Vulnerabilities in Multi-Factor Authentication (And How to Address Them)

According to a survey by Microsoft on multi-factor authentication (MFA), 64% of IT executives use basic MFA, while only 43% have a strong MFA implemented. In the ever-growing digital space, these numbers are expected to increase.

However, even if more organizations are building and tightening their security efforts through the use of MFA, cybercriminals are still trying to break through the defenses. Even with the help of robust MFA, a system is not 100% protected from vulnerabilities.

Knowing what schemes to watch out for is an effective first step in preventing protocol bypassing efforts as well as data breaches.

Multi-Factor Authentication Vulnerabilities (And How to Address Them)

There are several ways hackers can circumvent an authentication system. These threats pose a challenge to the effectiveness of MFA. If you are implementing it on your systems or are setting up MFA for clients, here are a few common ways that bad actors use to get around secure authentication that you need to keep an eye out for:

1. Real-time phishing attacks

Phishing attacks are becoming more effective with more employees continuing to work from home. Bad actors carry out these real-time scams by building proxy websites and tricking victims into entering their authentication code and credentials like they normally would on the original site. While they enter their information on the proxy website, the information is then used to immediately open a session on the real website using the credentials being phished in real-time.

Common authentication methods that are phished this way include One Time Passwords (OTP), tokens, SMS codes, and of course regular usernames and passwords.

How to address it: Much like dealing with regular phishing, prevent real-time phishing scams by installing security software, such as antivirus programs, spam filters, and firewalls. Moreover, it would be prudent to always update company software, including OS, security software, apps, and browsers. Lastly, enforce password policies and use MFA. Multi-factor authentication creates an extra layer to attempt to bypass and utilizing a factor that cannot be phished such as biometrics significantly improves effectiveness.

2. Channel hijacking

Bad actors can easily utilize channel hijacking, whether through a computer or phone, as soon as the victim unnoticeably installs malware in their device. In authentication, a channel is a single communication channel, such as your mobile phone or web browser. You can be vulnerable to channel hijacking if your authentication factors can be submitted entirely in a single “channel”, such as an SMS text to verify your identity for a mobile app. Since the request and authentication can both be provided from the same mobile phone, this method of authentication is vulnerable to channel hijacking.

Alternatively, through man-in-the-browser or web injects, a computer virus can collect sensitive information right away. It is even possible for malware to take over a user’s number to raid the message inbox, hack voicemails, and steal an MFA from the phone.

How to address it: Malware is everywhere, so make sure to take necessary precautions such as prohibiting employees from connecting to public WiFi networks and implementing virtual private networks (VPNs) for more secure connections. Also, ensure login pages are secured using HTTPS, use the latest version of high-security browsers, and create separate Wi-Fi networks in your office for guests and employees.

3. Recovery attacks

Here’s a fact: even people in tech sometimes forget their MFA log-in credentials. While password recovery comes in handy in this situation, a temporary bypass can also invite a potential scam.

Confirmation links and recovery questions are usually sent through an alternate email address or SMS. However convenient it may seem, this recovery method is also vulnerable to phishing scammers and phone hijackers. When these bad actors take charge of your recovery attempt, they can use their access to get into your protected accounts.

How to address it: Always make sure company accounts and devices are secure. Require employees to provide longer passwords or passphrases and use password management plugins or software to make logins more seamless. For best results, incorporate MFA for more layers of security.

4. SIM swap attacks

You have a working mobile phone with an assigned number because you have a Subscriber Identity Module (SIM).

Although these numbers are unique, a SIM swap attack can easily duplicate the number and steal them from the user. This allows the hacker to access your accounts, including MFA and password recovery notifications, when they are delivered to your number.

This is a more common attack than you might think, and has even been used to hack the accounts of prominent figures, such as the CEO of Twitter. SIM swapping has also been used to steal millions of dollars worth of cryptocurrency. This method of attack is more common against the prominent individuals at your organization, such as the C-suite or senior management, who are often listed on company websites.

How to address it: To protect the business from SIM swapping, ask your service provider to set up a port block if available. This prevents identity thieves from stealing important accounts. If SMS is included in your company’s authentication process, add another layer such as biometric authentication. More importantly, train your employees in cybersecurity awareness, and to be deeply skeptical of any calls, emails, or texts that ask for personal information.

5. OTP-based attacks

While One-Time Passwords (OTP) make up for the drawbacks of password-based authentication, your usual 4- to 6-digit codes can still be cracked by bad actors.

Since OTPs can be sent via email or SMS, a quick hack on your device can instantly reveal the numbers to the attackers. They can also be obtained via fake websites if a user unknowingly enters them in real-time.

Furthermore, as these codes are randomly generated from a database, there is a possibility the storage can be infiltrated, allowing for additional and unauthorized access to these passwords.

How to address it: You can avoid OTP-based attacks by observing the same preventive measures as when dealing with phishing and hijacking scams. Be sure to integrate security measures into the company’s process and train staff so they can identify these scams and do what’s necessary to protect company assets.

6. Buggy and faulty systems

MFA solutions are all programming work. These systems are built and maintained through coding, just like any other software tool. Unfortunately, no single program is created bug-free for life. Vulnerabilities innate to this level of authentication can be published online and made available to scammers if not resolved quickly.

How to address it: Even the best MFA solution can encounter bugs—bumps like these call for a team of experts to respond and sort out the issue as soon as possible. The solution? A robust authentication system with the right people behind it.

Finding a Solution for Authentication Vulnerabilities

Despite being open to these vulnerabilities, multi-factor authentications are still an important layer of security that can protect you, your company, and your data. And while it requires relatively higher maintenance, it is better to have it than not at all.

If you’re looking for identity and access management assistance, you can partner with a company guaranteed to safeguard your business with the most comprehensive authentication solution. Check out Q5id and reach out to book a demo today!

You may also like…