
The Top 6 Solutions To Prevent MFA Bypass Attacks

Hackers are using new methods to circumvent multi-factor authentication controls. Here are the top solutions to stay protected against MFA bypass attacks.

The Top Solutions To Prevent MFA Bypass Attacks Include:
  • 1. Okta Multi-Factor Authentication
  • 2. Microsoft Azure Active Directory
  • 3. Yubico YubiKey
  • 4. Thales SafeNet Trusted Access
  • 5. HID Multi-Factor Authentication
  • 6. RSA SecurID

Multi-factor authentication (MFA) is a security control that adds an extra layer of protection to accounts by requiring multiple factors of identity to be verified before a user is allowed to access an account. For users, this typically means presenting a username and password alongside a second factor, such as a one-time passcode, a fingerprint scan, or a software or hardware token stored on a trusted device.

According to Microsoft, implementing MFA can stop up to 99.99% of account compromise attempts. MFA makes it much harder for hackers to gain access to your data – even if they are able to steal your password in a phishing attempt or malware attack. Unfortunately, hackers don’t give up easily, and as MFA has become more widespread, they have evolved attack methods to bypass MFA controls. 

MFA bypass is a term used to describe a range of attack methods employed by hackers to circumvent MFA security controls. It ranges from social engineering attacks such as ‘MFA fatigue’ attacks, in which attackers spam a user with authentication requests until one is approved, up to advanced malware that compromises software tokens in browser sessions. 

MFA comes in many different form factors, some of which offer better resilience against MFA bypass attacks than others. The most secure forms of MFA support FIDO authentication – a passwordless, open-standard form of MFA that is resistant to MFA fatigue attempts. FIDO keys will include features like “number matching” to reduce the risk of social engineering, and have built-in anti-tamper features. In this article, we’ll outline the top six solutions to prevent MFA bypass. We’ll consider key features, pricing, and our recommendations for which organizations best fit these technologies. 
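To make the MFA fatigue point concrete, here is a small simulation of a push-based MFA service. It is an added example, not code from the article or from any of the vendors reviewed below; the class names, the two-digit number range, the five-prompts-per-minute threshold and the sample sessions are all constructed for illustration. It contrasts a plain approve/deny push (where any approval tap completes the login) with number matching (where the tap must also carry the number shown on the login screen, which someone approving a prompt they did not initiate cannot see), and it raises an alert when one user receives a burst of prompts, which is the signal a SOC should be watching for.

```python
# Added example (not from the original article): a minimal model of push-based
# MFA showing why "number matching" and prompt rate-limiting blunt MFA fatigue.
# All names, limits and the sample sessions below are constructed for illustration.
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PushPrompt:
    prompt_id: str
    number: int            # two-digit code displayed only on the login screen
    issued_at: float
    decided: bool = False
    approved: bool = False


@dataclass
class PushMfaService:
    """Issues push prompts and validates the user's response on the device."""
    number_matching: bool = True       # False models a plain approve/deny push
    max_prompts_per_window: int = 5    # prompt-flood threshold per user
    window_seconds: float = 60.0
    prompts: dict = field(default_factory=dict)      # prompt_id -> PushPrompt
    prompt_log: dict = field(default_factory=dict)   # user -> [issued_at, ...]
    alerts: list = field(default_factory=list)

    def start_login(self, user: str, now: Optional[float] = None) -> PushPrompt:
        """Called after the password step; sends a prompt to the user's device."""
        now = time.time() if now is None else now
        recent = [t for t in self.prompt_log.get(user, [])
                  if now - t < self.window_seconds]
        recent.append(now)
        self.prompt_log[user] = recent
        # A burst of prompts the user never asked for is the signature of MFA
        # fatigue: alert the SOC instead of silently continuing to prompt.
        if len(recent) > self.max_prompts_per_window:
            self.alerts.append(
                (user, now, f"{len(recent)} push prompts in {self.window_seconds:.0f}s"))
        prompt = PushPrompt(secrets.token_hex(8), secrets.randbelow(90) + 10, now)
        self.prompts[prompt.prompt_id] = prompt
        return prompt

    def respond(self, prompt_id: str, approve: bool,
                entered_number: Optional[int] = None) -> bool:
        """Process the tap on the device. Returns True only if login may proceed."""
        prompt = self.prompts.get(prompt_id)
        if prompt is None or prompt.decided:
            return False               # unknown prompt, or already decided once
        prompt.decided = True
        if not approve:
            return False
        if self.number_matching and entered_number != prompt.number:
            # The user must read the number off the login screen in front of them;
            # an "approve" tap on a prompt they did not initiate cannot supply it.
            return False
        prompt.approved = True
        return True


def demo() -> dict:
    """Constructed scenario comparing plain push with number matching."""
    results = {}
    plain = PushMfaService(number_matching=False)
    p = plain.start_login("alice", now=0.0)
    # With plain push, any approval tap completes the login.
    results["plain_push_blind_approve"] = plain.respond(p.prompt_id, approve=True)

    nm = PushMfaService(number_matching=True)
    p = nm.start_login("alice", now=0.0)
    # Approving without the number from the login screen fails ...
    results["nm_blind_approve"] = nm.respond(p.prompt_id, approve=True)
    # ... and a prompt cannot be decided a second time, even with the number.
    results["nm_replay"] = nm.respond(p.prompt_id, approve=True,
                                      entered_number=p.number)
    p2 = nm.start_login("alice", now=1.0)
    results["nm_correct_number"] = nm.respond(p2.prompt_id, approve=True,
                                              entered_number=p2.number)

    # Prompt flood: six prompts for one user inside the 60 s window trip the alert.
    flood = PushMfaService()
    for i in range(6):
        flood.start_login("bob", now=float(i))
    results["flood_alerted"] = len(flood.alerts) == 1
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `prompt_log` bookkeeping is the detection half of the picture: a single user receiving more prompts than they could plausibly have initiated is worth an alert regardless of whether any of them were approved, and is cheap to compute from the authentication service's own logs.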

1. Okta Multi-Factor Authentication

Okta is a leading identity provider headquartered in San Francisco California. Okta secures more than 10,000 organizations globally, including companies such as Slack, T-Mobile and Twilio. They are known for secure multi-factor authentication, single sign-on, and identity and access management solutions.

Okta Features

  • Adaptive, context-based MFA with automated authentication policies based on factors such as location and IP address
  • Secure single sign-on to reduce reliance on passwords and scope for bypass attacks
  • Wide range of assurance factors and granular authentication policies, with over 7,000 pre-built integrations
  • User directory and identity management access gateway to manage permissions and move towards zero trust
  • Support for FIDO2 (WebAuthn) authenticator standards for highly secure, passwordless multi-factor authentication

Supported MFA methods: Passwords, PINs, OTPs, hardware tokens, biometrics, cryptographic device markers, FIDO, OAuth and more.

Pricing: Okta’s MFA solution starts at $3 per user per month. Okta Adaptive MFA starts at $6 per user per month, adding contextual access management policy controls.

Expert Insights Comments: Okta is a market leading MFA provider, offering highly secure, adaptive multi-factor authentication with a range of supported form factors, including FIDO, and granular authentication policies. We recommend organizations of all sizes looking to secure against MFA bypass and implement a comprehensive identity management platform should consider shortlisting Okta.

2. Microsoft Azure Active Directory

Microsoft Azure Active Directory is Microsoft’s enterprise identity service for Microsoft 365. This service manages user credentials and enforces secure multi-factor authentication, single sign-on, and conditional access policies to secure M365 accounts against compromise and takeover attacks.

Microsoft Azure Active Directory Features

  • Secure multi-factor authentication with number matching and FIDO support through Windows Hello to prevent MFA bypass
  • Single sign-on to allow users to log into multiple applications and services using only their M365 credentials
  • Conditional access and risk-based user governance policies for implementing zero trust strategies
  • Central admin dashboard with one interface to manage all M365 users
  • Widely supported by third-party applications for importing users and integrations

Supported MFA methods: Passwords, SMS and voice OTPs, Microsoft Authenticator app (push notifications and biometrics), software-token OTPs, hardware-token OTPs, FIDO security keys, Windows Hello, and certificates. 

Pricing: Azure AD Premium P1 starts at $6 per user per month. Azure AD Premium P2 starts at $9 per user per month. A full breakdown of features for each tier can be viewed in the Active Directory documentation. Azure AD is also included in some Microsoft 365 licenses.

Expert Insights Comments: Azure Active Directory is one of the most widely used authentication platforms, managing millions of user identities every day. Its key differentiators are the huge volume of signal data it collects, and the vast range of supported integrations. Azure AD is a strong choice for M365 users looking to roll out bypass-resistant MFA and SSO across their users.

3. Yubico YubiKey

Yubico, founded in 2007 and headquartered in Palo Alto, California, is a leading provider of secure authentication technologies for endpoints, browsers, networks, and more. Yubico supports the phishing-resistant FIDO authentication standard and produces the YubiKey series, a hardware key designed to enable secure, passwordless multi-factor authentication.

Yubico YubiKey Features 

  • Small, portable hardware key which prevents phishing and account takeover by only enabling access to the physical key holder
  • Widely supported key with support for multiple authentication protocols, including FIDO, OTP, U2F and more
  • Multiple keys and form factors with support for NFC for mobile and desktops, biometrics, USB, and USB-C and more across different series
  • Meets the highest level of security and compliance standards, including the NIST SP 800-63B guidelines
  • Yubico authenticator app stores user credentials on the device and not on smartphones, improving security for enterprise users

Supported Authentication Methods: Multi-protocol support, works across all browsers and operating systems, up to six form factors for different devices and a wide range of support including biometrics and NFC.

Pricing: Pricing for a single YubiKey starts at $45 USD. Scalable enterprise service models are available; specific pricing depends on key series and requirements. 

Expert Insights Comments: The YubiKey series is a strong hardware authentication option for enterprise organizations or small teams looking for the most secure method of implementing MFA and preventing unauthorized account access. The devices are portable and widely supported across devices and applications for secure, phishing-resistant, passwordless authentication.

4. Thales SafeNet Trusted Access

Thales is a multi-national aerospace, transportation, defense, and security company. Their workforce identity and access management solution, SafeNet Trusted Access, delivers granular access management, secure, phishing-resistant MFA, single sign-on, and robust reporting and analytics.

Thales SafeNet Trusted Access Features 

  • Secure, phishing resistant MFA and SSO with a broad range of supported authentication methods
  • Passwordless authentication with support for FIDO authentication and Windows Hello
  • Granular contextual access management policies and detailed reporting
  • Wide range of supported integrations and supported authentication frameworks including SAML, RADIUS, and more
  • Detailed audit logs and reporting on attempted logins and suspicious activity 

Supported Authentication Methods: OTP push notifications via app and desktop, OTP hardware tokens (both Thales’ own and third-party), pattern-based authentication, email and SMS, passwords, adaptive MFA, FIDO, passwordless authentication, biometrics, and more.

Pricing: Pricing for this solution is available directly from the vendor via quote request.

Expert Insights Comments: Thales SafeNet Trusted Access is a leading identity and access management solution which we recommend for large enterprise users, or organizations needing the maximum-security controls available to secure high value accounts. The solution is trusted and highly secure, supports a broad range of authentication technologies, and enforces granular contextual access policies.

5. HID Multi-Factor Authentication

HID is a global identity and access management provider for both cloud digital services and on-premises environments. HID’s MFA solution protects workforce identities and data with secure passwordless MFA, supporting a wide range of use cases, methods and form factors, including biometric readers, its own smart cards and keys, and industry-standard methods including FIDO.

HID Multi-Factor Authentication Features

  • Secure, phishing resistant multi-factor authentication with a wide range of supported methods and form factors, including hardware and software
  • Authentication controls can be extended to IT infrastructure as well as devices
  • Highly granular, adaptive authentication policies and workflows
  • Ensures compliance and helps to reduce insurance premiums with trusted, secure authentication for enterprise workforces
  • Convenient and seamless end-user access and streamlined integrations for faster deployment

Supported Authentication Methods: Smart cards, security keys, OTP tokens, mobile authentication, biometrics, passwordless, FIDO, PKI, and more.

Pricing: Pricing information can be requested from HID directly.

Expert Insights Comments: HID offers a comprehensive and secure range of MFA and access management solutions, which we would recommend to enterprise organizations, particularly those in the banking, healthcare, manufacturing, education and government sectors. Its solutions are resistant to phishing and convenient for end users, supporting a range of authentication methods and form factors ranging from hardware tokens to secure passwordless technology.

6. RSA SecurID

RSA is a market-leading provider of secure hardware authentication tokens and services. Its SecurID line of hardware devices enables secure, passwordless authentication using FIDO or OTP. RSA was founded in 1982 and currently secures more than 25 million enterprise identities across more than 12,000 customers.

RSA SecurID Features 

  • Secure passwordless, risk-based authentication, and convenient single sign-on enabled by hardware tokens
  • Wide range of supported, bypass-proof, authentication methods including OTP and FIDO-based tokens
  • Robust identity and lifecycle governance framework with automation to ensure compliance and implement Zero Trust policies
  • Detailed reporting and auditing of all connected users and devices
  • Ideal for on-premises deployments with remote workforces

Supported Authentication Methods And Token Types: Hardware tokens, text messages, authentication app, software tokens, RADIUS, SAML, Active Directory, FIDO, and more.

Pricing: RSA SecurID pricing can be obtained by contacting the vendor directly.

Expert Insights Comments: RSA is one of the world’s most trusted identity providers, known for its highly secure authentication tokens and seamless MFA solutions. We recommend this solution to enterprise organizations and service providers looking for highly secure, phishing-resistant authentication tokens to deploy in on-premises environments and secure against MFA bypass and account compromise.
