Everyone should use multifactor authentication (MFA), where they can, to protect valuable information. Everyone!
The problem is that the MFA used by most people and companies is barely better than passwords and just as easy to compromise. If possible, you and your company should strive to use phishing-resistant MFA.
Unfortunately, you usually do not have a choice. The vendor or service you are using forces you to use the MFA solution they have picked and almost always that solution is easily phishable. But where you do have control, try to pick and use phishing-resistant MFA. And when you can, pressure your vendors and service providers to select and use phishing-resistant MFA.
How Is MFA Easily Phishable?
In a nutshell, most MFA solutions can be bypassed by tricking the end user into clicking on a rogue URL that leads to an attacker-controlled man-in-the-middle (MitM) proxy. The proxy relays everything the user types into what they believe is the legitimate website (including MFA login codes) to the real site in real time, and then captures the session cookie the real site issues once the login succeeds.
The best video demo of this is one by KnowBe4’s Chief Hacking Officer and infamous hacker, Kevin Mitnick. In summary, the steps were:
- Phishing email contained a URL to a fake look-alike/sound-alike website that was really a malicious MitM proxy
- Email tricked the user into visiting the malicious MitM proxy website
- User typed in credentials (including the MFA code), which the proxy, now acting as the user, relayed to the legitimate website
- Legitimate website sent back a legitimate session token (cookie), which Kevin captured at the proxy and replayed from his own browser to take over the user’s session
Note: Kevin used Evilginx, but there are dozens, if not hundreds, of ways to do this type of attack. They all begin with phishing: tricking the user into clicking on a rogue URL link. If a user can be tricked into typing their MFA code into a fake website, this type of attack will succeed against some portion of potential victims, because the one-time code is just another value the proxy can forward.
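The difference between the MFA that Kevin’s proxy walks straight through and MFA that resists it comes down to what the second factor is bound to. A one-time code is bound to nothing but time, so a proxy can forward it unchanged; a FIDO2/WebAuthn assertion is signed over the origin the browser is actually talking to, so an assertion produced on the look-alike domain fails verification at the real site. The following is an added example, not code from the original post or from Evilginx: it models both flows in plain Python. The TOTP implementation follows RFC 6238. The WebAuthn side is a simplified stand-in: the credential "signs" with HMAC over a shared key instead of a real public-key signature, and the origin strings, secrets and session-token logic are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct
import time

# ---- Phishable factor: TOTP per RFC 6238 (HOTP per RFC 4226 over a time counter) ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp_login(server_secret: bytes, submitted_code: str, unix_time: int):
    """Server side: check the code; on success issue a bearer session token (constructed)."""
    if hmac.compare_digest(totp(server_secret, unix_time), submitted_code):
        return base64.urlsafe_b64encode(secrets.token_bytes(24)).decode()  # session cookie
    return None

# ---- Phishing-resistant factor: origin-bound assertion (WebAuthn-style, simplified) ----
LEGIT_ORIGIN = "https://login.example.com"          # assumed relying-party origin
PHISH_ORIGIN = "https://login.example-com.net"      # assumed look-alike proxy origin

def client_sign(cred_key: bytes, challenge: str, browser_origin: str) -> dict:
    """Authenticator side. The browser, not the user, fills in the origin it is on."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    ).encode()
    # Stand-in for the private-key signature: HMAC over clientDataJSON.
    sig = hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}

def rp_verify(cred_key: bytes, expected_challenge: str, assertion: dict) -> bool:
    """Relying-party side: origin and challenge must match before the signature counts."""
    data = json.loads(assertion["clientData"])
    if data.get("type") != "webauthn.get" or data.get("origin") != LEGIT_ORIGIN:
        return False
    if data.get("challenge") != expected_challenge:
        return False
    expected = hmac.new(cred_key, assertion["clientData"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])

# ---- The relay attack from the steps above, run against both factors ----
def simulate_proxy_phish() -> dict:
    """Victim interacts only with PHISH_ORIGIN; the proxy forwards everything to the real site."""
    results = {}

    # 1. TOTP: the victim types the 6-digit code into the phish page, the proxy relays it,
    #    the real site accepts it and hands the proxy a session cookie to replay.
    seed = b"constructed-totp-seed"
    now = int(time.time())
    relayed_code = totp(seed, now)                      # what the victim typed into the phish page
    stolen_cookie = totp_login(seed, relayed_code, now)  # issued to the proxy, not the victim
    results["totp_relayed_login"] = stolen_cookie is not None

    # 2. WebAuthn-style: the real site's challenge is forwarded to the victim, but the
    #    victim's browser signs PHISH_ORIGIN because that is where it is. The real site
    #    rejects the assertion even though the challenge and credential are correct.
    cred_key = b"constructed-credential-key"
    challenge = secrets.token_hex(16)                   # issued by the real site, forwarded by proxy
    victim_assertion = client_sign(cred_key, challenge, PHISH_ORIGIN)
    results["fido_relayed_login"] = rp_verify(cred_key, challenge, victim_assertion)

    # 3. Control: the same credential logging in directly at the real origin works.
    direct_assertion = client_sign(cred_key, challenge, LEGIT_ORIGIN)
    results["fido_direct_login"] = rp_verify(cred_key, challenge, direct_assertion)
    return results

if __name__ == "__main__":
    for k, v in simulate_proxy_phish().items():
        print(f"{k}: {v}")
```

The point the simulation makes is that the origin check in `rp_verify` is performed by software on the relying-party side and the origin value is supplied by the browser, so there is no decision the user can be talked into that makes the phished assertion valid. With TOTP there is nothing for the server to check except the code itself, which is why the relay succeeds.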
Microsoft recently reported that over 10,000 organizations had been targeted by a similar MFA-bypassing technique.
There are dozens of other types of phishing attacks that fool or get around MFA. Here are summary descriptions of a few others:
- Malicious actor pretends to be a vendor and sends you an SMS message asking you to forward an SMS code that they are supposedly sending to you in a different thread. See CSO Online for an example.
- Push-based MFA can be bypassed because a sizable percentage of the user base will unwittingly approve a login prompt for a login they are not actively performing (sometimes called push bombing or MFA fatigue). Sounds crazy, but it is a big problem.
- Social engineering a victim into downloading malware, which then captures the user’s MFA code (or the session token issued after login) so that it can be replayed from the attacker’s computer.
- Social engineering tech support into performing a SIM swap, or into letting the attacker take over your account directly.
It is pretty clear that most MFA solutions can be socially engineered around as if they were not even there. The main reason most users are moving from passwords to MFA is to significantly reduce the risk of phishing and social engineering. Moving to any MFA solution takes a lot of effort, expense and time. Is it worth all that time and expense if the MFA solution you moved to can be easily phished? No!
But Won’t Any MFA Save Us?
Now many vendors will tell you that any MFA is good and that using any MFA significantly reduces your risk of being successfully attacked. They are correct, but only for a very short time period. Today, most social engineering attackers do not specifically account for potential victims using MFA. About half of social engineering emails ask the potential victim to submit their password. That means if you are using MFA, a request that captures only your password is far more likely to fail than to succeed (although many of the same emails also try to trick the user into downloading malicious content).
The problem is that hackers are quickly accounting for the increased use of MFA. Millions of people using MFA have been successfully hacked. Most of today’s attacks are morphing to anticipate that MFA may be in use, account for that type of authentication, and work nevertheless. Today, thousands of automated programs and bots routinely look for and bypass MFA. It does not take a human adversary to get around MFA; it is automated now, and the victims number in the hundreds of thousands.
And as more and more people move to MFA, as is happening in droves right now, attackers will look harder at ways to abuse and bypass it. It takes defenders years to get the right defenses in place. It takes attackers mere minutes to update their attacks. So, while there is some temporary protection in using “any MFA”, it is clear that most of it can be phished and bypassed just as easily as logins using passwords. And that is bad. It asks users to accept harder-to-use authentication (i.e., MFA) without getting much more protection. Even worse, most users thought, or were even told, that using MFA would make them far less likely to be phished and hacked, and for most of today’s MFA solutions that just is not true.
The U.S. Government Says Do Not Use Easily-Phishable MFA
It is not just KnowBe4 that is worried about this. The U.S. government has said this since 2017, when NIST SP 800-63B designated SMS-based and voice call-based out-of-band authentication as “restricted” and advised against relying on it. Then in 2021 and 2022, they said not to use easily phishable MFA, including one-time codes and push-based notifications. The 2021 Presidential executive order (EO 14028) was followed by an OMB zero trust memo (M-22-09), drafted in 2021 and finalized on Jan. 26, 2022, which states: “For routine self-service access by agency staff, contractors and partners, agency systems must discontinue support for authentication methods that fail to resist phishing, such as protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.”
What they, and KnowBe4, are saying is “Do not buy or use easily phishable MFA, when possible!” Our society collectively needs to say we will not accept or use easily-phishable MFA. We should not force users and organizations to use MFA solutions that are easily phished and bypassed. We deserve better. We should demand better.
So, what should we do?
First, when possible, do not buy or use easily phishable MFA. You often do not have a choice; it is forced upon you by the vendor or service. But when you can, avoid easily phishable MFA. If you are going to implement MFA, use a phishing-resistant solution. If you are not sure whether an MFA solution you are using is easily phishable, walk through the examples above and ask whether a proxy or a social engineer could capture and relay the second factor the same way. If you are still not sure, ask your MFA vendor to read this article and explain why their solution would or would not be easily phishable.
Note: I maintain an updated list of known phishing-resistant MFA solutions.
If your current MFA solution is susceptible to easy phishing, share your concerns with your vendor and ask them to implement features and protections that prevent easy phishing; or consider moving to a more phishing-resistant solution.
No matter what type of MFA you are using, easily phishable or not, but especially if you are using easily phishable MFA, educate yourself, management, buyers and users (all stakeholders) about the strengths and weaknesses of the solution in use or under consideration. If your solution can be easily phished, it is very important to share that with everyone using it. Share examples of how it can be phished and teach users how to avoid being successfully phished (which usually means making sure any link they click on is the real, legitimate link). If you have push-based MFA, make sure users understand that they should never approve login requests they did not initiate, and should report unexpected prompts to IT security. Users of SMS-based MFA should understand the various attacks against SMS, and so on.
We should not be using easily phishable MFA! We need to reject easily phishable MFA and force more vendors to make more secure MFA solutions.