Multi-factor authentication (MFA) is a security control that adds an extra layer of protection to accounts by requiring multiple factors of identity to be verified before a user is allowed to access an account. For users, this typically means presenting a username and password alongside a second factor, such as a one-time passcode, a fingerprint scan, or a software or hardware token stored on a trusted device.
According to Microsoft, implementing MFA can stop up to 99.99% of account compromise attempts. MFA makes it much harder for hackers to gain access to your data – even if they are able to steal your password in a phishing attempt or malware attack. Unfortunately, hackers don’t give up easily, and as MFA has become more widespread, they have evolved attack methods to bypass MFA controls.
MFA bypass is a term used to describe a range of attack methods employed by hackers to circumvent MFA security controls. It ranges from social engineering attacks such as ‘MFA fatigue’ attacks, in which attackers spam a user with authentication requests, up to advanced malware that compromises software tokens held in browser sessions.
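The ‘MFA fatigue’ pattern described above leaves a clear trace in identity-provider logs: a burst of push prompts to one user, mostly denied or timed out, sometimes ending in an approval. The Go program below is an added example and is not code from this article or from any of the vendors reviewed in it. It runs a sliding-window rule over a constructed sample of push-prompt events (hypothetical users alice and bob, a simplified key=value log format and RFC 3339 timestamps are all assumptions made for the example) and flags any user who received five or more prompts within five minutes, recording whether the burst contained an approval.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is a constructed sample in a simplified key=value format, not output from any real identity provider.
const sampleLog = `2024-05-01T02:14:03Z user=alice method=push result=denied ip=203.0.113.7
2024-05-01T02:14:41Z user=alice method=push result=denied ip=203.0.113.7
2024-05-01T02:15:20Z user=alice method=push result=timeout ip=203.0.113.7
2024-05-01T02:16:02Z user=alice method=push result=denied ip=203.0.113.7
2024-05-01T02:16:45Z user=alice method=push result=timeout ip=203.0.113.7
2024-05-01T02:17:30Z user=alice method=push result=approved ip=203.0.113.7
2024-05-01T08:30:11Z user=bob method=push result=approved ip=198.51.100.22
2024-05-01T12:05:00Z user=bob method=push result=denied ip=198.51.100.22
2024-05-01T12:05:40Z user=bob method=push result=approved ip=198.51.100.22`

// pushEvent is one push prompt and its outcome.
type pushEvent struct {
	At     time.Time
	User   string
	Result string // approved, denied or timeout
}

// parseLine turns one sample line into a pushEvent.
func parseLine(line string) (pushEvent, error) {
	var ts, user, method, result, ip string
	if _, err := fmt.Sscanf(line, "%s user=%s method=%s result=%s ip=%s", &ts, &user, &method, &result, &ip); err != nil {
		return pushEvent{}, fmt.Errorf("malformed line %q: %w", line, err)
	}
	at, err := time.Parse(time.RFC3339, ts)
	if err != nil {
		return pushEvent{}, err
	}
	return pushEvent{At: at, User: user, Result: result}, nil
}

// fatigueAlert describes a burst of prompts that looks like push bombing.
type fatigueAlert struct {
	User     string
	Prompts  int       // prompts in the densest window
	Start    time.Time // first prompt of that window
	Approved bool      // the burst contains an approval: treat as a likely compromise
}

// detectPushFatigue reports every user who received at least threshold prompts within
// any sliding window of the given length, and whether that burst contains an approval.
func detectPushFatigue(events []pushEvent, threshold int, window time.Duration) []fatigueAlert {
	byUser := map[string][]pushEvent{}
	for _, ev := range events {
		byUser[ev.User] = append(byUser[ev.User], ev)
	}
	var alerts []fatigueAlert
	for u, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		best, start := fatigueAlert{User: u}, 0
		for end := range evs {
			for evs[end].At.Sub(evs[start].At) > window { // slide the window start forward
				start++
			}
			if n := end - start + 1; n > best.Prompts {
				best.Prompts, best.Start, best.Approved = n, evs[start].At, false
				for _, e := range evs[start : end+1] {
					best.Approved = best.Approved || e.Result == "approved"
				}
			}
		}
		if best.Prompts >= threshold {
			alerts = append(alerts, best)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts
}

// analyzeSample parses sampleLog and applies a 5-prompts-in-5-minutes rule.
func analyzeSample() ([]fatigueAlert, error) {
	var events []pushEvent
	for _, line := range strings.Split(sampleLog, "\n") {
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return detectPushFatigue(events, 5, 5*time.Minute), nil
}

func main() {
	alerts, err := analyzeSample()
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s: %d prompts from %s, approved=%v\n", a.User, a.Prompts, a.Start.Format(time.RFC3339), a.Approved)
	}
}
```

The threshold and window are the parts to tune against your own baseline of legitimate retries. A dense run of denials or timeouts that ends in an approval is the case to escalate first, because that is what a worn-down user accepting an attacker's prompt looks like; bob's two prompts in the sample fall well below the rule and produce no alert.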
MFA comes in many different form factors, some of which offer better resilience against MFA bypass attacks than others. The most secure forms of MFA support FIDO authentication, a passwordless, open-source form of MFA that is resistant to MFA fatigue attempts. FIDO keys include features like “number matching” to reduce the risk of social engineering, and have built-in anti-tamper features.
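What makes FIDO authentication resistant to phishing and relay attacks is that the authenticator's signature is bound to the site's identifier, to the origin the browser actually connected to, and to a single-use challenge issued by the site. The Go program below is an added illustration of that relying-party check, written in the shape of a WebAuthn assertion (clientDataJSON, authenticator data, an ECDSA P-256 signature) but heavily simplified: it is not code from this article or from any vendor above, it stands in for the security key with a software key, and it omits credential lookup, attestation and the signature counter. The site name accounts.example, the look-alike accounts-example.test and all function names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

const rpID, origin = "accounts.example", "https://accounts.example" // the genuine site; hypothetical names for this example
var rpIDHash = sha256.Sum256([]byte(rpID))                            // authenticator data starts with this hash

// clientData holds the clientDataJSON fields this check relies on; the browser, not the page, sets origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	AuthData       []byte // rpIdHash (32) || flags (1) || signCount (4)
	ClientDataJSON []byte
	Signature      []byte
}

func signedDigest(authData, clientDataJSON []byte) []byte { // what ECDSA signs: SHA-256(authData || SHA-256(clientDataJSON))
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// authenticatorSign stands in for the security key: the signature covers the rpID hash and the origin the browser reported.
func authenticatorSign(priv *ecdsa.PrivateKey, seenOrigin, challenge string) assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: seenOrigin}) // fixed struct, cannot fail
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 0) // flags: user present; sign counter left at zero
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		panic(err) // only on RNG failure
	}
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}
}

// verify runs the relying-party checks: fresh challenge, expected origin, rpID hash and user presence, then the signature.
func verify(pub *ecdsa.PublicKey, expectedChallenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q is not %q: relayed login rejected", cd.Origin, origin)
	}
	if len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(rpIDHash[:]) || a.AuthData[32]&0x01 == 0 {
		return errors.New("authenticator data: wrong rpIdHash or user presence not asserted")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// newChallenge issues a fresh random, single-use challenge for one login attempt.
func newChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// runScenarios registers a key, then tries a legitimate login, a login relayed through
// a look-alike site, and a replay of the legitimate assertion against a new challenge.
func runScenarios() map[string]error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	results := map[string]error{}
	ch := newChallenge()
	legit := authenticatorSign(priv, origin, ch)
	results["legit"] = verify(&priv.PublicKey, ch, legit)
	// A relay site forwards the genuine challenge, but the browser reports the look-alike origin.
	ch = newChallenge()
	results["phished"] = verify(&priv.PublicKey, ch, authenticatorSign(priv, "https://accounts-example.test", ch))
	results["replay"] = verify(&priv.PublicKey, newChallenge(), legit) // old assertion, new challenge: rejected
	return results
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-8s -> %v\n", name, err)
	}
}
```

The origin check is the one a one-time passcode can never give you: a passcode typed into a look-alike page is just a string and relays cleanly, whereas here the browser writes the origin it really loaded into clientDataJSON, the key signs over it, and the genuine site refuses anything signed for another origin. The replay case shows why each challenge must be issued fresh and consumed once.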
In this article, we’ll outline the top 6 solutions to prevent MFA bypass. We’ll consider key features, pricing, and our recommendations for which organizations best fit these technologies.
Okta is a leading identity provider headquartered in San Francisco, California. Okta secures more than 10,000 organizations globally, including companies such as Slack, T-Mobile and Twilio. They are known for secure multi-factor authentication, single sign-on, and identity and access management solutions.
Okta Features
Supported MFA methods: Passwords, PINs, OTPs, hardware tokens, biometrics, cryptographic device markers, FIDO, OAuth and more.
Pricing: Okta’s MFA solution starts at $3 per user per month. Okta Adaptive MFA starts at $6 per user per month, adding contextual access management policy controls.
Expert Insights Comments: Okta is a market-leading MFA provider, offering highly secure, adaptive multi-factor authentication with a range of supported form factors, including FIDO, and granular authentication policies. We recommend that organizations of all sizes looking to secure against MFA bypass and implement a comprehensive identity management platform consider shortlisting Okta.
Microsoft Azure Active Directory is Microsoft’s enterprise identity service for Microsoft 365. This service manages user credentials and enforces secure multi-factor authentication, single sign-on, and conditional access policies to secure M365 accounts against compromise and takeover attacks.
Microsoft Azure Active Directory Features
Supported MFA methods: Passwords, SMS and voice OTPs, Microsoft Authenticator app (push notifications and biometrics), software token OTPs, hardware token OTPs, FIDO security keys, Windows Hello, and certificates.
Pricing: Azure Premium P1 starts at $6 per user per month. Azure Premium P2 starts at $9 per user per month. A full breakdown of features for each tier can be viewed in the Active Directory documentation. Azure AD is also included in some Microsoft 365 licenses.
Expert Insights Comments: Azure Active Directory is one of the most widely used authentication platforms, managing millions of user identities every day. Their key differentiators are the huge volume of data they collect, and the vast range of supported integrations. Azure AD is a strong choice for M365 users looking to roll out bypass-resistant MFA and SSO across their users.
Yubico, founded in 2007 and headquartered in Palo Alto, California, is a leading provider of secure authentication technologies for endpoints, browsers, networks, and more. Yubico supports the phishing-resistant FIDO authentication standard and produces the YubiKey series, a hardware key designed to enable secure, passwordless multi-factor authentication.
Yubico YubiKey Features
Supported Authentication Methods: Multi-protocol support, works across all browsers and operating systems, up to six form factors for different devices and a wide range of support including biometrics and NFC.
Pricing: Pricing for a single YubiKey starts at $45 USD. Scalable enterprise service models available, specific pricing depends on key series and requirements.
Expert Insights Comments: The YubiKey series is a strong hardware authentication option for enterprise organizations or small teams looking for the most secure method of implementing MFA and preventing unauthorized account access. The devices are portable and widely supported across devices and applications for secure, phishing-resistant, passwordless authentication.
Thales is a multi-national aerospace, transportation, defense, and security company. Their workforce identity and access management solution, SafeNet Trusted Access, delivers granular access management, secure, phishing-resistant MFA, single sign-on, and robust reporting and analytics.
Thales SafeNet Trusted Access Features
Supported Authentication Methods: OTP push notifications via app and desktop, OTP hardware tokens (both Thales’s own and third-party), pattern-based authentication, email and SMS, passwords, adaptive MFA, FIDO, passwordless authentication, biometrics, and more.
SafeNet Trusted Access Pricing: Pricing for this solution is available directly from the vendor via quote request.
Expert Insights Comments: Thales SafeNet Trusted Access is a leading identity and access management solution which we recommend for large enterprise users, or organizations needing the maximum-security controls available to secure high value accounts. The solution is trusted and highly secure, supports a broad range of authentication technologies, and enforces granular contextual access policies.
HID is a global identity and access management provider for both cloud digital services and on-premises environments. HID’s MFA solution protects workforce identities and data with secure, passwordless MFA, supporting a wide range of use cases, methods and form factors, including biometric readers, their own smart cards and keys, and industry-standard methods including FIDO.
HID Multi-Factor Authentication Features
Supported Authentication Methods: Smart cards, security keys, OTP tokens, mobile authentication, biometrics, passwordless, FIDO, PKI, and more.
Pricing: Pricing information can be requested from HID directly.
Expert Insights Comments: HID offers a comprehensive and secure range of MFA and access management solutions, which we would recommend to enterprise organizations, particularly those in the banking, healthcare, manufacturing, education and government sectors. Their solutions are resistant to phishing and convenient for end users, supporting a range of authentication methods and form factors ranging from hardware tokens to secure passwordless technology.
RSA is a market-leading provider of secure hardware authentication tokens and services. Their SecurID line of hardware devices enables secure, passwordless authentication using FIDO or OTP. RSA was founded in 1982 and currently secures more than 25 million enterprise identities across more than 12,000 customers.
RSA SecurID Features
Supported Authentication Methods And Token Types: Hardware tokens, text messages, authentication app, software tokens, RADIUS, SAML, Active Directory, FIDO, and more.
Pricing: RSA SecurID pricing can be obtained by contacting the vendor directly.
Expert Insights Comments: RSA is one of the world’s most trusted identity providers, known for their highly secure authentication tokens and seamless MFA solutions. We recommend this solution to enterprise organizations and service providers looking for highly secure, phishing-resistant authentication tokens to deploy to on-premises environments and secure against MFA bypass and account compromise.
The reason to use MFA is as simple as this: it improves account security. By using MFA, you are using (at least) two means of verifying identity, which drastically decreases the chances of a malicious actor gaining access to your account. For example, if you don’t use MFA, all an attacker needs to gain access to your account is your password. If, however, your account also requires biometric authentication before permitting access, the attacker is unable to get in with the password alone.
Not all authentication factors were created equal. Some are harder for hackers to bypass, while others are easier to use in specific workplaces.
There are three common authentication factors that are used in MFA. These are knowledge factors, possession factors, and biometric factors.
Knowledge Factors – these include passwords and security questions. While these factors are quick and easy to create, they are not the most secure. Passwords are easily shared or stolen, and can be cracked relatively easily. You should use a complex and unique password for each of your online accounts.
Possession Factors – these are things that you own. Most commonly, this will be a smartphone or device that is linked to your account. When you attempt to log in, a notification will ask you to verify that you are the one trying to gain access. This method is secure and has little negative effect on productivity.
Biometric Factors – these are some of the most secure factors in use. Biometric factors usually involve either facial recognition (Face ID) or fingerprint technology (Touch ID). As many smartphones have these capabilities built in, use of this authentication factor has increased dramatically. This method is very hard to bypass.
Joel Witts is the Content Director at Expert Insights, meaning he oversees all articles published and topics covered. He is an experienced journalist and writer, specialising in identity and access management, Zero Trust, cloud business technologies, and cybersecurity. Joel is a co-host of the Expert Insights Podcast and conducts regular interviews with leading B2B tech industry experts, including directors at Microsoft and Google. Joel holds a First Class Honours degree in Journalism from Cardiff University.
Laura Iannini is an Information Security Engineer. She holds a Bachelor’s degree in Cybersecurity from the University of West Florida. Laura has experience with a variety of cybersecurity platforms and leads technical reviews of leading solutions. She conducts thorough product tests to ensure that Expert Insights’ reviews are definitive and insightful.