Not All MFA Is Equal: Lessons From MFA Bypass Attacks
Simply having MFA isn't enough if it can be bypassed. Here are some tips to move to phishing-resistant MFA without adding undue user friction.
One-time passwords are one of the most relied-on forms of multi-factor authentication (MFA). They’re also failing miserably at keeping simple attacks at bay. Any shared secret a user can unknowingly hand over is a target for cybercriminals, even short-lived TOTPs.
Consider this: What if the multi-factor authentication your users rely on couldn’t save your organization from a large-scale account takeover? That’s what happened to an organization using SMS one-time passwords to secure customer accounts. We’ll call the affected organization “Example Company,” or EC for short.
By deploying a replica of the real EC login page and a “spoofed” URL — a similar-looking (but fake) web address — threat actors intercepted user credentials and OTPs in real time. This allowed them to authenticate on the legitimate site, granting full account access and, via the “remember me” function, potentially persistent tokens or cookies.
Figure 1: SMS MFA bypass attack using MITM tactics
This is not an isolated incident. Numerous high-profile breaches highlight the glaring insufficiency of traditional MFA implementations. Don’t get the wrong idea, though: two factors are still better than one. As Slavik Markovich asserts in SC Magazine, “MFA implementation remains an essential pillar in identity security.” He further points out that “when properly configured, MFA blocks 99% of attacks.”
Snowflake, a cloud data provider serving large enterprises like AT&T, is still reeling from a breach involving user credentials — reportedly without MFA in place. AT&T paid a whopping 5.7 Bitcoin ($370,000 USD at the time of payment) ransom to the cybercriminals responsible, a deal struck for deleting the stolen data. Could MFA have saved the telecom company over a quarter million? It would have certainly made it much harder to abscond with 109 million customers’ call and text messaging metadata.
Yet, despite the effectiveness of MFA, adoption lags. A recent Wall Street Journal article highlights this gap, quoting Keeper Security CTO Craig Lurey: “MFA isn’t always easy. Older technology might not be able to run the software necessary for MFA.” Users, too, are to blame, Lurey told the Journal, noting they “push back against MFA as cumbersome.”
With MFA adoption meeting such resistance, it’s a tough pill to swallow when some implementations are still phishable and vulnerable to attack. To better defend against attacks that can defeat vulnerable MFA implementations, we need to understand how these tactics tick.
The Anatomy of an SMS MFA Bypass Attack
The threat actor that targeted EC, the company in my initial example, didn’t use sophisticated methods to overwhelm network infrastructure or exploit a backdoor. They went after unsuspecting users, tricking them into handing over credentials on an impostor login page. After prompting the real site to send an MFA challenge to users’ phones, it was a simple matter of collecting the SMS OTPs and logging in.
This method, known as a man-in-the-middle (MITM) attack, is increasingly common. While some MFA bypass tactics like prompt bombing and basic social engineering rely on the naivety of users, a pixel-perfect MITM attempt can be much more convincing — yet still deviously simple. The attacker doesn’t need to hijack a session, steal cookies, or swap a SIM card.
Here’s a breakdown of a typical MITM attack:
- The threat actor creates (or purchases a kit containing) a convincing imitation of a genuine login page, often using a domain name that looks similar to the real one.
- Users are lured to this site, usually through phishing emails or malicious ads.
- When a user enters their credentials, the attacker captures them.
- If MFA is required, the legitimate site sends a one-time code to the user.
- The user, still connected to the fake site, enters this code, which the cybercriminal then uses to log in on the real site.
The genius of MITM attacks, and their danger, is their simplicity: no breaking encryption, no brute-forcing passwords. Instead, the attack leverages human behavior and the limitations of certain MFA methods, particularly those relying on one-time passwords with a longer lifespan.
But what makes this tactic particularly insidious is that it bypasses MFA in real time. The user thinks they’re going through a normal, secure login process, complete with the anticipated MFA step. In reality, they’re handing over their account to a cybercriminal.
Simple MITM attacks are significantly easier for novice attackers to pull off than the increasingly popular AITM (adversary-in-the-middle) variants, which typically require an indirect or reverse proxy to collect session tokens. However, with AITM kits readily available from open-source projects like EvilProxy and the PhaaS (phishing-as-a-service) package from Storm-1011, more complex approaches are within reach of script kiddies willing to learn the basics.
Not All MFA Is Created Equally
MFA might have prevented or contained the Snowflake breach, but the outcome might also have looked like that of TTS, the travel platform. The harsh reality is that not all MFA is created equally. Some popular current methods, like SMS OTPs, are simply not strong enough to defend against increasingly advanced and persistent threats.
The root of the problem lies with the authentication factors themselves. Knowledge-based factors like passwords and OTPs are inherently vulnerable to social engineering. Even inherence factors can be spoofed, hijacked, or bypassed without proper safeguards. Only possession factors, when properly implemented using public key cryptography (as with FIDO2/U2F or passkeys), offer sufficient protection against MFA bypass attacks.
Case in point: TTS, our travel platform example, used SMS OTPs. It’s technically MFA, but it’s a weak variant. It’s high time we faced the fact that SMS was never intended to be used as a security mechanism, and text messages are always out-of-band. Apart from the direct threat of SIM swaps, SMS OTPs time out more slowly than their TOTP authenticator app counterparts, which makes them magnets for phishing.
The same weaknesses are present in email and authenticator app OTPs: assume that anything a user can see and share with a cybercriminal will be a target. Magic links could have helped in both breaches we discussed because they don’t require manual input. An attacker positioned as a man in the middle wouldn’t be able to intercept a magic link; instead, they’d be forced to breach the target user’s email account.
This underscores a painfully obvious issue at the core of our MFA landscape: shared, transferable secrets. Whether it’s an SMS, email, or even time-based OTP from an authenticator app, these methods all rely on a piece of information that can be knowingly (or unknowingly) shared by the user. Same-device authentication is the only way to increase the certainty you’re dealing with the person who initiated the MFA challenge.
The Key to Secure MFA Is in Your User’s Device
Possession-based authentication offers a promising solution to the problems posed by out-of-band MFA. With device-enabled auth methods creating reliable, secure ecosystems, the “what you have” factor is open to anyone with a capable smartphone or browser.
In today’s threat landscape, the key to stopping MFA bypass attacks is in your user’s device. Here’s why:
- No shared, transferable secrets: Unlike OTPs, there’s no code for users to manually enter or click. The authentication process happens through device-bound properties that can’t be intercepted or duplicated.
- Genuine same-device authentication: Biometrics or a PIN can prove presence, but more significantly, they ensure it’s all happening on the same device.
- Phishing resistance: Since there’s no secret for unsuspecting users to type into a spoofed page, phishing attempts become largely pointless. A fake login page can’t steal a user’s smartphone.
- Smoother UX: Users don’t need to wait for (or miss) SMS messages and emails, or copy codes from an app. A simple PIN or biometric verification is all it takes.
- Reduced reliance on out-of-band ecosystems: SMS, email, and authenticator app OTPs may be convenient, but they’re a nightmare when a threat actor gets through.
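The relay flow in the MITM breakdown above and the “no shared, transferable secret” property of device-bound authentication can both be seen in one small server-side model. This is an added example, not code from the article or any named vendor; the domains and the six-digit code are constructed, and an HMAC under a device-held key stands in for the authenticator’s real ECDSA signature so the example runs with the standard library alone. The point it shows is which inputs the server’s check actually covers: an OTP check covers only the code string, so a relayed code passes, while a WebAuthn-style assertion covers the browser-supplied origin and the hash of the relying-party ID, so an assertion produced on a lookalike page is rejected.

```python
"""Why a relayed OTP passes server checks while a relayed WebAuthn-style assertion does not.
Added example; HMAC models the authenticator's signature (the real thing is ECDSA over the
same bytes, verified with a stored public key). Domains and codes are constructed."""
import hashlib, hmac, json, os

RP_ID = "login.example.com"                      # constructed relying-party ID
GENUINE_ORIGIN = "https://login.example.com"
LOOKALIKE_ORIGIN = "https://login-examp1e.com"   # constructed phishing origin

# --- OTP path: the server can only compare the code string it receives ----------------
def otp_server_verify(expected_code: str, submitted_code: str) -> bool:
    return hmac.compare_digest(expected_code, submitted_code)

# --- WebAuthn-style path: the browser, not the user, fills in the page origin -----------
def authenticator_sign(device_key: bytes, challenge: str, page_origin: str) -> dict:
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    # rpIdHash covers the domain the page is actually on; a lookalike site cannot
    # request credentials scoped to the genuine domain, so its hash differs.
    rp_id_hash = hashlib.sha256(page_origin.split("://", 1)[1].encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "rp_id_hash": rp_id_hash,
            "sig": hmac.new(device_key, signed, hashlib.sha256).digest()}

def rp_verify(device_key: bytes, challenge: str, assertion: dict) -> bool:
    """Relying-party checks, in WebAuthn order: challenge, origin, rpIdHash, signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != GENUINE_ORIGIN:               # phishing origin fails here
        return False
    if assertion["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(device_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

def relay_scenarios() -> dict:
    """Same user, same relay through a lookalike page, two different second factors."""
    code = "482913"                                       # constructed SMS OTP
    otp_relayed = otp_server_verify(code, code)           # attacker re-types the code
    key, challenge = os.urandom(32), os.urandom(16).hex()  # device key, server challenge
    relayed = authenticator_sign(key, challenge, LOOKALIKE_ORIGIN)  # signed on fake page
    genuine = authenticator_sign(key, challenge, GENUINE_ORIGIN)    # signed on real page
    return {"otp_relay_accepted": otp_relayed,
            "assertion_relay_accepted": rp_verify(key, challenge, relayed),
            "genuine_assertion_accepted": rp_verify(key, challenge, genuine)}
```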
Admittedly, there are some adoption hurdles that we need to face. Transitioning to these newer, more secure MFA methods can pose financial challenges when organizations update their infrastructure. It can cause uncertainty among uninformed users who view biometric authentication with skepticism (which is often misplaced when it comes to FIDO authentication). However, moving to device-based MFA is a necessary, essential step for companies with vulnerable user populations still using OTPs for MFA.
For organizations serious about security, it’s not worth waiting for an expensive MFA bypass attack. The cost of a modern solution is fractional when compared to the reputation loss and financial burden of a breach. Despite the minor roadblocks to adoption, it’s up to security leaders to lead the charge toward safer, possession-based MFA — and far, far away from shared secrets.