Can MFA be phished? How to avoid getting scammed
Although multi-factor authentication (MFA) is a powerful security measure, it's not immune to phishing attacks. Here's how to implement MFA to mitigate this risk.
Published December 5, 2022The unpleasant genius of phishing attacks is that almost anything is phishable. Most phishing attacks are an attempt to steal a user’s credentials – a username and password – which, as everyone in cybersecurity knows, is relatively easy to do. But can MFA be phished?
For years now, we’ve known that the only protection against credential compromise is to combine passwords (the first factor of authentication) with an extra layer of verification (a second factor), also known as two-factor authentication (2FA) or multi-factor authentication (MFA). In theory, all MFA is phishing-resistant MFA and should stop phishing attacks.
Unfortunately, the adage that anything can be phished also applies to some types of MFA. This leaves defenders with an obvious question: does MFA work well enough to reliably defend against phishing attacks?
The short answer is yes. Even an imperfect MFA is better than no MFA and will stop most attacks. Using MFA always raises the security bar.
However, as this article lays out, MFA comes in many forms. And some of these are more susceptible to MFA bypass attacks than others. The job of defenders, then, is to understand which types of MFA are more resistant to phishing, and to apply these methods to prevent unauthorized access.
Attackers can find their way into an organization in several ways, but none is as simple and cheap as sending a phishing email. Phishing is a numbers game. According to the 2022 Verizon Data Breach Investigations Report (DBIR), the number of employees clicking on phishing emails remains static at around 2.9% over the last decade.
This sounds like a small number. But even if only a fraction of those end with a credential compromise (not all phishing attacks are about stealing credentials after all) even a tiny number of successes are enough to give attackers what they seek.
The success of this tactic is all around us. The DBIR reports that a whopping 63% of breaches involved phishing attacks. As an example, this is equivalent to hundreds of annual breaches in a single company’s analysis, many rated severe.
But why are so many organizations vulnerable to phishing years after the cybersecurity community identified the problem as a weakness? Very simply because passwords (the first factor) were never designed to be used securely on the scale they are today. And when attackers steal passwords, detecting the theft is incredibly difficult, even with expensive layers of security in place. What’s more, some MFA can be phished by sophisticated attackers, who can employ many different tactics to bypass some MFA methods (just look at the recent LastPass data breach).
As we mention above, passwords (and PINs) count as the first factor of authentication: something the user knows. To this, MFA adds a second factor: something the user has, generates, or is sent. One could keep adding factors to tighten security even more, of course, but the extra challenges would increase user frustration in return for a negligible security benefit.
How much extra security comes from adding a second factor? The answer depends on which factor is being used. As the number of MFA technologies has increased over time, confusion has grown about their comparative merits.
The main examples are:
A unique SMS code sent to a mobile device.
A unique code generated via a mobile app.
A push notification sent to a mobile device.
A physical token in the user’s possession.
Recently, “passwordless” authentication is also gaining in popularity. This authentication method does away with passwords as the first factor completely, and relies instead on a combination of factors such as: a user-generated code, a digital credential securely embedded in a smartphone, or a biometric or fingerprint verification. Strictly speaking, what exactly counts as passwordless is debatable. What’s more, these methods still require stored information that can represent a liability.
Most importantly, some of the above MFA methods can be phished more easily than others. Some are potentially vulnerable to a determined attacker, who can:
Intercept SMS codes, or hijack mobile accounts themselves via SIM swapping attacks.
Steal app codes using man-in-the-middle attacks.
Steal or find a physical token or smartphone.
It’s important to note here that the level of vulnerability is not the same. MFA methods that rely on SMS are notoriously vulnerable to even the most novice threat actors, while stealing app codes is much more of a challenge. And getting a hold of the physical token or smartphone, of course, requires sheer luck or extremely targeted coordination.
Obviously, some of these compromises are easier than others. For one, stealing a token would be impossible for a remote attacker. But the vulnerabilities above highlight the need for phishing-resistant MFA, which particularly interests organizations looking to build security around zero trust.
A key weakness of most MFA technologies is the user’s involvement in the authentication process. Users often receive a code that they then type in to complete authentication. Then, attackers can either intercept this code or trick it out of the user using social engineering.
While educating your users about recognizing and avoiding phishing attacks can only help, it’s not enough. Here are two ways to ensure that your MFA is phishing resistant:
Hardware keys are particularly resistant to phishing attacks. FIDO keys offer important advantages to resist phishing since an attacker would essentially have to steal or stumble upon the physical key to bypass MFA. Based on the open industry FIDO standard, these phishing-resistant keys support a range of authentication protocols including OATH, HOTPFIDO U2F, and FIDO2 passwordless WebAuthn/Passkeys.
The user simply presents the key, such as a YubiKey or Token2, via USB or Bluetooth and is asked to tap it to confirm authentication. Let’s take YubiKey’s phishing-resistant keys, for example: behind the scenes, the authentication system confirms that the unique PKI cryptographic key embedded in the YubiKey is the one with which it set up a relationship during enrollment. No other key can be used for that login, which proves the user has the correct key in their possession.
Of course, sometimes hardware keys aren’t the best fit for an organization or user group. Other MFA methods, like authentication apps or MFA Push apps, may be a better option for several reasons.
But MFA methods based on receiving notifications can interrupt users as much as several times each day. As user frustration rises, this can create vulnerabilities to an MFA fatigue attack. This type of attack happens when an attacker has gained access to a user’s valid credentials (through phishing or otherwise). The attacker then gets an authentic user to accept an MFA request, although they’re not trying to log in. The risk of this attack is highest when users get so many MFA requests throughout the day that they accidentally or absent-mindedly accept them, even when they aren’t trying to log in.
Although these approaches are less inherently resistant to phishing than hardware keys, combining these MFA methods with risk-based contextual controls minimizes the risk of compromise. A good example of this is the ability to limit push notifications used in MFA fatigue attacks to certain times of the day or geolocations. This granularity around how and when to prompt for MFA limits the opportunity for an MFA fatigue attack to target an unwary user.
So, can MFA be phished? Yes, but:
Any MFA is better than no MFA, and
Not all MFA methods are equal.
Generally speaking, one of the biggest barriers to MFA adoption and success is the impact this extra layer of authentication has on productivity. Hardware keys certainly help here by allowing users to simply tap the key to authenticate. But most organizations will want to build their MFA implementation around a mixture of approaches, each with distinct advantages depending on the user and risk context.
There’s no such thing as one-size-fits-all MFA. That’s why UserLock gives IT admins the flexibility to choose between several MFA methods, including hardware keys, and to combine those methods with granularity on how, when, and if to prompt for MFA, adding extra security against phishing.
See for yourself how UserLock MFA can protect your organization against phishing. Start your 30-day free trial today.