Over 50% of companies that use MFA are still successfully hacked.

Hacking Multi-Factor Authentication

Known: “There are more than 12 ways to hack MFA solutions.”  The majority of these attacks have been used successfully against millions of MFA-protected users.  Most of the attack methods include links to recent reports and examples of their exploitation.  The theoretical attacks have not yet been used in a public attack, but they are a looming threat.  Many cases cover a particular type of MFA solution and show how it is susceptible to multiple hacking methods; attacks are not used in just one way, but in similar ways against many types of MFA solutions.  Each attack is shown against the MFA method it is most often used against, but it can often be used against other MFA solutions as well.

General Ways to Hack MFA

The ways in which MFA is compromised fall into three categories:

Social Engineering

Technical

Mixed (a combination of both).

Social engineering is the art of manipulating people so that they give up confidential information.  In this context it refers to the human element: the user of the MFA solution is tricked into using it, inadvertently, in a way that results in its bypass or misuse.  Technical manipulation refers to methods of exploitation and manipulation that do not require the user to make a mistake.  Many of the hacking methods presented below require a mixture of both human and technical weaknesses.

Whatever the hacking method, each is an attempt to take advantage of a weakness in one of the steps of authentication (identity, authentication secret storage, authentication, or authorization) or in the gaps between them.  The attacks are the malicious interruption, modification, or false representation of one or more of those steps, or of the transition between them.

An MFA solution provider will likely defend its product against a successfully demonstrated hack by saying that the MFA solution itself did not fail.  That may be true in the technical sense.  But MFA solutions are not used in laboratories where only direct attacks count.  If the MFA solution fails the user for any reason, then in the user’s mind the MFA solution has failed.  It is very difficult for users to care about the details; whether or not the MFA solution itself was technically responsible does not matter to them.  The user only knows that it failed them.

Session Hijacking

Session hijacking is a method in which, after a successful, legitimate authentication, the legitimate user’s session is taken over by an unauthorized party.  It is most often the result of the resulting access control token being stolen.  It can be entirely transparent to the user, or the user may unwittingly participate in their own hacking by responding to something as simple as a traditional phishing email.  However it is done, once the attacker has either gained control over or copied the access control token, the intruder can seize the session away from the legitimate user or fraudulently manipulate it.  When a session has been hijacked, the attacker essentially assumes the hacked user’s identity for the entirety of the session.  Session hijacking has been around for decades and is one of the most common forms of authentication hacking, and it can be just as successful when used against MFA.  Session hijacking can be accomplished using a variety of different methods, including:

Session Unique Identifier Prediction

Theft of the session token on the network communication channel

Theft of the session token on the end-point.

Session Unique Identifier Prediction

Every time a user successfully authenticates to a website, using MFA or not, he/she is sent back what is supposed to be a unique session token (e.g., a cookie) or URL string, either of which is supposed to contain a randomly selected, unique identifier that identifies the legitimate user and his/her session to the website.  It is important that the unique identifier not be predictable enough that third parties (i.e., hackers) can predict what other people’s tokens or URL strings are or will be.

Session hackers look for websites with predictable unique identifiers.  Hackers usually do this by joining a targeted website as multiple, different authenticated users and looking for commonalities between the unique identifiers placed in the cookie or URL string of each user….
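The passage above describes what makes a session identifier weak (structure, shared prefixes, low entropy) and the kind of audit a defender should run over a sample of identifiers before an attacker does.  The following is an added example, not code from the original article: it contrasts a constructed weak generator (a sequence number and a fixed timestamp, merely base64-encoded) with a sound one built on Python’s standard-library `secrets` module, and runs a simple defender-side audit over a sample of each.  The generator names, the `FAKE_CLOCK` constant and the audit thresholds are assumptions made for illustration.

```python
"""Session identifier unpredictability: a constructed weak generator, a
sound one, and a defender-side audit that flags the weak one.
Added example; the weak scheme and sample tokens are constructed."""
import base64
import binascii
import itertools
import math
import secrets
from collections import Counter

# Constructed fixed clock value so the weak tokens are reproducible here.
FAKE_CLOCK = 1_700_000_000
_counter = itertools.count(1000)


def weak_session_id() -> str:
    """Illustrative weak scheme: sequence number + timestamp, base64-encoded.
    Nothing in it is random, so the next identifier is guessable."""
    raw = f"user-{next(_counter)}-{FAKE_CLOCK}".encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def strong_session_id(nbytes: int = 32) -> str:
    """Sound scheme: 32 bytes (256 bits) from the OS CSPRNG via the
    standard-library secrets module, URL-safe base64 encoded (43 chars)."""
    return secrets.token_urlsafe(nbytes)


def common_prefix_len(tokens) -> int:
    """Length of the prefix shared by every token in the sample."""
    if not tokens:
        return 0
    first = tokens[0]
    n = 0
    while n < len(first) and all(len(t) > n and t[n] == first[n] for t in tokens):
        n += 1
    return n


def entropy_bits_per_char(tokens) -> float:
    """Empirical Shannon entropy of the character distribution across the
    whole sample; a 64-symbol alphabet used uniformly approaches 6.0."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def decodes_to_text(token: str) -> bool:
    """True if the token is base64 of printable ASCII, i.e. it carries
    structured data rather than random bytes."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and all(32 <= b < 127 for b in raw)


def audit_tokens(tokens, min_len=32, max_prefix=2, min_entropy=5.0):
    """Defender-side checks over a sample of issued session identifiers.
    Returns a list of finding names; an empty list means nothing suspicious.
    Thresholds are illustrative assumptions, not a standard."""
    findings = []
    if min(len(t) for t in tokens) < min_len:
        findings.append("short")
    if common_prefix_len(tokens) > max_prefix:
        findings.append("shared_prefix")
    if entropy_bits_per_char(tokens) < min_entropy:
        findings.append("low_entropy")
    if len(set(tokens)) != len(tokens):
        findings.append("duplicates")
    structured = sum(decodes_to_text(t) for t in tokens)
    if structured > len(tokens) // 2:
        findings.append("structured_content")
    return findings


if __name__ == "__main__":
    weak = [weak_session_id() for _ in range(100)]
    strong = [strong_session_id() for _ in range(100)]
    print("weak  :", weak[0], audit_tokens(weak))
    print("strong:", strong[0], audit_tokens(strong))
```

The audit deliberately uses only cheap, sample-based checks that an application owner can run against identifiers their own site issues; it does not attempt to recover anyone else’s token.  The important design point is on the generation side: an identifier must come from a cryptographically secure random source with enough bits (here 256) that guessing is infeasible, and must carry no user-derived structure at all.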