
MFA Bypass - Techniques That Defeat Multi-Factor Auth


MFA bypass is the collective term for attack techniques that circumvent multi-factor authentication (MFA) to gain unauthorized access. MFA is a far stronger defense than a password alone, but the belief that "deploying MFA makes you safe" is dangerous. Attackers keep developing techniques that exploit weaknesses in MFA implementations and in human psychology, and since 2022 a series of large-scale breaches involving MFA bypass has occurred.

AiTM (Adversary-in-the-Middle) Attacks

An AiTM attack is a technique in which the attacker places a reverse proxy between the user and the legitimate site and relays the entire authentication process. The password and MFA code entered by the user are forwarded to the legitimate site in real time, and the session token issued after successful authentication is stolen.

Victim -> [ID + password + MFA code] -> Attacker proxy -> [relays credentials] -> Legitimate site
Legitimate site -> [authentication succeeds] -> Token theft (by the proxy) -> Session takeover

Evilginx2 is an open-source tool that automates AiTM attacks, handling everything from generating the phishing page to extracting the session token in one place. The attacker only needs to load the stolen token into their own browser to access the account with a session that has already passed MFA. It is a form of session hijacking, but it is more serious than conventional techniques because it bypasses MFA entirely.

MFA Fatigue Attacks - The 2022 Uber Case

An MFA fatigue attack (MFA Fatigue / MFA Bombing) is a social engineering technique that targets push-notification MFA. The attacker repeatedly attempts to log in with a stolen password, bombarding the victim's smartphone with a flood of push notifications. By persistently sending notifications late at night or in the early morning, the attacker waits for the victim to mistakenly tap "Approve."

In the September 2022 Uber breach, an 18-year-old attacker broke through an employee's MFA using this technique. After sending a flood of push notifications late at night, the attacker reportedly contacted the employee on WhatsApp posing as IT support, saying "the notifications won't stop unless you approve," and got the employee to approve. This incident brought the dangers of MFA fatigue attacks to the world's attention and prompted Microsoft and Okta to introduce Number Matching for push notifications. We explain this in detail in our article on MFA fatigue attacks.

SMS OTP Theft via SIM Swapping

SIM swapping is a technique in which the attacker tricks the mobile carrier into transferring the victim's phone number to a SIM the attacker controls. Because the OTP (one-time password) sent via SMS then arrives on the attacker's device, SMS-based MFA is completely nullified. Many high-profile incidents have been reported, such as the 2019 hijacking of Twitter CEO Jack Dorsey's account and thefts of customer assets from cryptocurrency exchanges.

Session Token Theft

If the session token (cookie) issued after passing MFA is stolen, there is no need to bypass MFA itself. Info-stealer malware extracts the session cookies stored in the browser and sends them to the attacker's C2 server. The stolen cookies are then used in "pass-the-cookie" attacks, allowing the attacker to take over the victim's session as-is. We explain countermeasures in detail in our article on defending against session token theft.

Countermeasures with Phishing-Resistant MFA

MFA method        | AiTM resistance | MFA fatigue resistance      | SIM swap resistance
SMS OTP           | ✗               | -                           | ✗
TOTP app          | ✗               | -                           | ✓
Push notification | ✗               | ✗ (without number matching) | ✓
FIDO2 / passkey   | ✓               | ✓                           | ✓

Phishing-resistant MFA is an authentication method that is resistant to all of the bypass techniques above. In FIDO2 / WebAuthn-based authentication, the private key never leaves the device, and the origin (the domain being connected to) is cryptographically verified at authentication time, so authentication requests routed through an AiTM proxy are automatically rejected.

"We have MFA, so we are safe" is an outdated assumption. SMS OTP and push notifications can no longer be considered sufficient defenses. We compare each method in our article on two-factor authentication, and explain concrete defensive measures in our article on MFA fatigue attacks.
