PayThink

Multifactor authentication is still hackable


Multifactor authentication promises to give us better login security, especially as compared to traditional, password-only methods. But that doesn’t mean that MFA can’t and won’t be attacked.

Hackers aren’t going to fold up their chairs and go home. In fact, many attacks against MFA are as easy to accomplish as sending a simple phishing email.

MFA is slowly replacing password-only methods for secure authentication. It blocks many types of attack outright, such as a simple phishing page that asks only for your login information: a stolen password is no longer enough on its own to get into the account. You can’t be phished out of a secret you never possess.

Studies have shown that using MFA significantly reduces some forms of hacking, particularly bulk automated attacks. Targeted attacks are another matter. MFA still helps, but any MFA solution can be attacked in at least a half-dozen ways. For as long as we have had MFA it has been bypassed, and it will remain susceptible to bypass.

And that is an important point. Many MFA proponents believe that using MFA makes them far less likely to be successfully attacked, and that is true. But many of those same proponents go further and conclude that MFA itself cannot be hacked.

Some MFA vendors literally advertise their solution as unhackable. Failing to understand the difference between those two statements, “less likely” and “cannot be done,” ends up creating more cybersecurity risk, not less.

Here is an example of a very simple MFA bypass attack. The victim is sent an email containing a link to a common website they know and trust. But the link points to a near-look-alike URL that lands them on a rogue website designed to look like the real one. The rogue website functions as a man-in-the-middle, proxying all traffic between the real website and the victim. Anything the real website asks for, such as an MFA code, is relayed to the user, and whatever the user types is relayed to the real website; a one-time code is still valid when it is passed along a few seconds later. After the user “successfully” logs in, the proxy captures the session cookie the real website sends back. That cookie lets the attacker take complete control of the account without ever needing the password or the MFA code again.
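To make the relay concrete, here is an added simulation; it is not code from the original article or from any vendor. It builds an in-memory “real site” that asks for a password and then a one-time code, a victim who types whatever the page in front of them asks for, and a proxy on a constructed look-alike origin that forwards every prompt and answer and keeps the resulting session cookie. The site names, the account and the secrets are all made up. It goes one step beyond the paragraph above by also running the same relay against a second factor that signs the origin the browser actually loaded (the idea behind WebAuthn, reduced here to an HMAC), to show which part of the exchange the proxy can and cannot forge.

```python
# Added simulation of the man-in-the-middle phishing proxy described above. The
# site names, account and secrets are constructed; no network or real service is used.
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://bank.example"           # the site the victim meant to visit
LOOKALIKE_ORIGIN = "https://bank-examp1e.com"  # the rogue near-look-alike URL


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 one-time code: HMAC-SHA1 over the time counter, truncated."""
    counter = struct.pack(">Q", int(now // step))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def origin_bound_tag(device_key: bytes, login_id: str, origin: str) -> str:
    """Second factor that signs the origin the browser loaded (WebAuthn idea, as an HMAC)."""
    return hmac.new(device_key, f"{login_id}|{origin}".encode(), hashlib.sha256).hexdigest()


class RealSite:
    """The legitimate site: password, then a second factor, then a session cookie."""

    def __init__(self, user, password, totp_secret, device_key):
        self.user, self.password = user, password
        self.totp_secret, self.device_key = totp_secret, device_key
        self.pending, self.sessions = set(), {}

    def submit_password(self, user, password):
        if user != self.user or not hmac.compare_digest(password, self.password):
            return None
        login_id = secrets.token_hex(8)
        self.pending.add(login_id)
        return login_id  # "now enter your MFA code"

    def submit_totp(self, login_id, code, now):
        if login_id not in self.pending:
            return None
        self.pending.discard(login_id)
        if not hmac.compare_digest(code, totp(self.totp_secret, now)):
            return None
        return self._issue_cookie()

    def submit_origin_bound(self, login_id, tag):
        # Only a tag computed over the site's OWN origin is ever accepted.
        if login_id not in self.pending:
            return None
        self.pending.discard(login_id)
        expected = origin_bound_tag(self.device_key, login_id, REAL_ORIGIN)
        return self._issue_cookie() if hmac.compare_digest(tag, expected) else None

    def _issue_cookie(self):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = self.user
        return cookie


class Victim:
    """Types whatever the page in front of them asks for, without checking the URL."""

    def __init__(self, user, password, totp_secret, device_key):
        self.user, self.password = user, password
        self.totp_secret, self.device_key = totp_secret, device_key

    def credentials(self, origin_shown):
        return self.user, self.password

    def totp_code(self, origin_shown, now):
        return totp(self.totp_secret, now)  # identical wherever it is typed

    def origin_bound(self, origin_shown, login_id):
        # The authenticator signs the origin the browser really loaded.
        return origin_bound_tag(self.device_key, login_id, origin_shown)


def relay_attack(site, victim, now, factor="totp"):
    """The rogue proxy: relay each prompt to the victim and each answer to the real
    site, then keep the cookie. Returns the stolen cookie, or None if rejected."""
    user, password = victim.credentials(LOOKALIKE_ORIGIN)
    login_id = site.submit_password(user, password)
    if login_id is None:
        return None
    if factor == "totp":
        return site.submit_totp(login_id, victim.totp_code(LOOKALIKE_ORIGIN, now), now)
    return site.submit_origin_bound(login_id, victim.origin_bound(LOOKALIKE_ORIGIN, login_id))


def demo():
    """Relay against both factors; returns (user behind the stolen cookie, origin-bound result)."""
    totp_secret, device_key = secrets.token_bytes(20), secrets.token_bytes(32)
    site = RealSite("alice", "correct horse", totp_secret, device_key)
    victim = Victim("alice", "correct horse", totp_secret, device_key)
    now = 1_700_000_000.0
    stolen = relay_attack(site, victim, now, "totp")
    blocked = relay_attack(site, victim, now, "origin_bound")
    return site.sessions.get(stolen), blocked  # -> ("alice", None)


if __name__ == "__main__":
    print(demo())
```

Run it and the TOTP relay hands the proxy a live cookie for alice: a code typed on the look-alike page is identical to one typed on the real page, and it is still valid when forwarded within the 30-second window. The origin-bound attempt is rejected: the authenticator signed bank-examp1e.com, the real site only accepts a signature over bank.example, and the proxy cannot repair that without the device key. That check is the machine equivalent of the user looking at the URL before typing.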

But if users mistakenly think that MFA means they no longer have to worry about simple phishing emails, or no longer need to verify that the URL they are clicking is the one they intended, they become more likely to fall for exactly this scam.
