In the first quarter of 2024, nearly half of all security incidents the Cisco Talos team responded to involved multi-factor authentication (MFA) issues, according to the latest Cisco Talos report.
A quarter of these incidents were caused by users accepting fraudulent MFA push notifications originating from attackers, while 21% of incidents were due to improper MFA implementation.
The report revealed the most common MFA bypass attempts observed were MFA push attacks. In these scenarios, attackers who have obtained a user’s password bombard the user’s MFA-enabled device with push notifications, hoping the user will eventually accept one.
However, attackers have become more creative in their MFA bypass techniques, for example stealing authentication tokens from employees and replaying session tokens with completed MFA checks, allowing attackers to impersonate trusted users and move laterally across networks.
Attackers have also used social engineering tactics to convince IT departments to add new MFA-enabled devices controlled by the attackers.
The report noted instances where contractors were compromised, and their phone numbers changed to receive MFA codes on the attacker’s device.
Other techniques include gaining administrative privileges on compromised endpoints to deactivate MFA software and conducting insider attacks where compromised employees approve MFA push notifications sent by attackers.
Cisco Talos researchers noted that, as the commercialization of cybercrime continues to grow and more attacks are offered “as a service,” attention must be paid to phishing-as-a-service kits that include MFA bypass capabilities.
The Tycoon 2FA platform, for example, applies the attacker-in-the-middle (AiTM) technique, where an attacker-controlled server hosts a phishing web page, intercepts victims’ inputs, and relays them to the legitimate service.
This tool now incorporates MFA prompts, capturing session cookies if users accept the request, allowing attackers to bypass MFA even if credentials have been changed.
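Both the push-bombing pattern described above and the replay of an MFA-completed session token leave traces in authentication logs. The following Python example is added here for illustration; it is not Cisco Talos tooling and not part of the report or this article. It runs two simple detections over a constructed log: a burst of push prompts to one user inside a short window, and a session issued after an approved push that is later presented from a different source address. The log format, field names, thresholds and all sample values are assumptions made for the example.

```python
"""Two MFA-abuse detectors over authentication log lines.

Added illustration, not vendor code. Assumed log format (one event per
line): timestamp|user|event|src_ip|session_id, where event is one of
push_sent, push_denied, push_approved or session_use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): alice receives six prompts in three
# minutes before accepting one; carol's MFA-approved session is reused from a
# different address; bob is a normal login.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z|alice|push_sent|203.0.113.7|-
2024-03-04T09:00:25Z|alice|push_denied|203.0.113.7|-
2024-03-04T09:00:40Z|alice|push_sent|203.0.113.7|-
2024-03-04T09:01:02Z|alice|push_sent|203.0.113.7|-
2024-03-04T09:01:31Z|alice|push_sent|203.0.113.7|-
2024-03-04T09:02:05Z|alice|push_sent|203.0.113.7|-
2024-03-04T09:02:44Z|alice|push_sent|203.0.113.7|-
2024-03-04T09:03:10Z|alice|push_approved|203.0.113.7|sess-a1
2024-03-04T09:05:00Z|bob|push_sent|198.51.100.20|-
2024-03-04T09:05:09Z|bob|push_approved|198.51.100.20|sess-b1
2024-03-04T09:20:00Z|bob|session_use|198.51.100.20|sess-b1
2024-03-04T10:00:00Z|carol|push_sent|198.51.100.5|-
2024-03-04T10:00:12Z|carol|push_approved|198.51.100.5|sess-c1
2024-03-04T10:07:30Z|carol|session_use|192.0.2.99|sess-c1
"""


def parse_log(text):
    """Parse the assumed pipe-separated format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip, session = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "ip": ip, "session": session,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return {user: max_prompts_in_window} for users who received at least
    `threshold` push prompts inside any sliding window. A legitimate login
    normally produces one prompt, so a burst points to push bombing."""
    sent = defaultdict(list)
    for e in events:
        if e["event"] == "push_sent":
            sent[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in sent.items():
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def detect_session_replay(events):
    """Return (user, session, mfa_ip, use_ip) tuples where a session created
    by an approved push is later presented from a different source IP, the
    signature of a stolen, MFA-completed token being replayed."""
    origin = {}   # session_id -> (user, ip seen at MFA approval)
    alerts = []
    for e in events:
        if e["event"] == "push_approved" and e["session"] != "-":
            origin[e["session"]] = (e["user"], e["ip"])
        elif e["event"] == "session_use":
            known = origin.get(e["session"])
            if known and known[1] != e["ip"]:
                alerts.append((e["user"], e["session"], known[1], e["ip"]))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("push fatigue:", detect_push_fatigue(evs))
    print("session replay:", detect_session_replay(evs))
```

A source-address change on its own is a noisy signal (mobile carriers and VPNs change addresses routinely), so a production rule would bind the session to a device identifier or use token binding rather than the IP alone, and the push-fatigue rule is best paired with number matching on the prompt, which removes the blind “approve” button the attack relies on.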
Jasson Casey, CEO of Beyond Identity, pointed to the Verizon DBIR 2024 report, which found credential theft and phishing are the top two entry points for bad actors in web applications.
“The only way to defend against credential theft and phishing attacks is the universal deployment of phishing-resistant MFA,” he said.
He added that it is a misconception that push notifications and challenge questions are more secure because neither relies on a mobile network connection, the channel that SIM-swapping attacks exploit.
“Both are susceptible to phishing, social engineering, and AiTM attacks,” he said. “As a shared secret, challenge questions are atrocious as a second-layer defense.”
Casey said the best way to ensure that MFA is secure and effective is to configure phishing-resistant MFA by default for application access.
“Organizations should also ensure a smooth user experience with passwordless, single-device MFA experiences,” he added. “Mature organizations can extend phishing-resistant MFA coverage from web applications to desktop login for additional coverage.”
Zero-Trust, Employee Training
Patrick Tiquet, vice president of security and architecture at Keeper Security, said employee training and education on cybersecurity best practices are crucial for protecting an organization from evolving cyber threats.
“Employees are the first line of defense,” he explained. “Regular training sessions should emphasize the importance of vigilance when receiving unsolicited MFA prompts.”
Employees must also be trained to question unexpected notifications immediately and report any suspicious activity without delay.
Tiquet recommended simulated phishing attacks and push notification exercises to help employees recognize and respond to threats.
“Fostering a culture where employees feel comfortable reporting potential security issues without fear of reprimand is essential for timely threat detection and response,” he said.
Employing a zero-trust architecture, where every request is verified regardless of its origin, together with the principle of least privilege, further strengthens an organization’s defense against most cyberattacks; both are recognized as best practices.
“By assuming that every access attempt, regardless of its origin or context, could be malicious, organizations add layers of verification and authentication,” Tiquet explained.
This “never trust, always verify” approach ensures that every access request is thoroughly validated, reducing the likelihood of unauthorized access and minimizing the blast radius of potential breaches.
“Applying least privilege access principles further limits exposure and enhances overall security posture,” Tiquet said.