Whether you’re typing in the answer to a security question, tapping your smartphone screen to approve a push notification, or scanning your finger on a biometric sensor, if you use two or more ways to verify your identity when logging in to a service, you’re using what’s referred to as a multi-factor authentication (MFA) system.
And there’s lots of evidence out there to suggest that MFA systems are pretty effective at securing your accounts.
But what that evidence often doesn’t tell you is that not all types of MFA are equally effective. Some factors are easier to compromise with brute force than others and, by nature, don’t provide the same level of protection as stronger factors of authentication. And some factors are more vulnerable to phishing attacks and social engineering because they rely on a human factor to be successful.
In January 2022, the US Government released a memorandum that advises against using phishable MFA (such as one-time passcodes and push notifications) and instead recommends investing in non-phishable MFA. And, though this advice is aimed at heads of executive departments and agencies, your business can certainly take it on board.
Throughout this article, we’ll take a look at some of the most common—yet weakest—secondary factors of authentication, how they can be compromised, and why you should ditch them. We’ll then explore which factors we can consider non-phishable, as well as some wider advice on protecting your users’ accounts.
But first, what is MFA?
What Is MFA?
MFA dictates that any user logging on to a system must prove their identity using two or more factors of authentication to be granted access. This helps provide better account security because, even if a bad actor manages to pass the primary method of authentication (usually by stealing or cracking the user’s password), they’ll still have to pass a second or third method before they’re granted access to that account.
Factors of authentication are generally split into three main categories:
- Things you know: These include passwords, security questions, and PIN codes.
- Things you have: These include hardware security tokens, authenticator apps, and email and SMS one-time passcodes.
- Things you are: These include the use of behavioral and physiological biometrics, such as fingerprint or facial scans or measurements of the way that users move or type.
To learn more, see our article that takes a deeper dive into the three types of authentication and how they work.
Not all types of MFA are built equally—and the combination of factors that you choose to implement will determine how airtight your MFA system is.
For example, choosing more phishable MFA factors (such as knowledge-based factors, which are inherently easy to social engineer) will make your system more phishable.
Which MFA Factors Are Considered Phishable?
Most commonly, MFA systems are based on the use of a password plus another factor—for example, a password and a push notification. This is mainly because there are a lot of legacy systems that still rely on passwords for access and because users tend to be most familiar and comfortable with using passwords as opposed to other methods.
According to the US Government’s recent advice, OTPs and push notifications are the least secure secondary methods of authentication:
“Many approaches to multi-factor authentication will not protect against sophisticated phishing attacks. […] Users can be fooled into providing a one-time code or responding to a security prompt that grants the attacker account access.”
One-time passcodes (OTPs) are a form of authentication in which a randomly generated code is sent to the user (via SMS, voice call, email, or within their authenticator app) and is valid for one login only (hence the name “one-time” passcode). Users then simply enter the code into the login site.
Push notifications take the form of a pop-up notification on the user’s mobile device, which notifies the user of a login request and gives them the option to approve or deny it. Approval often requires the user to authenticate their identity again in some way—such as entering a PIN code or scanning their fingerprint—but once the user approves the notification, this completes the login.
The advice to discontinue the use of one-time passcodes as secondary factors of authentication isn’t particularly shocking. The US Government has been advising against MFA based on SMS and voice calls since as far back as 2017, and Microsoft’s Director of Identity Security, Alex Weinert, similarly warned against using SMS and voice MFA in a 2020 blog post. But the advice to ditch push notifications is perhaps a little more surprising.
So, what makes these factors phishable?
5 Ways Your MFA Can Be Phished
In this section, we’ll take a look at the five most common ways that OTPs and push notifications can be socially engineered.
1. Man-In-The-Middle Attacks
Man-in-the-middle (MitM) attacks—or “real-time phishing” attacks—can be used to bypass numerous MFA factors, including OTPs.
A MitM attack involves a bad actor quite literally sitting between a user and the service they’re attempting to access, relaying data between the two without either knowing the attacker is there. To set this up, an attacker will most likely create a fake login page and act as a proxy to fool the user into believing they’re logging into the genuine website. Whatever action the user takes on the fake site, the attacker takes on the genuine site, and relays the response back to the user. Let’s take a look at an example.
An unsuspecting user—let’s call them Alice—receives an email that appears to be from Microsoft, but has actually been sent by a cybercriminal. The email says that there’s been some suspicious activity on her account and that she urgently needs to log in to stop her account from being blocked. Alice clicks on the URL in the email and is taken to what appears to be the Microsoft login page (but remember, this is our hacker’s fake website that they’ve set up to look like the Microsoft login page).
When Alice enters her details on the fake login page, the hacker captures them and enters them on the real Microsoft site. If she has one-time passcodes enabled as her second factor of authentication, the hacker will request on the genuine site that a code is sent to her email/smartphone/authenticator app. Then, when Alice enters the code on the fake website, the hacker can enter it on the real site. And they’re in.
