February 24, 2021
Multi-Factor Authentication (MFA) has long been recommended by the information security community to help secure user accounts. According to Microsoft, “MFA can block over 99.9% of account compromise attacks.” However, you need not look very far to find reports and articles describing successful account compromise despite MFA being enabled. In fact, Ankura regularly encounters such situations in its case work. With that in mind, just how effective is MFA? This article will cover vulnerabilities often exploited by threat actors when MFA is in place, examples of MFA bypass attacks observed by Ankura, and recommendations for businesses to harden and supplement their MFA deployment.
MFA provides additional verification requirements to help protect an account’s private information. Online services commonly implement MFA by requiring a user to prove their identity through something they know (e.g. a password) and something they have (e.g. a smart card, security token, etc.). This is analogous to a physical entry door requiring both a passcode entered through an electronic keypad and a physical key to unlock a deadbolt before allowing entry. For an online email account, a common manifestation of MFA is the account service or identity provider sending a text message containing a one-time code to the user’s registered mobile device following the successful entry of the account username and password. When the user receives the one-time code, they must pass the code to the online account to fully authenticate and access their information. Other examples leverage a mobile application to streamline the process. In short, MFA requires a user to authenticate with more than just a username and password before providing access to an account protected by MFA.
In cases where an attacker successfully gains access to an account despite MFA being enabled, it is often the case that the attacker was able to bypass MFA as opposed to compromising the MFA device. In other words, the attacker was able to successfully log in to an account without providing the second factor, MFA. In other cases, an attacker may socially engineer the victim user into providing the one-time code to the attacker.
Ankura routinely encounters situations where MFA fails to protect a user’s account. For example, Ankura has observed attackers using legacy mail clients such as Mozilla Thunderbird which rely on protocols that do not support MFA. Often, email environments are configured to allow authentication from such legacy clients even when MFA is enabled in the environment. This allows a user (or an attacker) to authenticate to an account that has MFA enabled without providing the second factor by simply using a mail client that does not support MFA. In other cases, Ankura has observed attackers exploiting MFA-protected accounts using techniques such as session hijacking. In such cases, attackers not only bypass the need for a second factor, they eliminate the need to provide a username and password as well. Although not as common, tactics such as session hijacking present a risk to MFA deployments.
With all the issues facing MFA today, what can businesses do to better secure their information that is protected by MFA? Ankura recommends three key focus areas for hardening deployment of MFA:
- Enable MFA where possible: The first step in hardening MFA is ensuring that it is deployed where possible. Ankura routinely encounters environments without MFA in place, despite the fact that most modern cloud-based email platforms and other cloud-native applications are well equipped for MFA deployment.
- Disable legacy authentication protocols: this setting will require users authenticating in the environment to use a client that supports MFA such as Microsoft Outlook 2016 and will greatly hinder common MFA bypass techniques used by attackers.
- Ensure adequate logging for MFA applications: Ensuring that an account and the MFA actions taken on the account are logged can greatly reduce potential issues should an account compromise take place. In the event of an account compromise, an absence of logging can prevent investigators from fully determining the nature and extent of a compromise. Logging for MFA-enabled applications can also aid in pinpointing the specific attack vector when tactics such as session hijacking are employed.
MFA is an important countermeasure and protection for user accounts and has long been recommended by security professionals. Although MFA provides a significant layer of security, it is by no means impermeable by attackers. Indeed, Ankura regularly observes clients victimized by MFA bypass techniques in its casework. Despite the established weaknesses of some MFA implementations, there are steps that businesses can take to better secure the information protected by MFA-enabled accounts. Through focusing on the previously mentioned key areas for deployment and hardening of MFA, businesses can work to better protect their valuable information and be better positioned should an account compromise occur.
“Multi-Factor Authentication: Panacea or Paper Tiger,” Ankura Consulting; 2/25/2021; Hale, Jason; Riley, Brent; Catalan, Brandon.