What’s Wrong with MFA

This is the second part of my Back-to-Basics MFA mini-series.

Having spent last week’s article telling you how great Multi-factor Authentication is and how you and everyone in your organisation needs to use it for every service that offers it, today we are going to look at one of the common ways hackers exploit MFA.

The Hackers and MFA First

By far the most common MFA attack threat actors use is the “MFA Fatigue Attack”. It is a very simple social engineering attack that can be easily automated by the threat actors – it annoys your users so much that they just open the authenticator app and let the threat actors in for a quiet life. The attack depends on the hackers having a valid set of compromised credentials, often gained through other social engineering attacks and deceptions. With these compromised credentials the automated hacking tools will repeatedly try to gain access to the vulnerable account, triggering an MFA prompt on the user’s authenticator app each time. At first the user may just ignore the request, but when the bogus request is made again and again at inconvenient times, sometimes backed up with an “explanation from the IT department” – emailed by the hackers – a user may well let their guard down and allow the threat actors access by approving one of these rogue authenticator requests.

When you read this explanation, I am sure you are thinking “No-one would do that” – well they do, ask Uber. (Gatlan, 2022)

One more thing – remember that for you to receive an MFA alert at all, the hackers must already have your credentials, which means your password is compromised. Take action and get the password changed.
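The pattern described above, a burst of unanswered or denied prompts followed by a grudging approval, is visible in authentication logs. The following is an added example, not code from the original article or from any vendor: it runs a simple detector over constructed sample push events (the field layout and the threshold of three prompts in fifteen minutes are assumptions for illustration).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real telemetry).
# Each row: ISO timestamp, user, outcome of the push prompt.
SAMPLE_EVENTS = [
    ("2024-03-01T02:00:05", "alice", "denied"),
    ("2024-03-01T02:03:10", "alice", "timeout"),
    ("2024-03-01T02:06:40", "alice", "denied"),
    ("2024-03-01T02:09:15", "alice", "denied"),
    ("2024-03-01T02:12:00", "alice", "approved"),   # user gave in
    ("2024-03-01T09:15:00", "bob", "denied"),       # one mis-tap, then a normal login
    ("2024-03-01T09:15:40", "bob", "approved"),
    ("2024-03-01T08:00:00", "carol", "denied"),     # two denials hours apart
    ("2024-03-01T11:30:00", "carol", "denied"),
]


def parse_events(rows):
    """Turn the raw rows into (datetime, user, outcome) tuples."""
    return [(datetime.fromisoformat(t), u, o) for t, u, o in rows]


def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=15)):
    """Return {user: [(alert_type, time), ...]}.

    'fatigue_burst' fires when `threshold` prompts in `window` were denied or
    timed out; 'approved_after_burst' fires when an approval lands while such a
    burst is still inside the window, the outcome the article warns about.
    """
    by_user = defaultdict(list)
    for ts, user, outcome in sorted(events):
        by_user[user].append((ts, outcome))

    alerts = {}
    for user, rows in by_user.items():
        recent_failed = []  # timestamps of denied/timed-out prompts still in window
        for ts, outcome in rows:
            recent_failed = [t for t in recent_failed if ts - t <= window]
            if outcome in ("denied", "timeout"):
                recent_failed.append(ts)
                if len(recent_failed) == threshold:  # alert once per burst
                    alerts.setdefault(user, []).append(("fatigue_burst", ts))
            elif outcome == "approved" and len(recent_failed) >= threshold:
                alerts.setdefault(user, []).append(("approved_after_burst", ts))
    return alerts


if __name__ == "__main__":
    for user, hits in detect_mfa_fatigue(parse_events(SAMPLE_EVENTS)).items():
        print(user, hits)
```

Only alice is flagged: bob's single denial and carol's two denials hours apart never reach the threshold inside the window.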

Your Users, the Microsoft Authenticator App and MFA

The obvious answer to this issue is team training, so your users are aware of this and the many other regularly used social engineering and phishing attacks. However, even Microsoft has recognised that this is not always 100% successful, as from time to time users make mistakes – this does not make them the “weakest link” in your cyber security. Mistakes happen, manage them. What Microsoft has done is to add another layer to their Authenticator app that blocks suspicious alerts by default – stopping the alerts from even showing on the user’s device. This includes MFA fatigue attacks. (Toulas, 2023)

…however there is one more thing to remember!

Whatever is put in place today to protect us from the threat actors will be slowly eroded as the hackers work out ways around the mitigation or develop new attacks. So you still need the cyber security awareness training!


Clive Catton MSc (Cyber Security)

References

Gatlan, S. (2022, September 20). Uber links breach to Lapsus$ group, blames contractor for hack. BleepingComputer. https://www.bleepingcomputer.com/news/security/uber-links-breach-to-lapsus-group-blames-contractor-for-hack/

Toulas, B. (2023, November 7). Microsoft Authenticator now blocks suspicious MFA alerts by default. BleepingComputer. https://www.bleepingcomputer.com/news/security/microsoft-authenticator-now-blocks-suspicious-mfa-alerts-by-default/

Further Reading

Back to Basics – MFA (pt.1)
