
Why MFA is Good, but Not Good Enough: The Need for Defense-in-Depth to Combat MFA Bypass


Over the past decade, multifactor authentication (MFA) has become a cornerstone of modern cybersecurity. But as user authentication has grown more sophisticated, so have cybercriminal tactics. Just look at the rise of MFA bypass techniques.

Despite attackers' demonstrated ability to get past MFA, the belief that it is near-perfect persists. Recent Proofpoint research shows that almost half of all accounts taken over by bad actors had MFA configured. Yet 89% of security professionals consider MFA complete protection against account takeover. Clearly, there's a disconnect.

That’s why a robust defense-in-depth approach is needed now more than ever. Layered security can help mitigate MFA bypass and reduce the likelihood of a significant breach that stems from an account takeover. In this blog post, we’ll explore why MFA is not enough and give you some tips to better protect your organization. 

MFA bypass techniques 

MFA is effective because it requires users to authenticate with multiple factors. It combines something they know (typically their password) with something they have (an authenticator app or token) or with something they are (like a face scan). While this sounds very secure, threat actors have found multiple ways to bypass MFA. Many of these tactics are highly sophisticated: 

  • Phishing attacks. Users are tricked into entering their login credentials and MFA codes into a website the attacker controls, and the attacker uses them before the code expires.
  • MFA fatigue attacks. After stealing a user's password, the threat actor triggers a barrage of MFA push notifications. A confused or annoyed user may approve an access request just to make the notifications stop.
  • Session hijacking. Attackers steal session cookies after authentication has completed. Because the cookie stands in for the whole login, the preceding MFA step becomes moot.
  • SIM swapping. This technique defeats SMS-based MFA by transferring the target's phone number to a device the attacker controls. To accomplish this, the threat actor socially engineers the mobile carrier or uses an insider at the carrier.
  • Pure social engineering. Most organizations let remote workers reset their passwords and MFA configurations without showing up in person. Without proper online identity verification, the IT helpdesk can be talked into resetting the credentials of an employee the attacker is impersonating.
  • Adversary-in-the-middle (AitM) attacks. Phishing kits such as Evilginx proxy the real login page, relaying the user's credentials and MFA response to the legitimate service in real time and capturing the session token it issues. The attacker then replays that token to access the account.
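Two of the techniques above leave traces in authentication logs that a defender can look for: a burst of push prompts followed by an approval (MFA fatigue), and a session cookie that was issued to one client and then presented from another (session hijacking or an AitM relay). The detector below is an added example written for this post, not Proofpoint code; the log format and the sample events are constructed, and the thresholds are assumptions to be tuned per environment.

```python
"""Heuristic detections for MFA push fatigue and post-auth session reuse.

Added example. The space-separated log format below is an assumption:
  <ISO8601 timestamp> <user> <event> <client ip> <session id or ->
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs). alice is being push-bombed,
# bob logs in normally, carol's cookie is replayed from a different IP.
SAMPLE_LOG = """
2024-05-01T08:00:05Z alice push_sent 203.0.113.10 -
2024-05-01T08:00:20Z alice push_denied 203.0.113.10 -
2024-05-01T08:00:40Z alice push_sent 203.0.113.10 -
2024-05-01T08:01:10Z alice push_sent 203.0.113.10 -
2024-05-01T08:01:15Z bob push_sent 198.51.100.7 -
2024-05-01T08:01:25Z bob push_approved 198.51.100.7 -
2024-05-01T08:01:26Z bob login_success 198.51.100.7 s-bob-1
2024-05-01T08:01:40Z alice push_sent 203.0.113.10 -
2024-05-01T08:02:10Z alice push_sent 203.0.113.10 -
2024-05-01T08:02:15Z carol login_success 192.0.2.44 s-carol-1
2024-05-01T08:03:00Z alice push_sent 203.0.113.10 -
2024-05-01T08:03:30Z alice push_approved 203.0.113.10 -
2024-05-01T08:03:31Z alice login_success 203.0.113.10 s-alice-1
2024-05-01T08:05:00Z bob session_used 198.51.100.7 s-bob-1
2024-05-01T08:09:00Z carol session_used 203.0.113.99 s-carol-1
"""


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    ip: str
    session: str


def parse_line(line: str) -> Event:
    ts, user, kind, ip, session = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(when, user, kind, ip, session)


def parse_log(text: str) -> list[Event]:
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e.ts)


def find_push_fatigue(events, window=timedelta(minutes=10), min_prompts=5):
    """Flag a push approval preceded by >= min_prompts prompts within `window`.

    A single prompt followed by an approval is a normal login; a pile of
    prompts that ends in an approval is the fatigue pattern.
    """
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of recent push_sent
    for e in events:
        q = recent[e.user]
        while q and e.ts - q[0] > window:  # drop prompts outside the window
            q.popleft()
        if e.kind == "push_sent":
            q.append(e.ts)
        elif e.kind == "push_approved" and len(q) >= min_prompts:
            alerts.append({"user": e.user, "prompts": len(q),
                           "approved_at": e.ts.isoformat(), "ip": e.ip})
    return alerts


def find_session_reuse(events):
    """Flag a session cookie presented from an IP other than the one that logged in.

    Caveat: mobile and VPN clients change IPs legitimately; in production,
    compare ASN and device fingerprint as well, or this will be noisy.
    """
    origin_ip = {}  # session id -> ip recorded at login_success
    alerts = []
    for e in events:
        if e.kind == "login_success":
            origin_ip[e.session] = e.ip
        elif e.kind == "session_used" and e.session in origin_ip \
                and origin_ip[e.session] != e.ip:
            alerts.append({"user": e.user, "session": e.session,
                           "auth_ip": origin_ip[e.session], "used_from": e.ip})
    return alerts


def run(log_text: str = SAMPLE_LOG):
    events = parse_log(log_text)
    return find_push_fatigue(events), find_session_reuse(events)


if __name__ == "__main__":
    fatigue, reuse = run()
    print("push fatigue:", fatigue)
    print("session reuse:", reuse)
```

On the constructed log, `run()` returns one fatigue alert for alice (six prompts before the approval) and one session-reuse alert for carol (cookie issued to 192.0.2.44, presented from 203.0.113.99); bob triggers neither.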

Check out this demo of an adversary-in-the-middle attack enabled by Evilginx, which Proofpoint Account Takeover Protection can detect and stop. 

Why MFA alone is not enough 

No doubt, MFA adds a valuable layer of user authentication security. And this makes it harder for threat actors to break in. But the bypass techniques that are described above show why it’s so risky to rely on any single security defense mechanism. The increasing prevalence of successful MFA bypass attacks just shows that determined attackers can adapt to overcome broadly deployed protections.  

While it might seem obvious, it's still important to keep in mind that MFA should only be part of a larger security program. It's not a definitive defense. The whole point of defense-in-depth is that additional layers of security reduce the likelihood of a successful attack even when one layer is breached.

Implementing a defense-in-depth strategy 

A defense-in-depth approach involves multiple, overlapping security measures. This creates redundancies and reduces an attacker’s ability to exploit any vulnerabilities. Here’s how organizations can bolster their defenses against MFA bypass: 

  • Strengthen endpoint protection. Deploy endpoint detection and response (EDR) tools to identify and mitigate unauthorized access at the host level. 
  • Invest in defenses against credential phishing. Most threat actors prefer highly targeted, socially engineered phishing attacks that go after your users' credentials. That's why Proofpoint continues to invest heavily in our email security platform.
  • Adopt phishing-resistant MFA. Shift to methods such as FIDO2/WebAuthn hardware security keys or platform passkeys, which bind each credential to the legitimate site's origin so that a code or assertion captured on a look-alike site is useless. A biometric on its own is a way to unlock such a credential, not a substitute for it.
  • Get specialized account takeover security systems. Implement tools such as Proofpoint Account Takeover Protection to detect, investigate, and automatically respond to cloud account takeovers as they occur, stopping them before they can do any significant damage. 
  • Educate users. Train your users to recognize phishing attempts and other social engineering tactics that target their MFA credentials. This is an area where Proofpoint security awareness training can help. 
  • Plan for incident response and recovery. Prepare for worst-case scenarios. Make sure to have a well-defined incident response plan that includes a way to quickly revoke access tokens and investigate suspicious logins. Proofpoint Account Takeover Protection can also help here. 
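The "phishing-resistant" item above is the one that directly addresses the AitM and phishing bypasses described earlier, and the reason is mechanical rather than a matter of degree. The toy model below, an added example that is not Proofpoint's or any vendor's code, runs a TOTP code and a WebAuthn-style assertion through the same relaying proxy. The TOTP implementation follows RFC 6238; the WebAuthn part keeps the real clientDataJSON/rpIdHash structure but, as a labelled assumption, stands in an HMAC for the authenticator's ECDSA signature so it runs with the standard library only. All hostnames, keys and challenges are constructed.

```python
"""Why an AitM proxy can relay a TOTP code but not a WebAuthn assertion.

Added example, toy model. Assumptions: the credential "signature" is an HMAC
with a shared demo key instead of an ECDSA signature over a public key; hosts
and keys are made up.
"""
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "bank.example"                      # relying party ID (eTLD+1)
RP_ORIGIN = "https://bank.example"          # the only origin the RP accepts
PHISH_ORIGIN = "https://bank-login.example" # attacker's AitM proxy (constructed)
DEMO_CRED_KEY = b"constructed-credential-key"
DEMO_TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test-vector secret


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def rp_check_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # Real servers accept +-1 step of drift; irrelevant to the point made here.
    return hmac.compare_digest(totp(secret, unix_time), code)


def aitm_totp_relay(secret: bytes, now: int) -> bool:
    """Victim types the code on the phishing page; proxy forwards the same digits."""
    code_typed_on_phish = totp(secret, now)  # the code carries no notion of origin
    return rp_check_totp(secret, code_typed_on_phish, now)


class Authenticator:
    def __init__(self, cred_key: bytes):
        self.key = cred_key

    def get_assertion(self, rp_id: str, challenge: str, page_origin: str) -> dict:
        # The *browser* fills in clientDataJSON.origin from the page it is on;
        # neither the user nor the phishing page can change it.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True).encode()
        # authenticatorData = rpIdHash(32) || flags(1) || signCount(4)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.key, to_sign, hashlib.sha256).digest()  # stand-in for ECDSA
        return {"clientDataJSON": client_data, "authenticatorData": auth_data,
                "signature": sig}


def rp_verify(cred_key: bytes, challenge: str, assertion: dict) -> tuple[bool, str]:
    """Server-side checks in the order a WebAuthn relying party performs them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "bad type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_key, assertion["authenticatorData"]
                        + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def new_challenge() -> str:
    return base64.urlsafe_b64encode(b"constructed-challenge-123").decode().rstrip("=")


def legit_webauthn() -> tuple[bool, str]:
    challenge = new_challenge()
    assertion = Authenticator(DEMO_CRED_KEY).get_assertion(RP_ID, challenge, RP_ORIGIN)
    return rp_verify(DEMO_CRED_KEY, challenge, assertion)


def aitm_webauthn_relay() -> tuple[bool, str]:
    """Proxy relays the real challenge, but the victim's browser is on PHISH_ORIGIN.

    A real browser would refuse even earlier, because RP_ID is not a registrable
    suffix of the phishing origin; the model lets it proceed to show the server check.
    """
    challenge = new_challenge()
    assertion = Authenticator(DEMO_CRED_KEY).get_assertion(RP_ID, challenge, PHISH_ORIGIN)
    return rp_verify(DEMO_CRED_KEY, challenge, assertion)


if __name__ == "__main__":
    print("TOTP relayed through proxy accepted:", aitm_totp_relay(DEMO_TOTP_SECRET, 59))
    print("WebAuthn direct:", legit_webauthn())
    print("WebAuthn relayed through proxy:", aitm_webauthn_relay())
```

The TOTP relay succeeds because a six-digit code is just a number; the relying party cannot tell which page the user typed it into. The relayed WebAuthn assertion fails at the origin check before the signature is even examined, which is what "phishing-resistant" means in practice.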

The past, present and future of cybersecurity: proactive, layered defense 

The battle against MFA bypass tactics is a good example of the dynamic nature of today's cyber threats. When you adopt a defense-in-depth strategy, you ensure that even if one layer of your security fails, there are other layers that can absorb the impact.

By investing in comprehensive, proactive security measures, you can stay ahead of attackers and protect your most valuable assets. Cybersecurity is not about building a single unbreakable wall; it’s about making every step harder for attackers. 

Learn more by downloading our Account Takeover Protection data sheet. Or watch our demo of an adversary in the middle attack.