We should also note that authenticator app OTPs are slightly more secure than SMS, email, or voice OTPs when it comes to MitM attacks. This is because they refresh every minute (or sometimes less), meaning the hacker would need to work very quickly to carry out a successful attack.
Using a MitM attack, the hacker could also capture the access control session cookie when the genuine site sends back the legitimate session token. This would then enable them to access Alice’s account without needing to enter her credentials or one-time passcode. This is known as a “pass-the-cookie” attack.
2. Man-In-The-Endpoint Attacks
Man-in-the-endpoint (MitE) attacks rely on socially engineering a victim into unknowingly installing malware on their device. This malware then enables a bad actor to connect with the device via a command-and-control (C&C) server and steal login credentials, session IDs, and more—without the victim ever knowing.
Let’s take a look at another example—but let’s give Alice a break. This time, Bob is under attack.
Bob receives an email from a “colleague” that contains a seemingly safe and inconspicuous attachment. Bob clicks on the file, and it automatically downloads to his device. Since the email appears to come from a trusted colleague, he thinks nothing of it and opens the downloaded file.
But what Bob doesn’t know is that the file was actually a trojan—a piece of malware designed to look and feel like a legitimate file or piece of software in order to trick a user into downloading and executing it. And now that the trojan is active on Bob’s device, the hacker can connect to it via the C&C server, run hidden remote-access sessions in the background, bypass MFA systems, and steal secrets, credentials, session IDs, OTPs, and more.
3. SIM Swapping
SIM swapping involves a bad actor manipulating a network provider into transferring their victim’s phone number to a SIM card the attacker controls, so that all of the victim’s calls and text messages are redirected to them. These attacks are specifically tied to using SMS and voice OTPs as secondary factors of authentication. Here’s how they work.
First, a bad actor captures their victim’s login credentials via a standard phishing attack. Without having access to these, there’s no point in performing the SIM swap.
Then the bad actor manipulates the network provider into moving the target’s phone number onto the attacker’s own SIM card. They do this either by impersonating their victim and claiming they’ve lost or replaced their device, or by bribery. If successful, all communications sent to the victim’s phone number are automatically redirected to the attacker, and the victim’s cellphone stops working.
Now that the attacker has their victim’s credentials as well as access to their SMS messages, they can not only log in using the credentials but also bypass MFA by having the OTP sent to their own device.
What you might not expect is that these attacks are surprisingly common. In 2021, eight hackers were arrested for stealing more than $100 million in cryptocurrencies using SIM swapping attacks, while in 2022, the FBI released a public service announcement warning users about the prevalence of these attacks.
4. Push Notification Overload
A push notification sent to an authenticator app on a user’s smartphone might seem like a simple, safe, and convenient second factor of authentication. After all, for a bad actor to approve these notifications, they would need physical access to that device, right? Not always.
A common tactic that hackers have been leveraging is stealing their victim’s credentials via a phishing attack, logging into their accounts, and then sending push notifications over and over until one is approved. By doing so, the hacker hopes either to annoy their victim into approving one of the notifications, or that they’ll absent-mindedly approve one by mistake.
This tactic even works for push notifications that involve contextual information about the login as part of the notification—such as login time, location, and IP address—because hackers can often use IP proxies in the same geographical area as their victims to avoid suspicion.
And this tactic actually works. In a 2021 report, cybersecurity company Mandiant noted that it had observed multiple instances of successful push notification abuse by cyber-espionage group Nobelium—the group behind the infamous SolarWinds supply chain attack of 2020. These attacks are also surprisingly common, with organizations having experienced a 33% increase in push attacks in 2022.
5. False SMS Recovery
Lastly, false SMS recoveries are among the most common types of MFA hacks. These involve a hacker triggering a password reset for a service and then impersonating the vendor to trick their victim into sending the SMS recovery code directly to them. Using this, the hacker can set a new password and take over the victim’s entire account.
For this example, let’s bring back Alice.
All the hacker needs to know about Alice for this trick to work is her email address and phone number. To set off the chain of events, the hacker first sends Alice an SMS message impersonating a vendor—let’s say Google. The text message says that there’s been some unusual activity on her account and that she’ll shortly receive an SMS code in a separate message, which she needs to reply with to stop her account from being blocked.
The hacker will then trigger a password reset on Alice’s Gmail account and choose to have the recovery code sent via SMS. Alice receives the code and copies it back into her conversation with the hacker. Once the hacker has the code, they can then set a new password and gain full control over Alice’s account.
Which MFA Factors Are Non-Phishable?
