Multi-Factor Authentication: How It Works, Why It’s Important and How It Can Be Hacked

Verifying users’ identity through multi-factor authentication (MFA) is an effective way to enhance login security and prevent fraudulent sign-ins. Our MFA guide covers the different factors used in multi-step logins, common pitfalls during MFA implementation and some of the methods hackers use to bypass multi-factor authentication.

What Is Multi-Factor Authentication?

Multi-factor authentication or MFA refers to login procedures that require users to verify their identity through additional steps beyond just their username and password. Additional safeguards such as a one-time password generated through a smartphone app make it harder for attackers to take control of accounts. In theory, they would need access to both a user’s basic credentials as well as their mobile phone or email address. In practice, there are a few methods cybercriminals can use to either break or bypass MFA.

There are different methods of identity verification (i.e. factors) that can be used to implement multi-factor authentication. The most common methods for MFA/2FA are:

  • Something you know: passwords, birth dates, social security numbers, security questions

  • Something you have: key cards, hardware tokens, smartphones with authenticator apps

  • Something you are: facial recognition, voice recognition, fingerprints, biometric data

For the best results, MFA should be based around two or more factors from different categories. Requiring two different passwords, for example, does very little to improve security, since hackers could steal both of them through similar methods. The goal of multi-factor authentication is to make it as difficult as possible for attackers to hijack an account, without creating too many barriers for legitimate users.

Time & Location as MFA Factors

Aside from the three main categories of knowledge, possession and inherent characteristics, some sources also list time and location as factors for multi-factor authentication. Most experts, however, consider these attributes too weak to verify a user's identity on their own, so neither should serve as the only second factor in a two-step login.

Time and location can, however, serve as a third or fourth check for additional security or provide a basis for context-based risk analysis. The circumstances surrounding a login attempt help security systems enforce login policies (no sign-ins outside of office hours) or identify suspicious activity (logins from other countries or continents).
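What "context-based risk analysis" looks like in code, as an added example (not from this article or from tenfold): a login attempt that has already passed its primary factors is scored against office hours, the country it comes from and the distance to the previous login, and the result decides whether to allow it, demand an additional factor or refuse it. The policy values, the coordinates and the sample logins are all constructed for illustration, and timestamps are assumed to already be in the office's local time zone.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

# Assumed policy values for this example; tune them to your own environment.
OFFICE_HOURS = range(7, 20)           # 07:00-19:59 in the timestamps' (local) time zone
HOME_COUNTRIES = {"AT", "DE"}         # countries this organisation's staff normally log in from
MAX_PLAUSIBLE_SPEED_KMH = 900.0       # faster than a scheduled flight means impossible travel


@dataclass
class Login:
    user: str
    at: datetime        # naive local time, assumed converted to the office time zone
    country: str        # ISO 3166-1 alpha-2, e.g. from IP geolocation
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess(current: Login, previous: Optional[Login]) -> Tuple[str, List[str]]:
    """Evaluate the context of a login that already passed its primary factors.
    Returns (decision, reasons); decision is 'allow', 'step_up' (demand another
    factor) or 'deny'. Time and location never replace a factor here, they only
    decide how much additional scrutiny the attempt gets."""
    reasons: List[str] = []

    if current.at.hour not in OFFICE_HOURS:
        reasons.append("outside office hours")
    if current.country not in HOME_COUNTRIES:
        reasons.append("login from unusual country %s" % current.country)

    if previous is not None:
        km = haversine_km(previous.lat, previous.lon, current.lat, current.lon)
        hours = (current.at - previous.at).total_seconds() / 3600.0
        # Could the same person physically have made this trip since the last login?
        if km > 50.0 and 0 <= hours < km / MAX_PLAUSIBLE_SPEED_KMH:
            reasons.append("impossible travel: %.0f km in %.1f h" % (km, hours))
            return "deny", reasons          # not merely suspicious, refuse and alert

    return ("step_up" if reasons else "allow"), reasons


# Constructed sample events for one user.
VIENNA_MORNING = Login("alice", datetime(2024, 3, 4, 9, 0), "AT", 48.21, 16.37)
SINGAPORE_TWO_HOURS_LATER = Login("alice", datetime(2024, 3, 4, 11, 0), "SG", 1.35, 103.82)
MUNICH_LATE_NIGHT = Login("alice", datetime(2024, 3, 4, 23, 30), "DE", 48.14, 11.58)

if __name__ == "__main__":
    print(assess(VIENNA_MORNING, None))                          # ('allow', [])
    print(assess(SINGAPORE_TWO_HOURS_LATER, VIENNA_MORNING))     # ('deny', [...])
    print(assess(MUNICH_LATE_NIGHT, VIENNA_MORNING))             # ('step_up', ['outside office hours'])
```

Note that the "impossible travel" branch denies rather than stepping up: a second factor relayed through a phishing proxy would pass a step-up challenge just as easily, whereas the physical impossibility is evidence on its own.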

What Makes Multi-Factor Authentication So Important?

The importance of multi-factor authentication can be summarized in a single number: According to Microsoft, more than 99.9% of compromised accounts in services like Azure AD and Microsoft 365 did not have MFA enabled. In other words, the risk of having your account taken over is far greater with password-only authentication than with a two-step login.

The Problem with Passwords

The reason behind this lopsided statistic is fairly simple: Although nearly every website, application and digital service in the world relies on passwords, they offer far less protection than users assume. To cope with dozens of logins, most people choose weak passwords: short, simple phrases made of common words, often reused across several services. Dictionary and brute-force attacks crack these in minutes.

But even complex passwords can be easily circumvented using leaked credentials from previous breaches, keyloggers that record your typing or phishing campaigns that convince users to hand over their login info voluntarily. In most attack scenarios, password strength does not matter. At least, it makes far less of a difference than adding another, independent security check does.

Image: Employee entering credentials into a login prompt. Caption: When it comes to passwords, most users follow the path of least resistance. (Adobe Stock, (c) khunkorn)

The Passwordless Future?

Programmers and security experts are well aware that, put simply, passwords suck. They’re awkward to use, a hassle to remember and not particularly secure. Considering all these downsides, the end of passwords has been predicted many times over: In the glorious, passwordless future, users will prove their identity using credential tokens stored in decentralized wallets based on blockchain technology. Or maybe we’ll all carry FIDO keys wherever we go.

Despite the existence of safer methods of identity verification, even ones that are theoretically easier to use, passwords have managed to stick around long past their predicted end. And it seems likely that they’ll serve as the first step of login security for many years to come. Again, the reason is pretty simple: Think of the least tech-savvy person at your current job. Can you picture them successfully using a digital identity wallet or migrating passkeys to a new phone? Yeah, neither can I.

How Secure Is Multi-Factor Authentication?

How secure multi-factor authentication is in practice depends on how it is implemented on both a technical and organizational level. While the use of MFA is a vast improvement over basic authentication methods, it’s important to realize that not all MFA is the same. Here are a few things to keep in mind to make MFA as secure as possible:

  1. Use different factors: A combination of factors from different categories, such as knowledge and possession, offers the biggest security advantage. Using multiple factors of the same type (such as a password and security questions) makes it easier for attackers to acquire everything they need through a single method.

  2. Secure storage & use: In order for MFA to keep you safe, users need to treat keys, tokens and login information with the necessary level of care. Storing your one-time recovery codes in a plaintext file on your desktop, for example, is not a good idea. If you use hardware tokens such as FIDO keys, it's important to store them safely and maintain a detailed inventory so lost or stolen keys can be revoked promptly.

  3. Avoid weak factors: Not all MFA factors offer the same level of security. Security questions, for example, are considered a weak form of authentication because the correct answers are often easy to guess or research. SMS-based MFA is likewise considered unsafe: codes travel over the mobile network without end-to-end encryption and can be intercepted, and attackers can take over a phone number through SIM swapping. Prefer authenticator apps, and for the strongest protection use phishing-resistant factors such as FIDO2 security keys.

Security vs. Usability

As the rate of account takeovers and identity-based attacks continues to grow, login security is becoming an increasingly important concern. While it’s understandable to respond to this trend by looking for the most secure method of verification, there are other factors to consider. As important as MFA is from a security perspective, it should not block business processes or drive users crazy.

Organizations that enforce MFA must strike the right balance between security and usability. This is for two reasons: First, restrictive safety measures can have a negative effect on productivity. If it takes your users forever to sign in to accounts, they have less time to focus on important tasks. Second, the more complex you make security controls, the bigger the temptation to circumvent them by writing down codes, asking coworkers to send credentials, etc.

MFA Vulnerabilities: How Hackers Bypass MFA

Although multi-factor authentication is a huge improvement over basic login methods, it does not offer 100% security. In fact, no technology does. With MFA quickly becoming the de facto standard for all sign-ins, cybercriminals are constantly searching for new ways to either break through multi-factor authentication (MFA hacking) or circumvent it (MFA bypass).

The methods hackers use to get around multi-factor authentication range from manipulation and social pressure to exploiting technical flaws like zero-day vulnerabilities or using compromised devices to spy on the sign-in process. You'll find an overview of the most common MFA attacks below.

1. Social Engineering

Social engineering attacks are intended to manipulate users into giving up sensitive information that can be used to take control of their account. This often takes the form of phishing mails that impersonate a legitimate service and ask the target to “verify” their personal data or link them to a fake login page.

To increase their chance of success, hackers create pressure by telling victims that inaction will have disastrous consequences. For example, phishing emails may claim that “Your account is at risk!” and that “urgent action is required”.

MFA fatigue attacks (also called push bombing) apply a different kind of pressure: An attacker who already has the password triggers push notifications over and over until the user approves the fraudulent login out of frustration or by accident. Number matching, where the user must enter a number shown on the login screen into the app, defeats this, as does rate-limiting prompts and alerting on bursts of denied pushes.
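The "alerting on bursts of denied pushes" part, as an added example (not from this article or from tenfold) of detection logic run over push-notification logs: a user who receives five or more prompts within ten minutes is flagged, and the finding is escalated if one of those prompts was approved. The log format, the thresholds and the sample lines are constructed for this example; map them to the push events your IdP actually emits before using the logic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

# Assumed detection thresholds: this many prompts inside the window is a burst.
BURST_COUNT = 5
BURST_WINDOW = timedelta(minutes=10)

# Constructed log format: "<ISO timestamp>Z push user=<name> result=<approved|denied|timeout>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z push "
    r"user=(?P<user>\S+) result=(?P<result>approved|denied|timeout)$"
)

# Constructed sample: alice is push-bombed at 2 a.m. and finally approves, carol is
# bombed but holds out, bob simply logs in twice during the day.
SAMPLE_LOG = """\
2024-03-04T02:10:05Z push user=alice result=denied
2024-03-04T02:10:40Z push user=alice result=denied
2024-03-04T02:11:15Z push user=alice result=denied
2024-03-04T02:12:02Z push user=alice result=timeout
2024-03-04T02:12:50Z push user=alice result=denied
2024-03-04T02:13:30Z push user=alice result=denied
2024-03-04T02:15:10Z push user=alice result=approved
2024-03-04T03:00:00Z push user=carol result=denied
2024-03-04T03:02:00Z push user=carol result=denied
2024-03-04T03:04:00Z push user=carol result=timeout
2024-03-04T03:06:00Z push user=carol result=denied
2024-03-04T03:08:00Z push user=carol result=denied
2024-03-04T09:00:00Z push user=bob result=approved
2024-03-04T17:30:00Z push user=bob result=approved
"""


def parse(lines: Iterable[str]) -> Iterable[Tuple[datetime, str, str]]:
    """Yield (timestamp, user, result) for every well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["user"], m["result"]


def detect_fatigue(lines: Iterable[str]) -> List[dict]:
    """One finding per user whose prompts form a burst. Severity is 'high' while
    the user keeps declining (the attacker has the password and is pushing) and
    'critical' once a prompt inside the burst is approved (the attacker is most
    likely in). Lines are expected in chronological order, as in a log file."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    findings: Dict[str, dict] = {}
    for ts, user, result in parse(lines):
        window = recent[user]
        window.append(ts)
        while window and ts - window[0] > BURST_WINDOW:   # slide the window forward
            window.popleft()
        if len(window) < BURST_COUNT:
            continue
        f = findings.setdefault(user, {"user": user, "severity": "high",
                                       "first_prompt": window[0], "prompts": 0})
        f["last_prompt"] = ts
        f["prompts"] = max(f["prompts"], len(window))
        if result == "approved":
            f["severity"] = "critical"
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_fatigue(SAMPLE_LOG.splitlines()):
        print(finding)
```

In practice the 'high' finding alone is worth a password reset: a burst of denied pushes means the attacker already holds the first factor, whether or not the user eventually gives in.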

2. Spoofing & Fake Sites

By copying the official login page of a service, scammers hope to trick users into completing the MFA process on their behalf. This attack often begins with a phishing mail that links to a nearly indistinguishable copy of a familiar website.

When the victim enters their username and password, a script (in current attacks, a reverse proxy running on the attacker's server) forwards the credentials to the legitimate site in real time and reaches the second stage of the login process. When the real site asks for additional verification, the MFA prompt is relayed to the fake site, so the user completes it for the attacker.

After the user enters the code or approves the push notification, they are usually redirected to a page citing some sort of technical issue. Meanwhile, the attacker's proxy has finished the login and, crucially, has also captured the session cookie the real site issued, so they do not need to log in again. Because the spoofed site sits between the account owner and the real site, this technique is known as an adversary-in-the-middle (AiTM) or man-in-the-middle attack. Any factor that can be typed or approved without reference to the site's domain (OTP codes, SMS codes, push approvals) can be relayed this way; only origin-bound factors such as FIDO2/WebAuthn security keys and passkeys resist it, because the signed response is tied to the real site's domain and the proxy's domain does not match.
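Why the relay works for OTP codes and fails for WebAuthn, as an added example (not from this article or from tenfold) that simulates both sides of the exchange. The two origins and the OTP value are constructed, and the credential "signature" is an HMAC stand-in for the authenticator's real public-key signature, an assumption made so the example runs without a crypto library. Everything else mirrors what the relying party (RP) checks: the browser, not the page, fills in the origin in clientDataJSON, and the RP rejects any origin other than its own. (In reality the browser would already refuse to use a credential scoped to a different RP ID; the example shows the server-side check.)

```python
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.com"          # constructed: the real service
PHISH_ORIGIN = "https://login.example-com.net"    # constructed: attacker's look-alike domain

# Stand-in for the credential key pair created at enrolment. A real authenticator
# signs with a private key that the RP verifies with the stored public key; an
# HMAC key is used here only so the example runs without a crypto library.
CREDENTIAL_KEY = secrets.token_bytes(32)

# Constructed: whatever the victim's authenticator app shows right now.
CURRENT_OTP = "482913"


def rp_check_otp(code: str) -> bool:
    """OTP verification has no idea which page the code was typed into."""
    return hmac.compare_digest(code, CURRENT_OTP)


def otp_relay_attack() -> bool:
    """The fake page simply forwards what the victim typed; the RP accepts it."""
    victim_typed_on_fake_page = CURRENT_OTP
    return rp_check_otp(victim_typed_on_fake_page)


def rp_new_challenge() -> str:
    return secrets.token_urlsafe(32)


def browser_client_data(challenge: str, origin: str) -> bytes:
    """clientDataJSON is assembled by the browser, which fills in the origin
    it is really on. Page JavaScript cannot override that field."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                      sort_keys=True).encode()


def authenticator_sign(client_data: bytes) -> bytes:
    """The credential key signs over the hash of clientDataJSON (real WebAuthn also
    covers authenticatorData, which carries the RP ID hash; omitted here)."""
    return hmac.new(CREDENTIAL_KEY, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()


def rp_verify_assertion(challenge: str, client_data: bytes, signature: bytes) -> bool:
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False
    if data.get("origin") != RP_ORIGIN:        # origin binding: this is what defeats AiTM
        return False
    if data.get("challenge") != challenge:     # fresh per login attempt, so no replay
        return False
    return hmac.compare_digest(authenticator_sign(client_data), signature)


def legitimate_webauthn_login() -> bool:
    challenge = rp_new_challenge()
    client_data = browser_client_data(challenge, RP_ORIGIN)
    return rp_verify_assertion(challenge, client_data, authenticator_sign(client_data))


def webauthn_relay_attack() -> bool:
    """The proxy fetches a real challenge from the RP and hands it to the victim,
    whose browser is on the phishing origin. The signature itself is valid, but
    it covers the wrong origin, so the RP refuses it."""
    challenge = rp_new_challenge()                          # obtained from the real RP
    client_data = browser_client_data(challenge, PHISH_ORIGIN)
    signature = authenticator_sign(client_data)             # the victim's key signs it
    return rp_verify_assertion(challenge, client_data, signature)


if __name__ == "__main__":
    print("OTP relayed through proxy accepted:", otp_relay_attack())          # True
    print("WebAuthn legitimate login accepted :", legitimate_webauthn_login())  # True
    print("WebAuthn relayed through proxy     :", webauthn_relay_attack())     # False
```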

3. Recovery Attacks

Another vulnerability commonly exploited in MFA attacks is the fact that many services use weaker forms of identity verification for account recovery than they do for sign-ins. In many cases, all you have to do to disable MFA and reset the account password is answer a security question or provide basic personal data. These can be easily acquired with a bit of research.

Account recovery cannot rely on a person having access to their normal method of multi-factor authentication. After all, people do lose their mobile phones. But that doesn’t change the fact that less strict checks make the recovery process a potential security risk. This is also true on the user side if one-time use recovery codes are improperly stored. Finally, recovery attacks can also take the form of fraudulent phone calls to tech support.

Image: Criminal making a scam call to customer support to disable MFA. Caption: “Hi, I locked myself out of my account, could you reset the password for me?” (Adobe Stock, (c) Elnur)

4. Session Hijacking

By hijacking an active session, attackers bypass the login process entirely: the service believes the authenticated session still belongs to the legitimate user. For web applications, this means stealing the session cookie (or bearer token) that identifies the session after login. Attackers can obtain it through info-stealing malware on the user's device, by intercepting network traffic or via a phishing proxy as described above. Cookie theft is difficult to spot because it is an unobtrusive process that does not require elevated privileges such as admin access.

Once criminals hold a stolen cookie, they can continue the session from another device until it expires. The risk and potential damage of attacks like these can be limited by enforcing idle and absolute session timeouts, requiring a fresh MFA challenge for changes to account settings (step-up authentication) and revoking all of a user's sessions when compromise is suspected. Online banking has long treated this as standard practice.
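The three mitigations above in one server-side session store, as an added example (not from this article or from tenfold): idle and absolute timeouts, a recency requirement on MFA before sensitive actions, and a revoke-everything switch. The timeout values, the list of sensitive actions and the timeline in `stolen_cookie_scenario` are constructed for this example.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed policy values for this example.
IDLE_TIMEOUT = timedelta(minutes=30)       # no request for this long: the session dies
ABSOLUTE_TIMEOUT = timedelta(hours=8)      # the session dies regardless of activity
RECENT_MFA_MAX_AGE = timedelta(minutes=5)  # how fresh the last MFA must be for sensitive actions
SENSITIVE_ACTIONS = {"change_password", "change_email", "add_mfa_device",
                     "disable_mfa", "view_recovery_codes"}


@dataclass
class Session:
    user: str
    created: datetime
    last_seen: datetime
    mfa_at: datetime


class SessionStore:
    """Server-side session table keyed by the opaque token carried in the cookie."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)      # unguessable; send it HttpOnly, Secure, SameSite
        self._sessions[token] = Session(user, now, now, now)
        return token

    def authorize(self, token: str, action: str, now: datetime) -> str:
        """Returns 'ok', 'unknown', 'expired' or 'step_up_required'."""
        s = self._sessions.get(token)
        if s is None:
            return "unknown"
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[token]          # a stolen cookie stops working by itself
            return "expired"
        s.last_seen = now
        if action in SENSITIVE_ACTIONS and now - s.mfa_at > RECENT_MFA_MAX_AGE:
            return "step_up_required"          # re-challenge before touching account settings
        return "ok"

    def record_mfa(self, token: str, now: datetime) -> None:
        """Call after a fresh MFA challenge succeeded for this session."""
        self._sessions[token].mfa_at = now

    def revoke_user(self, user: str) -> int:
        """On suspected compromise, kill every session of the user, not just one."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def stolen_cookie_scenario() -> List[object]:
    """Constructed timeline: legitimate use, a settings change that needs step-up,
    then the same cookie replayed after the idle timeout, then mass revocation."""
    t0 = datetime(2024, 3, 4, 9, 0)
    store = SessionStore()
    token = store.create("alice", t0)
    out: List[object] = []
    out.append(store.authorize(token, "read_mail", t0 + timedelta(minutes=10)))        # ok
    out.append(store.authorize(token, "change_password", t0 + timedelta(minutes=10)))  # step_up_required
    store.record_mfa(token, t0 + timedelta(minutes=11))
    out.append(store.authorize(token, "change_password", t0 + timedelta(minutes=12)))  # ok
    out.append(store.authorize(token, "read_mail", t0 + timedelta(minutes=50)))        # expired (idle 38 min)
    out.append(store.authorize(token, "read_mail", t0 + timedelta(minutes=51)))        # unknown
    second = store.create("alice", t0 + timedelta(minutes=52))
    out.append(store.revoke_user("alice"))                                            # 1
    out.append(store.authorize(second, "read_mail", t0 + timedelta(minutes=53)))      # unknown
    return out


if __name__ == "__main__":
    print(stolen_cookie_scenario())
```

The step-up check is what turns a stolen cookie from a full account takeover into a read-only window: the attacker can browse until the idle timeout hits, but cannot change the password, swap the e-mail address or enrol their own MFA device without passing a fresh challenge they do not control.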

Enforcing Account Security with Identity Management

Many MFA vulnerabilities can be mitigated through the right countermeasures: phishing filters, session time-outs, lockouts or rate limits after failed login attempts. But even if your organization follows all recommendations and best practices for multi-factor authentication, you can never rule out a successful attack on an account in your network. Aside from technical exploits, the human factor alone makes total security impossible.

As part of their security strategy, organizations must also plan for the worst case scenario: What happens if an attacker manages to bypass login security? Which systems and applications are at risk if they gain access to one of your accounts? To minimize the risk and damage of cyberattacks, modern approaches to cybersecurity such as zero trust and least privilege are based on granting each user the least amount of access needed for their job.

To enforce this policy, companies must match each user’s access rights to their business role. That means permissions must be added, updated and removed whenever a user joins, leaves or takes on additional responsibilities. Of course, these changes not only have to be logged for future review, but also synced to every relevant application in your IT infrastructure: Active Directory, Microsoft 365, your HR software and other business-critical applications.

If the prospect of implementing all these changes manually is making your head spin: Don’t worry! The good news is that identity and access management solutions like tenfold automate the entire process of updating accounts and permissions (also known as user lifecycle management). This allows your IT staff to focus on more important tasks while maintaining a big picture view of your access landscape. Thanks to central permission reporting that breaks down data from all connected systems, you’ll always know who in your organization has access to what.


About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.