherwise be more readily successful against single-factor authentication solutions. All other things considered equal, all admins and users should consider and use MFA solutions instead of single-factor authentication solutions to protect sensitive data.
With that said, the ability of MFA to reduce computer security risk has been overstated by many vendors and proponents, leading to a misunderstanding that the application of MFA means all attacks that were successful against single-factor authentication cannot be successful against MFA. For example, many MFA admins and users believe that email phishing is no longer a threat because users cannot be phished out of their login credentials. This is not true.
While MFA does reduce, and in some cases, significantly reduce particular computer security risks, most of the attacks that could be successful against single-factor authentication can also be successful against MFA solutions. There are over a dozen ways to attack different MFA solutions. Often, a single MFA solution is susceptible to multiple exploitation methods.
Get your copy of the full 41-page eBook for everything you need to know about multi-factor authentication including the information listed here, as well as a deep dive on the dozens of ways it can be hacked. Plus get advice on the best ways to defend your organization from the bad guys.
There are well over a dozen ways to hack MFA solutions. Some of these attacks have been successfully used against millions of MFA-protected users. Every particular type of MFA solution is susceptible to multiple hacking methods. There simply is no MFA solution that can’t be hacked, multiple ways. Anyone claiming that their solution is unhackable is either lying to you or naïve. Either way you don’t want to be doing business with them. There are some MFA methods are more resilient to hacking or particular types of hacking. Although in most cases, as an MFA becomes less susceptible to hacking, the harder it is for the end-user to use. Security is always a usability-security trade-off, and MFA Is no different. Many people mistakenly believe that their use of an MFA device makes them unhackable. Nothing could be further from the truth.
General Ways to Hack MFA
When thinking about how MFA solutions are hacked there are four general ways: Social Engineering, Technical, Physical Attack, and Mixed.
Social engineering refers to the involved human element using the MFA solution inadvertently in a way that results in its bypass or misuse.
Technical manipulation refers to the methods of exploitation and manipulation that did not require that the human user make a mistake.
Physical attacks involve things like copying fingerprints and directly access secret keys on a key fob using an electron microscope.
Many MFA hacking methods require a mixture of two or more methods, although the vast majority require social engineering along with a technical attack.
No matter what the hacking methods are, they are attempts at taking advantage of weaknesses between the steps of authentication: identity, authentication secret storage, authentication, or authorization. The attacks are malicious interruption, modiﬁcation, or false representation of one or more of those steps or transitioning between those steps.
Note: Often times an MFA solution provider will defend their solution against a successful demonstrated hack by saying that their MFA solution, itself, didn’t fail. And while this may be true in the technical sense, MFA solutions are not ultimately tested in sterile laboratories where only direct attacks count. If the MFA solution fails the user for any reason, in the user’s mind, the MFA solution has failed. They doesn’t care so much about the details of whether or not the MFA solution itself was technically responsible.
Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, will explore 12 ways hackers use social engineering to trick your users into revealing sensitive data or enabling malicious code to run. Plus, he'll share a (pre-filmed) hacking demo by KnowBe4's Chief Hacking Officer, Kevin Mitnick.
All multi-factor authentication (MFA) mechanisms can be compromised, and in some cases, it's as simple as sending a traditional phishing email. Want to know how to defend against MFA hacks? This eBook covers over a dozen different ways to hack various types of MFA and how to defend against those attacks.