The majority of data breaches continue to stem from stolen credentials. And while multi-factor authentication (MFA) remains one of the most essential and effective controls against account takeover using stolen credentials, it’s far from universally adopted.

However, there’s plenty of evidence today to suggest that users are coming to accept and expect MFA as part of their everyday sign-in experience.

With this in mind, CISOs must consider how attackers are likely to respond when MFA coverage becomes substantially higher compared to today. Increasingly, organizations are targeted not on the basis of whether accounts are protected by MFA, but by how easily attackers can bypass the MFA.

In today’s threat environment, security leaders should assess which of their authentication flows need to be phishing-resistant.

The evolution of MFA bypass

The most common forms of MFA bypass are those in which an adversary armed with stolen credentials doesn’t get prompted with an MFA challenge. At times that’s because of some form of misconfiguration: for example, access to Microsoft 365 won’t always require MFA if administrators don’t explicitly deny legacy authentication to Exchange Online. Our research shows organizations are 50x more likely to be targeted by this type of attack if they don’t get this configuration right.

Equally, the theft of session cookies by infostealer malware offers windows of opportunity for attackers to hijack legitimate browser sessions without being presented an MFA challenge.

Adversaries can also bypass MFA if they previously compromised a trusted channel for authentication or password reset tokens, such as during SIM swapping attacks or when tokens are sent to a compromised email account. When this happens, the secret used to verify a login event is sent to a device or user account controlled by the attacker.

The next most common form of MFA bypass stems from phishing and other forms of social engineering.

Most commodity phishing kits are designed to capture the target’s username and password, as well as the one-time password (OTP) used to verify the user during an MFA challenge. Phishing kits often pipe these stolen credentials directly to a Telegram channel or some other online forum so they can be used before the OTP expires. When OTPs do expire, we often observe attackers engaging in second-stage social engineering attacks, sometimes calling their target on the phone or engaging in MFA fatigue attacks.

However, the phishing attacks that most often lead to an account takeover event work quite differently. They use real-time, adversary-in-the-middle (AiTM) phishing proxies. As with a static phishing campaign, the target gets tricked into entering their credentials into an attacker-controlled phishing site. But when that phishing site also acts as a proxy, it relays user credentials to the legitimate web application the user intends to sign in to, and relays most MFA challenges back and forth between the user and the legitimate web application. This can let attackers capture both user credentials and intercept the session token returned by the legitimate web app to the target’s browser.

Real-time phishing campaigns are therefore capable of bypassing any authentication flow that relies on passwords and OTPs generated via authenticator apps, or delivered via SMS and email.

We’ve observed a steady increase in AiTM capabilities since they were first introduced in 2017. In late 2022, the volume of attacks increased dramatically after these capabilities were made available to a larger number of lesser-skilled actors via services that rent the infrastructure, configuration and phishing templates “as-a-service” at very affordable prices. Phishing-as-a-service has democratized access to what was previously a boutique capability, and attackers of all motivations are making use of it.

The need for phishing-resistant MFA

According to the National Institute of Standards and Technology (NIST), phishing resistance requires that the domain of the website the user signs into has been tied to the user’s authenticator in some way. This ensures the authenticator won’t ever issue the user’s credentials to a fake phishing webpage.

Examples include PKI-based passwordless authenticators, FIDO2 WebAuthn authenticators (either roaming security keys or platform authenticators built into user devices) and PIV Smart Cards. When phishing resistance gets enforced by the identity provider (IdP), these authenticators prevent AiTM attacks and most other forms of social engineering.
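To make the NIST origin-binding requirement above concrete, here is an added illustrative example (not Okta’s code, nor code from this article) of the checks a relying party performs on a FIDO2/WebAuthn sign-in assertion; the RP ID, origin and sample data are constructed. Ordinarily the browser refuses to exercise a credential on a domain that does not match its RP ID, so an AiTM proxy on a lookalike domain never obtains an assertion at all; these server-side checks are the backstop that rejects one if it somehow arrives.

```python
import base64
import hashlib
import json

# Constructed, illustrative relying-party (RP) checks for a WebAuthn assertion.
# Not Okta's code or any library's implementation; the names below are assumed.
RP_ID = "example.com"                       # hypothetical RP ID
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes):
    """Origin-binding checks an RP performs on a WebAuthn 'get' assertion.
    Signature verification over authData || SHA-256(clientDataJSON) is omitted."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge ties the assertion to this one login attempt (no replay).
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    # The browser, not the user or the page, writes the real origin into
    # clientDataJSON. A page served by a proxy on a lookalike domain yields a
    # different origin, so the assertion is useless to the attacker.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    # First 32 bytes of authenticatorData = SHA-256 of the RP ID the
    # authenticator actually signed for; it must be this RP's own domain.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> str:
    """Builds clientDataJSON the way a browser would (constructed sample)."""
    payload = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def make_auth_data(rp_id: str) -> bytes:
    """rpIdHash (32 bytes) + flags byte (UP|UV) + 4-byte sign counter (constructed)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
```

Calling `verify_assertion(make_client_data(EXPECTED_ORIGIN, ch), make_auth_data(RP_ID), ch)` with a fresh challenge `ch` returns `(True, "ok")`, while the same call with an origin such as `https://login.example-com.net` fails on the origin check before the rpIdHash is even examined.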

As a result, many customers have swapped out their existing authenticators to exclusively require these methods of signing in. The benefits have been borne out in multiple failed attacks against organizations that have embraced phishing resistance.

While security has been the prime motivation, phishing-resistant authenticators almost universally offer a far better user experience than passwords or one-time codes. They reduce the time required for users to authenticate. It’s one of those rare moments in technology where the user experience and security are in harmony, rather than in tension.

Harmony is good, but expect a few speed bumps, such as when users need to authenticate to native applications that perform authentication using a WebView. These authentication events are infrequent, and security pros can handle them with temporary exemption processes that allow for OTP under limited, highly monitored conditions. Given the escalating threat environment, we expect these app developers will phase out methods of authentication that don’t support phishing resistance in the very near future.

Bob Lord, a senior technical advisor to the Cybersecurity and Infrastructure Security Agency (CISA), has been closely monitoring both the threat environment and the relatively slow adoption of phishing-resistant authenticators. The problem until now, Lord says, is that “people are not focused on what they can do, but are fixated on what they cannot do, and end up doing nothing.”

Given the threat, and the mainstream availability of these low-cost controls, we need to act now. Enforcing phishing resistance is one of those rare features a security team can deliver that drives a meaningful reduction in risk.

Brett Winterford, Regional CSO, APAC, Okta