Hacking MFA

Passwords are the worst!

Passwords are the most common type of authentication, however they are also poorly efficient for security.

New password policies are published almost every year, and always come up with changing requirements: complexity, length, rotation, reuse, passphrase… We are compelled to remember hundreds of passwords, and efficient cloud-based password managers are very often not allowed.
Passwords are also costly as they bully IT support teams with endless password resets.
Furthermore, most of the attacks don’t even care about password complexity because they already have the full password available (black-market credential leakage exploiting reused passwords, phishing, keystroke logging, writing on a post note… ). Clipping levels already protect against basic password spraying attacks on authentication forms. Complexity only protects against bruteforce attacks against stolen hash files.

In the end, passwords are not secure.

Note: Yet another punchline: Hackers don’t break in, they log in! Refer to this excellent article.

Not all MFA are equal. And almost all of them are breakable. Let’s collate some efficient techniques!

Real-time phishing: Kindly ask for an OTP… or politely ask to accept a push notification
Real-time phishing: Send fake URL imitating the authentication page, and intercept the second factor
Channel-jacking: Take over the channel used to provide the second factor (SMS or email)
MFA fatigue (MFA bombing, MFA spamming)
SIM swap
Compromised or stolen end-user device (spyware such as keylogger, rogue application)
Abuse weak verification (false positives on fingerprints, use generative AI…)
Capture victim physical attributes (record voice, collect fingerprint…)
Use the password recovery procedure
Post authentication token stealing
Physical attack (coercion, with force, weapon…)

Below is a modelling of real-time phishing with an Adversary-in-the-Middle (AitM) attack.

Note: Based on original learning material from Government of Canada.