How MFA Can Be Used Against You
Join the DZone community and get the full member experience.Join For Free
When signing in to a device or application, you are often asked for proof of identity, though a password or key, or even proof of ownership of another device that could be used to verify your identification. Another tool often used is biometrics, such as a fingerprint. MFA, or multi-factor authentication, is employed by asking for more than one of these tactics. This is very helpful when a password is compromised, or even if you forgot your password. When multi-factor authentication is implemented, it prompts the user for a password, as well as proof of ownership, which can be accessed from another personal device, such as a phone number or email address.
MFA Bypass Techniques
Most MFA implementations prompt a user to authenticate using both a password and an authorization code (usually delivered via email or SMS). If an application implements this MFA flow incorrectly, attackers can exploit weaknesses in the authentication flow to bypass MFA. Let's take a look at the different ways this can happen.
What happens if an attacker can log in via an alternative authentication mechanism that does not require MFA? For example, an application’s password reset functionality automatically logs you in after password reset. If password reset does not require MFA, attackers can use this functionality as an alternative way into the application.
Attackers may also exploit shared authentication systems. If another site of the same SSO (Single Sign-On) system does not require MFA, attackers could log into that site to bypass MFA.
If an attacker can compromise a user’s SSO password, they can log into the user’s account on Site B by logging into Site A, easily bypassing MFA.
Application Logic Errors
Sometimes, attackers can defeat MFA by simply exploiting application logic errors in the authentication process. A common logic error that compromises MFA is the “skippable authentication step”, which allows users to skip a step in the authentication process.
For example, let’s say an application implements a three-step login process. First, the application checks the user’s password. Then, the application sends an MFA code to the user and verifies it. Finally, the application asks a security question before logging the user in. I have seen incidences where users can reach step 3 in the authentication sequence without clearing step 1 and step 2. Sometimes, all the attacker has to do is to manipulate the site’s URL and request the page of a later stage directly.
Let’s say that the final stage of authentication is located at
example.com/security_questions. Could attackers request
example.com/security_questions directly without the MFA redirect?
Forging Recognized Devices
Some applications do not require MFA from “recognized devices” or devices where users have logged in before. This is sometimes called "adaptive multi-factor authentication (aMFA). In this case, attackers can try to figure out how the application recognizes a device, and forge the signature of a “recognized device”. For example, if a site marks recognized devices by using a predictable cookie, attackers can add the cookie value to their requests.
Understanding how your aMFA technology works is incredibly important for preventing potential MFA vulnerabilities.
Authorization Code Design Flaws
Attackers may also take advantage of poorly designed code generation and validation systems. Since MFA codes are often four to six-digit numbers, attackers may brute force the codes if no rate limiting is in place. Alternately, if an application does not invalidate each code after use, attackers may reuse previous codes. And, if codes are not randomly generated, attackers may also try to reverse the generation algorithm.
Other Attack Vectors
Other attack vectors are difficult to prevent and can happen even if the MFA implementation is faultless. One of these vectors is SIM swapping, in which attackers port the victim’s phone number to a phone they own. Attackers can also bypass MFA by launching a Man-In-The-Middle (MITM) attack or otherwise hijacking the user’s session. Finally, attackers can phish for the MFA code.
Preventing MFA Attacks
Multi-factor authentication adds to the security of your application only if implemented correctly. You can outsource MFA to a third-party provider like Okta Verify, Authy, or Google Authenticator. Despite these potential security flaws, MFA attacks are rarely scalable. Implementing MFA on your application whenever possible is still a safe bet to preventing most account takeover attacks.
Published at DZone with permission of Vickie Li, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.