Multi-factor authentication (MFA) is a security control that adds an extra layer of protection to accounts by requiring multiple factors of identity to be verified before a user is allowed to access an account. For users, this typically means presenting a username and password alongside a second factor, such as a one-time passcode, a fingerprint scan, or a software or hardware token stored on a trusted device.
According to Microsoft, implementing MFA can stop up to 99.99% of account compromise attempts. MFA makes it much harder for hackers to gain access to your data, even if they are able to steal your password in a phishing attempt or malware attack. Unfortunately, hackers don't give up easily, and as MFA has become more widespread, they have evolved their attack methods to bypass MFA controls.
MFA bypass is a term used to describe a range of attack methods employed by hackers to circumvent MFA security controls. It ranges from social engineering attacks such as 'MFA fatigue' attacks, in which attackers spam a user with authentication requests until one is approved, up to advanced malware that compromises software tokens held in browser sessions.
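The MFA fatigue pattern described above leaves a recognisable trace in authentication logs: a burst of push challenges for one account, most of them denied or timed out, sometimes followed by an approval. The following detection logic is an added example written for this article, not code from any product mentioned on the page; the log format and the sample lines are constructed, and the window and threshold values are assumptions to be tuned to your own data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article):
# <timestamp> <user> <event> <result>
SAMPLE_LOG = """\
2024-03-01T08:00:01Z alice push_challenge denied
2024-03-01T08:00:40Z alice push_challenge denied
2024-03-01T08:01:10Z alice push_challenge timeout
2024-03-01T08:01:55Z alice push_challenge denied
2024-03-01T08:02:30Z alice push_challenge denied
2024-03-01T08:03:05Z alice push_challenge approved
2024-03-01T09:15:00Z bob push_challenge approved
2024-03-01T12:30:00Z bob push_challenge denied
2024-03-01T13:45:12Z bob push_challenge approved
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, event, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Flag users who received at least `threshold` push challenges inside
    `window` where the majority were not approved. If an approval appears
    inside such a burst it is recorded, since that is the point at which a
    fatigue attack would have succeeded. Window and threshold are assumed
    defaults, not values from the article."""
    by_user = defaultdict(list)
    for ts, user, event, result in events:
        if event == "push_challenge":
            by_user[user].append((ts, result))

    findings = {}
    for user, challenges in by_user.items():
        challenges.sort()
        for i in range(len(challenges)):
            start = challenges[i][0]
            burst = [c for c in challenges[i:] if c[0] - start <= window]
            if len(burst) < threshold:
                continue
            rejected = sum(1 for _, r in burst if r != "approved")
            if rejected * 2 > len(burst):  # majority of prompts not approved
                findings[user] = {
                    "prompts": len(burst),
                    "rejected": rejected,
                    "approved_after_burst": any(r == "approved" for _, r in burst),
                    "first": burst[0][0],
                    "last": burst[-1][0],
                }
                break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for user, info in detect_mfa_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```

On the sample data only `alice` is flagged: six prompts in about three minutes, five of them rejected, with a final approval that should be treated as a suspected compromise and trigger a session review. `bob` has three prompts spread across the day and is ignored.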
MFA comes in many different form factors, some of which offer better resilience against MFA bypass attacks than others. The most secure forms of MFA will support FIDO authentication, a passwordless, open-source form of MFA that is resistant to MFA fatigue attempts. FIDO keys will include features like "number matching" to reduce the risk of social engineering, and have built-in anti-tamper features. In this article, we'll outline the top five solutions to prevent MFA bypass. We'll consider key features, pricing, and our recommendations for which organizations best fit these technologies.
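Number matching defeats blind approval of an unsolicited prompt because the approver has to type a value that only the login screen shows. The sketch below is an added, illustrative server-side model of that check, written for this article and not taken from any vendor's implementation; the class name, the 60-second lifetime and the two-digit number are assumptions. It shows the three properties that make the control effective: the number is bound to one challenge, it expires, and it can be attempted only once.

```python
import hmac
import secrets
import time


class NumberMatchChallenge:
    """Illustrative server side of a number-matching push prompt (assumed design).

    The login page displays `number`; the authenticator app must send back the
    same number together with the challenge id. A bare 'approve' with no number
    can never satisfy verify(), so spamming prompts at a tired user gains nothing
    unless the user also reads the number off the attacker's screen.
    """

    TTL_SECONDS = 60  # assumed lifetime of a prompt

    def __init__(self, user, now=None):
        self.user = user
        self.challenge_id = secrets.token_hex(16)       # sent to the app
        self.number = f"{secrets.randbelow(100):02d}"   # shown on the login screen only
        self.created = now if now is not None else time.time()
        self.consumed = False

    def verify(self, challenge_id, entered_number, now=None):
        """Return True only for the matching number, on a live, unused challenge."""
        now = now if now is not None else time.time()
        if self.consumed or now - self.created > self.TTL_SECONDS:
            return False
        if not hmac.compare_digest(challenge_id, self.challenge_id):
            return False
        ok = hmac.compare_digest(entered_number, self.number)
        self.consumed = True  # single attempt, whether it succeeded or not
        return ok


def approve_without_number(challenge):
    """Model an 'approve' tap that carries no number, as in a plain push prompt."""
    return challenge.verify(challenge.challenge_id, "", now=challenge.created + 1)


if __name__ == "__main__":
    c = NumberMatchChallenge("alice")
    print("login screen shows:", c.number)
    print("blind approve accepted?", approve_without_number(c))
```

The `hmac.compare_digest` calls keep the comparison constant-time; the `consumed` flag is what stops an attacker from brute-forcing a two-digit number by re-submitting the same challenge.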