
Despite the obvious benefits of two-factor authentication, multi-factor authentication (MFA) mechanisms are not immune to hacks. In fact, a whitepaper from KnowBe4 outlines over 12 ways to hack two-factor authentication.

The state of multi-factor authentication

More companies are now adopting MFA solutions in order to secure their data against hackers. Although MFA solutions have been available for decades, "there is now an ongoing, wide scale, rapid adoption of MFA in both corporate environments and by internet websites." Nevertheless, KnowBe4 highlights that many vendors and proponents have exaggerated MFA's ability to reduce security risk. Although MFA does reduce significant risk, it is not entirely "unhackable." In fact, the report insists that most of the attacks that could be successful against single-factor authentication can also be successful against MFA solutions. More often than not, a single MFA solution is "susceptible to multiple exploitation methods."

A multitude of two-factor authentication hacks

Overall, the whitepaper lists over a dozen ways to hack MFA solutions. In general, however, these reportedly fall into three categories: social engineering, technical, and mixed. Social engineering relies on the human user inadvertently using the MFA solution in a way that results in its bypass or misuse. Technical manipulation, meanwhile, covers the methods of exploitation and manipulation that do not require the human user to make a mistake. The majority of hacking methods, however, require a mixture of both human and technical vulnerabilities. In effect, these are attempts at "taking advantage of weaknesses between the steps of authentication." Hackers thus exploit identity, authentication secret storage, authentication, or authorisation. These attacks can also entail "malicious interruption, modification, or false representation of one or more of those steps or transitioning between those steps."

Defending against two-factor authentication hacks

In order to defend against two-factor authentication hacks, companies must recognise that there is no single solution. Indeed, "a particular type of MFA solution is susceptible to multiple hacking methods, and thus the attacks are not 1:1 only against a single type of MFA solution." Overall, it is crucial to note that MFA does not prevent phishing or social engineering from being successful. Nevertheless, the report insists that MFA is still effective and thus "everyone should use it when they can." However, MFA is not an "unbreakable" security solution. If a company is considering using MFA, it is vital that they also invest in security awareness training as part of their overall defence.