Criminal threat actors regularly use stolen or guessed credentials for initial access during attacks. Often, they succeed because companies protect remote access solutions like remote data protocol gateways or virtual private network endpoints only with passwords. Naturally, we regularly advise customers to boost security by implementing multi-factor authentication (MFA).
MFA makes sense for more than just internet-facing applications. Implementing it on accounts with access to critical assets, even for already authenticated users, adds additional protection. Tokens, IP addresses, certificates, computer names, MAC addresses, group membership, geographical location, or even time-of-day can all be extra authentication methods.
However, we never let our customers believe that MFA solves all issues. There are several potential pitfalls to consider. Some relate to implementation oversights or challenges, others to specific bypass techniques developed by threat actors.
Not all types of MFA are equal, and not everything called MFA is MFA. Requiring a third piece of static authentication data to login is not MFA. MFA demands two or more of three types of authentication factor – something you know (a password), something you are (a biometric), and something you have (an authenticator app). SMS-based authentication solutions check the “something you have,” box, but are vulnerable to sim-swapping and interception attacks. MFA apps that only require the user to hit accept increase the odds of inadvertently authorizing a request, compared to solutions that require manual code input.
Legacy authentication protocols like IMAP, SMTP, POP and MAPI cannot enforce MFA. If they aren’t disabled, threat actors may leverage them to launch attacks. Some organizations may also omit certain applications from MFA entirely or allow authorized exceptions like service accounts. In a recent engagement, our pentesting team discovered a forgotten system account without MFA. After logging in, they were prompted to enroll the account in MFA, giving them access to the environment, and other services and applications.
One of our incident response (IR) engagements in 2021 revealed how a threat actor used a gap and a loophole in the MFA implementation to bypass it. First, they used stolen or guessed credentials to access a password-only email account. Then they tried to access an MFA-protected system, which allowed the MFA token to be sent to the already compromised email address. This let the threat actor to enroll in MFA. If the MFA implementation had required access to a physical device or hardware token, the threat actor would have been stopped from progressing further.
Organizations must also train their employees to use MFA properly and recognize signs of suspicious behaviour. In one IR engagement, a threat actor used “pester power” by generating repeated authentication requests sent to the token-based authentication app belonging to an employee of the compromised organization. The employee eventually gave in and approved a request, giving the threat actor access.
Bypass techniques include phishing kits that leverage transparent reverse proxy to snoop on browser sessions to steal both credentials and session cookies. This lets threat actors hijack already authenticated sessions, bypassing MFA. These can be detected using TLS fingerprinting.
The Golden SAML technique was used by threat actors in the 2020 SolarWinds breach to forge a signed SAML token, allowing them to bypass MFA and move from a target’s on-premises environment to their cloud environment. It’s essential to use hardware or software to protect the identity provider’s private key for the security of SAML tokens.
Some bypass techniques are complex and esoteric. Others are alarmingly simple, thanks to implementation oversights. But the fact that it’s possible to bypass MFA is not a reason to not use it at all.
Think about an organization as a house. PIN code door entry beats leaving the door unlocked, but there’s certainly a need for more security. It’s clearly better to use a PIN code, plus a physical key. The best option: a combination of PIN code, key, and fingerprint reader. But even though it’s possible to forget the code, lose the key, or, worse still, suffer the rare misfortune of losing your fingerprint, it still makes sense to have all those levels of security.
Implementing MFA may seem a mammoth, expensive task for smaller organizations, but today, it’s much easier to achieve comprehensive MFA coverage than it was. Coupling an MFA solution to the organization’s identity provider ensures that all related apps and services are covered. On top of that, implementing MFA also means implementing centralized authentication, with all the multiple benefits that brings – centralized provisioning, easier risk-based authentication, and a single audit location.
Along with measures like timely patching, network segmentation, managing permissions, and using a comprehensive endpoint monitoring and detection solution, by implementing a modern MFA solution companies can stop threat actors from accessing networks. MFA bypasses remain rare – don’t make them a reason to put the organization at risk.
Jane Adams, information security research consultant, Secureworks
