

A few days ago, our team helped someone who had been a target of account takeover (ATO). Despite protecting the account with mandatory two-step verification using SMS and the Authenticator app, attackers had broken into the account and changed the password. The target initially used their Authenticator app to recover their password. Then the attackers changed the password again and removed the app from the account. This was a specific and targeted attack with direct human involvement.

In my last blog I explained how your pa$$word doesn’t matter - but multi-factor authentication (MFA) does! Several folks commented that “MFA isn’t a panacea.” That’s true in targeted attacks when attackers are willing to invest enough to break MFA, and there’s no easier way. Let’s not get crazy - Multi-factor Authentication (MFA) is the least you can do if you are at all serious about protecting your accounts. Compared to password attacks, attacks which target non-password authenticators are extremely rare. Use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population. When we evaluate all the tokens issued with MFA claims, we see that less than 10% of users use MFA per month in our enterprise accounts (and that includes on premises and third party MFA). Until MFA is more broadly adopted, there is little reason for attackers to evolve. But MFA attacks do exist, and in this blog we’ll confront them.

There is a broad range of mechanisms to break authenticators, from simple guessing to coercion. Costs vary massively by attack type, and attacks which preserve anonymity and don’t require proximity to the target are much easier to achieve. That doesn’t make all authenticators equally vulnerable. Here’s a list of common credential types with an assessment of vulnerabilities (excluding coercion, which is possible with all factors). Unfortunately, virtually all authenticators in common use today – phones, email, one-time passcode (OTP) tokens, and push notifications – are vulnerable to relatively low-cost attacks involving takeover of the communication channel used for the authenticator (Channel-Jacking) or intercept-and-replay of authentication messages using a machine-in-the-middle (Real-Time Phishing). Unfortunately, both have been in the news lately in some high-profile attacks (as well as in our caseloads). MFA bypass attacks are so rare that we don’t have good statistics on them – but when they do happen, they devolve to one of those two cases.
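To make the Real-Time Phishing point concrete, here is an added simulation (not code from the original post or from Microsoft) of why an OTP relayed through a machine-in-the-middle verifies fine at the real site, while an origin-bound assertion signed by the user's device does not. The secrets, origins and the simplified WebAuthn-style binding are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values for the simulation
OTP_SECRET = b"constructed-shared-otp-secret"
DEVICE_KEY = b"constructed-device-signing-key"
LEGIT_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.evil.test"  # lookalike proxy site (constructed)


def otp_code(secret: bytes, time_step: int) -> str:
    """TOTP-style 6-digit code: HMAC over the time step, dynamically truncated."""
    digest = hmac.new(secret, time_step.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def verify_otp(submitted: str, time_step: int) -> bool:
    """The server cannot tell which web page the user typed the code into."""
    return hmac.compare_digest(submitted, otp_code(OTP_SECRET, time_step))


def sign_challenge(key: bytes, challenge: bytes, origin_seen_by_client: str) -> bytes:
    """Simplified origin-bound assertion: the client signs the challenge together
    with the origin it is actually talking to (as a browser does for WebAuthn)."""
    return hmac.new(key, challenge + origin_seen_by_client.encode(), hashlib.sha256).digest()


def verify_assertion(assertion: bytes, challenge: bytes) -> bool:
    """The real site accepts only assertions bound to its own origin."""
    expected = sign_challenge(DEVICE_KEY, challenge, LEGIT_ORIGIN)
    return hmac.compare_digest(assertion, expected)


def simulate_realtime_phish() -> tuple[bool, bool]:
    """Victim logs in on PHISH_ORIGIN; the proxy forwards everything to LEGIT_ORIGIN."""
    step = int(time.time()) // 30
    # OTP: victim reads the code from their phone, types it into the proxy page,
    # and the proxy replays it to the real site within the same time window.
    otp_accepted = verify_otp(otp_code(OTP_SECRET, step), step)      # True
    # Origin-bound credential: the real site's challenge is forwarded unchanged,
    # but the device signs over the origin it really sees, the phishing site.
    challenge = secrets.token_bytes(32)
    relayed = sign_challenge(DEVICE_KEY, challenge, PHISH_ORIGIN)
    assertion_accepted = verify_assertion(relayed, challenge)          # False
    return otp_accepted, assertion_accepted
```

The replayed OTP is indistinguishable from a legitimate one at the server, which is why the post treats OTP tokens and push prompts as phishable; the origin mismatch is what a proxy cannot forge.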