We’ve focused on a lot of the doom and gloom that comes with using weaker types of MFA—but there is a silver lining to all of this. Knowing which MFA factors to avoid is half of the battle, and now you can focus your efforts on using strong, non-phishable MFA factors. In this section, we’ll run you through two examples of non-phishable MFA.
But before we get started, we’d like to remind you that nothing is un-hackable. Some MFA factors are certainly easier to hack than others—as we’ve demonstrated—but there’s no such thing as a completely un-hackable system. So, throughout this section, we’re going to look at examples of non-phishable MFA, not un-hackable MFA.
Let’s get into it.
Biometrics
Biometric authentication is a way of proving user identity using live biological traits that are completely unique to each user. These include physiological traits (such as facial and fingerprint scans, vein patterns, and hand geometry), as well as behavioral traits (such as the way that users walk, talk, type, move, and interact with their devices).
Using biometrics is one of the safer ways to prove user identity, because biometric traits are extremely difficult to steal, impossible to phish, and even more difficult to fake.
To authenticate identity, a user simply needs to scan a physiological trait or perform a certain behavior. The system will then compare the sample collected in this authentication attempt with the biometric “template” on file, and if it matches, they’re granted access.
Find out more about biometrics and how they work in our article: What Is Biometric Authentication And How Secure Is It? And to find the right biometric solution for your business, take a look at our guide: The Top 10 Biometric Authentication Solutions.
FIDO2 Hardware Security Tokens
FIDO2 is an umbrella term for a set of authentication specifications developed by the FIDO Alliance (a consortium of tech companies) to increase authentication security and replace the use of passwords. Two key components of FIDO2 are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and the FIDO Alliance’s Client to Authenticator Protocol (CTAP).
FIDO2 hardware security tokens often come in the form of security keys that users insert into their device ports to authenticate their identities—an example of this is the YubiKey range. Many also come with biometric fingerprint readers so that they provide two factors of authentication in one—something you have (the security key) and something you are (your fingerprint).
These hardware tokens are phish-proof because they’re based on FIDO2’s public key cryptography, in which a pair of keys (one public and one private) work together to authenticate a user.
When a user registers with a new online service using their FIDO2 hardware token, a new key pair is generated for that service: the public key is stored in the service’s key database, and the private key stays on the token. From then on, the user proves their identity by signing the service’s login challenge with that private key, which never leaves the token.
Login happens locally, meaning a hacker can’t hijack the login session remotely, and, because the user doesn’t actually hold a set of credentials, there’s nothing for them to give away in a phishing attack.
Suggestions For Securing Your MFA
Here are some of the ways you can further secure your MFA systems against social engineering attacks.
Move Away From Passwords
Passwords are quite often a huge part of the issue when it comes to MFA attacks.
Organizations can enable passwordless authentication by ditching passwords as a factor altogether and leveraging FIDO2 passwordless standards. Passwordless authentication is generally considered far safer than using passwords, but can be controversial—as seen by the backlash that Microsoft experienced after ruling that all its users should log in using passwordless authentication in 2021.
To find the right passwordless solution for your business, take a look at our guide: The Top 10 Passwordless Authentication Solutions.
Ensure Backup Methods Of Authentication Are Just As Strong
Many vendors are beginning to adopt safer methods of authentication—such as enabling the use of smartcards or biometrics when logging in. But what happens when you’re having a bad fingerprint day and your authentication attempt keeps getting rejected, or if you lose your smartcard? How do you access your account?
Many vendors will offer alternative methods of proving identity as a failsafe in the event that one method fails. But the trouble is, many offer weaker methods (such as OTPs) as the failsafe—which defeats the whole point. A hacker could then attempt to log into their victim’s account, deliberately fail the more secure MFA factor, and attack the account via the weak failsafe factor instead.
Failsafes are always a good idea—especially if you want to prevent your IT team from being flooded with frustrated users who are locked out of their accounts. But, if you do implement one, you should make sure it’s just as secure as the method it’s replacing.
Security Awareness Training For Users
Social engineering relies on human error to be successful. So, if you do continue to use phishable MFA factors (and, even if you don’t), we strongly advise enrolling your users in training to teach them how to spot and report phishing attacks.
Security awareness training is designed to educate your users on the types of attacks they might face, how to spot them, and how to respond to them. This is usually via a combination of modular training content and phishing simulations that test how your users would react to a real-life phishing email.
To find the right solutions for you, take a look at our guides:
- The Top 10 Security Awareness Training Solutions
- The Top 10 Phishing Simulation And Testing Solutions
- The Top 11 Phishing Awareness Training Solutions
- The Top 10 Security Awareness Content And Development Solutions
Summary
So, while not all MFA is phishable, a lot of it is. And it’s always better to stop an attack from happening in the first place rather than having to deal with the fallout after the fact.
So, ditch the OTPs and the push notifications (if you can), and invest in more secure, non-phishable MFA. Who knows, it could be the difference between a breach and business as usual.