How to Protect Corporate Accounts From Increasingly Common MFA Bypass Attacks?


Implementing multi-factor authentication (MFA) has now become standard practice for most organizations. Compared to using passwords alone, having MFA in place significantly strengthens account security by making it extremely difficult for hackers to bypass authentication – provided that it is properly configured and correctly used. However, although “extremely difficult”, MFA bypass isn’t impossible. Hackers are now coming up with smarter approaches to bypass secondary authentication. As such, businesses shouldn’t take MFA as an invincible security measure and must stay on alert for potential MFA bypass attempts.

According to recent research by Auth0, a subsidiary of Okta, attackers are now frequently targeting MFA login processes to make their way into corporate networks. The report indicated that exploitation attempts against MFA weaknesses have reached an all-time high, up significantly from 2021 and far exceeding levels seen in 2020. Okta said that its network detected 113 million attacks targeting MFA in the first quarter of 2022 alone.

This isn’t to doubt the effectiveness of MFA. An account secured by MFA will always be safer than one without. An increase in MFA attacks is rather inevitable as more and more organizations adopt MFA to secure their accounts. Nevertheless, MFA bypass attacks can be easily prevented with some thoughtful planning and configurations.

In this blog, we list and explain some common MFA bypass attack patterns that businesses should watch out for.


MFA Fatigue, the Most Concerning MFA Threat in 2022

Among all the commonly observed MFA bypass techniques, MFA fatigue is now gaining the most attention as it has led to some serious cybersecurity incidents throughout the year, including the widely reported breach of Uber’s internal systems in September. Different from typical cyberattacks, MFA fatigue doesn’t exploit technical vulnerabilities within the authentication process itself, but instead tries to trigger human fatigue and errors from the user’s end. The notion is that the human user makes the ultimate approval in any MFA process, such as by clicking on an authentication prompt, entering an OTP, or scanning a fingerprint. This approval process, when performed repetitively on a daily basis, can lead to fatigue and end up as an automatic and unconscious behaviour. Attackers are taking advantage of this phenomenon, impelling the user to unconsciously approve authentication without realizing the consequences.

How is it done? To launch an MFA fatigue attack, the attacker needs a set of primary login credentials, such as emails and passwords. Most threat actors have readily available primary login credentials at hand; some of these could be leaked from past data breaches, while others could be purchased from other cybercriminals on the dark web.

The attacker then uses these primary login credentials to log in to the targeted account repeatedly, prompting a secondary authentication request on the user’s smartphone every time an attempt is made. Many clueless users end up tapping on the verification button without a second thought, granting the attacker access to their account. Even when a user is aware of suspicious behaviour, they might end up overwhelmed by the repetitive authentication requests and accidentally approve one of them. In the worst scenario, the frequency of authentication requests can be so intense that the user finds it difficult to use their phone due to the bombardment of notifications, which leads to them approving the request. Given the way these attacks are conducted, MFA fatigue attacks are also referred to as MFA bombing or MFA push spam.

Since MFA fatigue attacks are normally initiated using automated tools, the attacker can easily bombard the victim’s smartphone with authentication requests for many days, while all it takes is one mistap to succeed – making it an effortless and effective attack method.

Despite being a very simple technique, MFA fatigue can lead to serious consequences because only one employee-level access is needed for an attacker to gain entry into a corporate network.


Social engineering

Social engineering has long been the greatest threat to account security. Like MFA fatigue, social engineering takes advantage of human misjudgments. Although setting up MFA largely reduces the success rate of social engineering attacks, hackers are using more personalized emails and well-built phishing pages to lure their victims into the trap step by step.

In a typical social engineering attack, the attacker would begin by sending the victim a phishing email. In the email, the attacker would impersonate an application service provider and ask the victim to log in via the provided link to accept some new terms and conditions if they wish to continue to use the service. The link in the email would then direct the victim to a fake login page. The primary login credentials the victim enters would be directly used by the attacker to log in at the real login page, which sends an OTP code to the victim. The victim then enters that OTP code into the fake login page, passing that information on to the attacker as well.

A recent cybersecurity incident caused by social engineering can be observed in the phishing campaign against Okta, where 5,441 OTP codes were successfully collected.


SIM hacking

SIM hacking occurs when a hacker gains unauthorized access to a victim’s SIM card to compromise their phone number. There are many possible paths to SIM hacking, from sophisticated techniques like installing spyware on a victim’s phone, to methods as simple as impersonating the victim to request a new SIM card from the mobile service provider. What’s worse, if an attacker manages to gain physical access to the victim’s phone, they can also take out the SIM card and make a copy of it onto a blank SIM card. One way or another, having a compromised SIM card means that the attacker can gain full access to the victim’s text messages and receive all the OTP codes sent to that number.


Session hijacking

Session hijacking occurs when an attacker exploits a vulnerability in the web application service to obtain access to a user’s login session, for example through a man-in-the-middle attack. By stealing or predicting a valid session token, the attacker takes over a session that has already been authenticated, bypassing all forms of authentication.


How to Prevent MFA Bypass Attacks?

Enforce limitations on MFA requests

To successfully launch an MFA fatigue attack, the attacker needs to repeatedly trigger authentication requests to keep the victim overwhelmed. The best way to prevent the victim from being bombarded with MFA requests is to limit the number of allowed requests within a certain timeframe. This gives the victim time to react, block notifications, and speak to the IT admin for assistance.
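One way to implement such a limit, shown as an added example rather than code from this article or from any Penta Security product: a per-account sliding-window cap on push prompts with a cooldown once the cap is hit. The class and function names, the thresholds (3 prompts per 10 minutes, 30-minute cooldown) and the sample attempts are all assumptions made for illustration.

```python
from collections import defaultdict, deque


class PushPromptLimiter:
    """Sliding-window cap on MFA push prompts per account."""

    def __init__(self, max_prompts=3, window_s=600, cooldown_s=1800):
        # Thresholds are illustrative assumptions, not values from the article.
        self.max_prompts = max_prompts
        self.window_s = window_s
        self.cooldown_s = cooldown_s
        self._sent = defaultdict(deque)  # user -> timestamps of delivered prompts
        self._blocked_until = {}         # user -> time the cooldown ends

    def allow_prompt(self, user, now):
        """Return True if a push may be sent, False if it must be suppressed."""
        if now < self._blocked_until.get(user, 0):
            return False
        sent = self._sent[user]
        while sent and now - sent[0] >= self.window_s:
            sent.popleft()  # forget prompts that fell out of the window
        if len(sent) >= self.max_prompts:
            # Cap hit: stop prompting so the user has time to reach IT.
            self._blocked_until[user] = now + self.cooldown_s
            return False
        sent.append(now)
        return True


def replay(attempts, limiter):
    """Run (timestamp, user) login attempts through the limiter.

    Returns {user: [delivered, suppressed]}; a non-zero suppressed count
    is the signal worth alerting on.
    """
    totals = defaultdict(lambda: [0, 0])
    for ts, user in sorted(attempts):
        totals[user][0 if limiter.allow_prompt(user, ts) else 1] += 1
    return dict(totals)


# Constructed sample: alice's account sees a password-valid attempt every
# 30 s for 10 minutes; bob signs in twice, an hour apart.
SAMPLE = [(t, "alice") for t in range(0, 600, 30)] + [(100, "bob"), (3700, "bob")]

if __name__ == "__main__":
    print(replay(SAMPLE, PushPromptLimiter()))
```

With the sample data, the bombarded account receives three prompts instead of twenty, while the normal user is unaffected.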


Shorten OTP valid duration

In social engineering and SIM hacking attacks, it can take a short while before the attacker is able to obtain the OTP from the victim and enter it into the login page. Although most application services have a default OTP duration of ten minutes, keeping the OTP validity duration as short as one to two minutes will significantly lower account security risk.
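The effect of the validity window can be seen in a small server-side OTP check, given here as an added example that is not taken from this article or any specific product. The `OtpStore` class, the `relay_outcome` helper, the in-memory storage and the 150-second delay are assumptions; codes are single-use and compared in constant time.

```python
import hmac
import secrets


class OtpStore:
    """In-memory one-time codes with a validity window and single use."""

    def __init__(self, ttl_s):
        self.ttl_s = ttl_s
        self._pending = {}  # user -> (code, issued_at)

    def issue(self, user, now):
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits from a CSPRNG
        self._pending[user] = (code, now)         # a new code replaces the old one
        return code

    def verify(self, user, submitted, now):
        entry = self._pending.get(user)
        if entry is None:
            return "no_pending_code"
        code, issued_at = entry
        if now - issued_at > self.ttl_s:
            del self._pending[user]               # expired codes are discarded
            return "expired"
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            return "mismatch"
        del self._pending[user]                   # single use: no replay
        return "ok"


def relay_outcome(ttl_s, delay_s):
    """Result when a correct code reaches the server delay_s seconds after issue."""
    store = OtpStore(ttl_s)
    code = store.issue("alice", now=0)
    return store.verify("alice", code, now=delay_s)


if __name__ == "__main__":
    # Constructed scenario: the code arrives 150 s after it was issued.
    for ttl in (600, 120):
        print(f"ttl={ttl}s delay=150s ->", relay_outcome(ttl, 150))
```

A code that arrives inside the window is still accepted, so the shorter duration narrows the exposure rather than removing it.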


Strengthen employee training and awareness

As always, a simple yet effective preventative measure against all types of cybersecurity threats is to provide proper employee education and training. Unfortunately, many businesses neglect this practice. In terms of MFA, employees should be well informed about the common MFA bypass methods, especially on the potential danger of MFA fatigue. It is crucial for all employees to know that when receiving unknown authentication requests, they should contact their IT admin immediately instead of trying to reset their password themselves.



Penta Security’s SSO MFA Solution

The best way to manage MFA is to adopt an identity and access management (IAM) solution. iSIGN+ is a single sign-on (SSO) MFA solution that enables IT admins to easily configure MFA settings, monitor per-user service time and login behaviours, and disable concurrent logins. Its SSO feature allows users to sign on to multiple accounts and services using one set of credentials, which is securely stored and managed using the industry’s most advanced encryption module.

Contact us to learn more about iSIGN+.

