2FA is over. Long live 3FA!

In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. The recent Uber breach is just one example, but we see many campaigns circumventing 2FA on various platforms.

For over a decade now, implementing 2FA/MFA has been considered the best-practice solution organizations must implement against account hijacking attacks, whether those were based on phishing, brute force, password theft, or any other fraudulent way of obtaining login credentials. And while industry experts warned of potential abuse of those mechanisms for years, little notice was taken. Most knew that attacks against 2FA were possible, but thought they were too complicated to execute and didn’t really happen in the real world.

In time, though, instances of successful attacks became more common. What changed to make that happen? In one word: motivation.

When 2FA was implemented by only a small number of organizations, attackers did not see a pressing need to develop techniques and skills to circumvent it. They were simply focused on the rest of the world—those that had not yet properly implemented 2FA. But in the last couple of years, we’ve seen a huge increase in adoption of 2FA, driving the motivation for attackers to build the technology to bypass 2FA. Furthermore, the increased move to cloud and SaaS applications, combined with single sign-on, has turned identity into the new perimeter, making the potential gain of account hijacking even higher than before.

It is important to note that while the industry frequently uses MFA and 2FA interchangeably, MFA is a general concept of multifactor authentication, that is, using more than one factor to authenticate a user. What most organizations have in place is 2FA — the minimal viable implementation of MFA, utilizing the existing username/password mechanism with an added second factor, such as an OTP (one time password), authentication app push approval, or SMS-based tokens (similar to OTPs).

The problem with this type of second factor is that it is not necessarily stronger than a password; it is only timelier. Passwords are a secret that provide decent protection against identity theft – if they remain secret. Attacks like phishing, brute force, or SQL injection on databases with passwords are all designed to do one thing: discover the password so that it can be used by the attacker. One-time passwords are similar: If the attacker knows the one-time password, they can use it to authenticate. The protection provided by it is therefore related to the time window during which it can be used: A normal password lives for weeks and months, but a one-time password is valid for seconds or minutes.

Similarly, an app push approval uses strong protocols to validate a one-time token, but an attacker using that validation in the right time window will still be able to take over the account. For some years, this seemed like a reasonable approach. Attackers would harvest passwords for a period of time, store them offline, and then use them at a later stage, making any potential token they had stolen obsolete.

But with time being the only limiting factor, as motivation grew, attackers developed the technology and the practices to carry out those attacks in near real-time, allowing them to hijack accounts much the way they did before 2FA was implemented.

The two most common techniques today for 2FA circumvention are Adversary in the Middle (AiTM) and MFA fatigue.

• AiTM is a technique used by attackers for doing phishing attacks via a proxy. Rather than harvesting passwords and trying to use them later, the attackers proxy the attempted login of the user, including the second authentication factor (whether it is an OTP or MFA push), and create a new session for the attacker, in real time, that is then used for future access. With MFA sessions being valid for 14-30 days in most cases, this allows the attacker a substantial amount of time to use the hijacked account. We have seen this in multiple campaigns, including setting up a new MFA authenticator app to maintain persistency beyond the MFA session validity duration. It is important to note that while this may seem more complicated, there are now at least three popular phishing kits (and a custom one) that automate this process for the attackers.
• MFA fatigue is a technique that can be used against MFA challenges via push notifications in your MFA authentication app. In this scenario, the attacker can first obtain the username/password using a traditional approach (phishing, theft of password database, and so on), before launching the MFA attack itself. The attacker then starts attempting to log in with the stolen credentials. Every time the attacker does so, the user gets a push notification on their app asking them to verify the authentication. For many users, this is seen as a glitch in the system, and they either approve it right away, or approve it at some point as they get tired of the notifications and pressing No every time.

What this means for our industry is that the efficacy of existing 2FA solutions is being nullified. It is safe to assume that almost all phishing attacks will soon be powered by these new frameworks for circumventing 2FA, and we will be back to where we were a few years ago, with only a username and password inefficiently trying to stand between attackers and our data and systems.

The solution is to embrace MFA more broadly, moving to three-factor authentication (3FA) by adding an additional factor, but this time one that cannot be used by the attacker to authenticate from a foreign device. This can be done by tying the user authentication to a specific device or hardware token.

Hardware tokens that support FIDO2 protocols guarantee a signature on the authentication of the device that is bound to the specific host used and the specific server being accessed, making its reuse by attackers impossible. But organizations do not have to go and purchase a dedicated hardware device for it. Similar implementation of FIDO2 (or a similar approach) can be done on the user’s devices directly, effectively binding the authentication to specific devices, making it impossible for an attacker to create a new session from a new device.

This capability is offered by the two largest identity providers, Microsoft 365 and Okta.

With Microsoft 365, Conditional Access (which is the main way to manage 2FA/MFA) can be configured to allow connections from devices enrolled in InTune (Microsoft’s MDM) only. If properly configured, this makes AiTM or MFA fatigue attacks redundant. Microsoft also offers integration with Microsoft Hello for secure FIDO2 connections (from Windows machines at this point).

Okta also offers similar capabilities through integration with 3rd party MDM solutions (as well as with hardware tokens).

There is, however, one caveat. Very few organizations have implemented these solutions to date, so they are still somewhat immature. We’ve been seeing organizations trying to implement those solutions, and they are encountering substantial overhead, user frustration, and lots of edge cases with no solution to date. Hopefully, as the industry increases the adoption of these 3FA solutions, the vendors will allocate the resources needed to perfect them, making them the default way to go and challenging attackers to come up with new techniques.

It is now clear that implementing third-factor hardware/device-based verification is the only way for organizations to protect themselves from phishing and other account takeover attacks, and therefore… 2FA is over. Long live 3FA!