How Attackers Bypass MFA

To verify your identity, applications typically ask you to provide something you know, such as a password or a secret key. They may also ask you to prove ownership of something you have, such as a phone or device. Finally, they may ask for proof of who you are by utilizing biometrics. Multi-factor authentication, or MFA, refers to the practice of requiring users to prove their identities in more than one way. MFA protects users in the event of password compromise. When utilized, MFA requires users to prove their identity with a password and proof of ownership of some other factor, typically a phone number or email account.

Photo by iMattSmart on Unsplash

MFA Bypass Techniques

Most MFA implementations prompt a user to authenticate using both a password and an authorization code (usually delivered via email or SMS). If an application implements this MFA flow incorrectly, attackers can exploit weaknesses in the authentication flow to bypass MFA. Let's take a look at the different ways this can happen.

Alternative Authentication

What happens if an attacker can log in via an alternative authentication mechanism that does not require MFA? For example, an application’s password reset functionality automatically logs you in after password reset. If password reset does not require MFA, attackers can use this functionality as an alternative way into the application.

Single Sign-On

Attackers may also exploit shared authentication systems. If another site of the same SSO (Single Sign-On) system does not require MFA, attackers could log into that site to bypass MFA.

Site A: does not require MFA
Site B: requires MFA
Anyone logged into Site A is automatically logged into Site B.

If an attacker can compromise a user’s SSO password, they can log into the user’s account on Site B by logging into Site A, easily bypassing MFA.

Application Logic Errors

Sometimes, attackers can defeat MFA by simply exploiting application logic errors in the authentication process. A common logic error that compromises MFA is the “skippable authentication step”, which allows users to skip a step in the authentication process.

Step 1 (Password Check) -> Step 2 (MFA) -> Step 3 (Security Questions)

For example, let’s say an application implements a three-step login process. First, the application checks the user’s password. Then, the application sends an MFA code to the user and verifies it. Finally, the application asks a security question before logging the user in. I have seen incidences where users can reach step 3 in the authentication sequence without clearing step 1 and step 2. Sometimes, all the attacker has to do is to manipulate the site’s URL and request the page of a later stage directly.

1. example.com/login (Prompts user for the password.)
2. example.com/mfa (Checks MFA code, if code correct, redirect to example.com/security_questions.)
3. example.com/security_questions (Asks security questions.)
4. Login is successful!

Let’s say that the final stage of authentication is located at example.com/security_questions. Could attackers request example.com/security_questions directly without the MFA redirect?

Forging Recognized Devices

Some applications do not require MFA from “recognized devices” or devices where users have logged in before. This is sometimes called "adaptive multi-factor authentication (aMFA). In this case, attackers can try to figure out how the application recognizes a device, and forge the signature of a “recognized device”. For example, if a site marks recognized devices by using a predictable cookie, attackers can add the cookie value to their requests.

recognized-device=1

Understanding how your aMFA technology works is incredibly important for preventing potential MFA vulnerabilities.

Authorization Code Design Flaws

Attackers may also take advantage of poorly designed code generation and validation systems. Since MFA codes are often four to six-digit numbers, attackers may brute force the codes if no rate limiting is in place. Alternately, if an application does not invalidate each code after use, attackers may reuse previous codes. And, if codes are not randomly generated, attackers may also try to reverse the generation algorithm.

Other Attack Vectors

Other attack vectors are difficult to prevent and can happen even if the MFA implementation is faultless. One of these vectors is SIM swapping, in which attackers port the victim’s phone number to a phone they own. Attackers can also bypass MFA by launching a Man-In-The-Middle (MITM) attack or otherwise hijacking the user’s session. Finally, attackers can phish for the MFA code.

Preventing MFA Attacks

Multi-factor authentication adds to the security of your application only if implemented correctly. You can outsource MFA to a third-party provider like Okta Verify, Authy, or Google Authenticator. Despite these potential security flaws, MFA attacks are rarely scalable. Implementing MFA on your application whenever possible is still a safe bet to preventing most account takeover attacks.