Why I’m So Hard on Most MFA

I have to be the world’s most vocal critic of most multifactor authentication (MFA). I know MFA doesn’t solve 99% of the cybersecurity world’s problems (despite vendors and leaders saying it). Most MFA is far too easy to hack and bypass. Most of the stuff I’m forced to use is just barely this side of security theater. Nearly all of it overhyped and overpromised (there are notable exceptions, like FIDO-enabled Yubikeys).

I like many MFA solutions (https://www.dhirubhai.net/pulse/any-mfa-vs-good-roger-grimes/), just not most of the most popular solutions that most people use…at least not yet.

My biggest problem is that most MFA solutions is that they can be easily phished and bypassed, as easily (or nearly as easily) as a password, which was the major reason they were supposed to replace. Phishing and bypassing can be done a bunch of different ways. The most common way is known as Man-in-the-Middle attacks (although Microsoft calls them Adversary in the Middle attacks, I guess to be more gender neutral).

With most MitM attacks, an attacker sends a potential victim a phishing message (usually via email) that incentivizes the potential victim to click on a rogue link that the victim thinks is taking them to a real, legitimate site or service. Instead, that rogue URL link takes the user to a MitM site/service that then redirects all requests from the user to the real, intended site/service. The MitM site/service can now capture all the information sent between the user and the real site/service (graphic summary shown below).

The hacker can then reuse the victim’s MFA authentication code, if they provide one, or simply take or copy the resulting access control token that allows the user to access the protected web site.

MitM attacks are easy peasy. Most phishing kits and password-stealing malware programs now automate this type of MFA theft. You don’t have to be an uber hacker or spend weeks setting up a fake web site. You spend a few dollars and the software does it for you.

Here’s a few recent news stories talking about this exact attack:

·????????https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/

·????????https://www.wired.com/story/hack-binance-cryptocurrency-exchange/

·????????https://www.bleepingcomputer.com/news/security/new-evilproxy-service-lets-all-hackers-use-advanced-phishing-tactics/

·????????https://www.scmagazineuk.com/2fa-stealing-android-malware-gives-enterprises-cause-concern/article/1681863

·????????https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born

There are plenty of other ways to easily phish different types of MFA, such as push-based MFA bombing (https://www.dhirubhai.net/pulse/you-use-push-based-mfa-did-do-roger-grimes).

My bare minimum bar for any MFA solution is that it shouldn’t be EASILY phishable. And to be clear, all MFA, even the best stuff, can be phished and hacked (https://www.dhirubhai.net/pulse/phishing-resistant-mfa-does-mean-un-phishable-roger-grimes). I’m just saying that if you pick an MFA solution it shouldn’t be EASILY phishable using the most common types of attacks (e.g., MitM attacks and push-based attacks). I’m really not asking a lot.

I’m asking for MFA solutions to be far more secure than the passwords they are replacing, because otherwise why go through all the effort and expense?