Big Tech is mandating MFA. Hackers have workarounds

Illustration: Si Weon Kim

Multi-factor authentication offers users far more protection than a password alone. But experts warn it’s no panacea against hackers.

The security industry fawns over multi-factor authentication, an account safeguard that prompts users for more than just a password. It requires people to enter one-time codes sent to their devices or to scan their fingerprints, for example, after they submit their passwords.

Google plans to enable the feature for more than 150 million users by the end of the year, and Facebook’s parent company Meta said yesterday it would start requiring “highly targeted” people to enroll in MFA. The U.S. Cybersecurity and Infrastructure Security Agency has pushed for wider adoption of MFA via everything from fact sheets to holiday-themed videos.

“I’ve said it before, and I’ll say it again: Enabling multi-factor authentication makes you 99% less likely to get hacked,” CISA director Jen Easterly tweeted last month.

But calls to embrace MFA should come with caveats, experts say. Recent cyberattacks targeting cryptocurrency investors and YouTube creators have demonstrated how accounts that rely on MFA can be compromised despite their increased security. And hackers have already started to change tactics as more and more users lock down their logins.

“The messaging is wrong,” said Roger Grimes, data-driven defense evangelist at cybersecurity training company KnowBe4 and author of “Hacking Multifactor Authentication.” “The correct messaging is, ‘You should use MFA because it significantly reduces some types of attacks.’ That’s the most you can say.”

Grimes told README most MFA solutions can be hacked by exploiting unpatched software or social engineering, among other methods. Even focusing on attacks that could be prevented by implementing MFA, he said, the oft-cited 99 percent figure is an overstatement. Many services limit users to just two factors — which is why MFA if often referred to as two-factor authentication or 2FA — but some allow for more.

The most popular implementation of MFA relies on one-time passwords sent via SMS to the account holder’s phone. This is also perhaps the easiest form of MFA to bypass: Attackers can use SIM-swapping attacks and port-out fraud to have SMS messages sent to a device they control. The Federal Communications Commission said in September that it and the Federal Trade Commission have received hundreds of complaints about those kinds of attacks.

The FCC cited a 2020 study in which Princeton University researchers set up prepaid wireless accounts with five U.S. carriers — Verizon, AT&T, T-Mobile, US Mobile, and Tracfone. Researchers were able to compromise 39 of the 50 prepaid accounts because they didn’t properly defend against SIM-swap attacks.

Hackers can also subvert SMS-based authentication through phishing attacks that send victims to a malicious website to harvest one-time codes, as some Coinbase users discovered in October, when attackers gained access to MFA-secured accounts on the cryptocurrency exchange by using a fake website and a dashboard that solicited one-time passwords and other information from victims.

Other forms of MFA, such as fingerprint scanning or facial recognition software, are more difficult to compromise without physical access to a device. Still, there are several ways to fool a fingerprint scanner, and researchers have also discovered techniques to get around facial recognition-based authentication methods.

But security concerns don’t apply equally to every form of MFA.

“As an industry, often we like to talk about MFA as an all-inclusive bucket that is all the same in terms of implementation, level of security, and how that can keep people out of your account and keep your account safe online,” said Karen Larson, integration program senior director at authentication technology company Yubico. “The problem with those blanket statements is that not all MFA is the same.”

1_AapT_PIFU7554GPHMFEyhAGoogle plans to enable multi-factor authentication for 150 million accounts by the end of 2021. Noah_Loverbear/Wikimedia Commons

Stealing from the cookie jar

Attackers don’t have to compromise authentication methods to bypass MFA, Grimes said. They can instead exploit flaws in the process that takes place after a successful login attempt.

Google’s Threat Analysis Group revealed in October that popular YouTube creators had been targeted by “pass-the-cookie” attacks capable of compromising accounts secured by MFA. These efforts typically combine phishing attacks with malware to collect session cookies or access tokens that stick with a user throughout a browsing session. These tools trail along with a user, preventing the need to constantly log back in to a given application or website. Many of these cookies and tokens are set to expire after a certain amount of time, but until that limit has been reached, most provide unfettered access to the corresponding account. Both access tokens and session cookies can be stolen — regardless of whether an account is protected by MFA.

Larson told README that the protection of session cookies and access tokens is “a little all over the place.”

“Security around that piece is not amazing right now,” she said. “I do know from talking with our partners that there is a lot of thought and progress on how to make that more secure, and then also how to standardize the security around those access tokens to make it harder for people to access.”

Evolving attacker focus

People who use MFA might benefit from so many other accounts being easier to hack. While not foolproof, enabling MFA can create enough extra work for would-be attackers that they simply move on to softer targets.

But as more users add MFA to their accounts, experts say hackers have adapted.

“While the [pass-the-cookie] technique has been around for decades,” Google security engineer Ashley Shen said in October, “its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics.”

Grimes agreed. “I think it’s decreasing efficiency over time for MFA,” he said. “It’s already not that great at stopping stuff — it’s going to be less so in the future.”

Still, MFA makes it more difficult for low-effort attacks to succeed. That’s why tech giants like Google and Facebook are forcing many users to enable it.

They may face an uphill battle: Few people have adopted MFA. Twitter said in a July transparency report that just 2.3% of its users have enabled the feature, and most of those rely on SMS-based codes. Despite Google’s push to add MFA for 150 million users by the end of the year, many accounts will rely solely on passwords for years to come.

1_s_mqqBCpAcpA8RvU6N2dSw

Rows of YubiKeys, a form of hardware-based authentication, are pictured. Yubico/Flickr

Reason to hope

Experts widely agree that convincing people to use even a less-secure type of MFA such as SMS-based passcodes can be seen as a small victory. Larson said that Yubico typically sees its customers go from an SMS-based solution, which requires little overhead, to a more secure form of MFA like a physical token. This is especially true of services that are pushed to implement better security practices by their customers.

“What we’re seeing that’s heartening for me is more and more customers wanting better security and being concerned about their accounts and the vulnerability they face just having their information out there online,” Larson said.

Not all forms of MFA are created equal, and it’s difficult to make broad claims about the protections afforded by the feature. But there is near universal agreement that people benefit from using it.

“You should get MFA,” said KnowBe4’s Grimes. “MFA is a good thing — it significantly reduces some types of attacks.”

It’s also important to push vendors to develop less-phishable forms of MFA, Grimes added. These can include push-based authentication methods that require someone to confirm a login attempt from a trusted device — to make it clearer that someone is logging in at that exact moment — or ensuring physical tokens use proven security specifications like FIDO2.

“There are small changes you can make to MFA to make it more secure,” he said. “If you’re going to go through the hard work of going to MFA, we should try to get people to the least hackable, perishable forms. Because it’s a big deal to go from passwords to MFA.”