What Is MFA Bypass and How to Prevent It

As developers integrate more advanced methods to authenticate users, cybercriminals implement new strategies to overcome those security measures. These include exploiting multi-factor authentication (MFA), which requires users to verify login attempts through two or more methods, such as with a one-time password or fingerprint scan. 

While MFA mitigates many of the security issues involved with single-factor authentication, there are multiple techniques cybercriminals use to bypass it. That said, comprehensive security measures, alongside developer and user education, can protect against these methods and reinforce the effectiveness of MFA.

What is MFA bypass?

MFA bypass is a form of cyberattack that overcomes multiple authentication methods to access an account. Although MFA helps protect accounts with compromised passwords, it does have gaps that can be exploited. 

Cybercriminals use MFA bypass attacks to target these weaknesses through phishing, malware, session hijacking, and social engineering techniques. Most techniques to circumvent MFA involve tricking users into accepting a second authentication request. Cybercriminals also implement strategies that exploit real user authentications or give them access to a user’s secondary verification method. 

Regardless of the workarounds attackers use, MFA bypass attacks are an evolving threat that requires innovative defenses from developers.

6 MFA bypass techniques hackers use

Effective MFA bypass strategies target any available vulnerability in a login system, from human behavior to security weaknesses within the application. Understanding common MFA bypass techniques enables you to protect your application and educate users about potential threat actors.

1. MFA fatigue

MFA fatigue attacks, also known as prompt bombing, involve harassing users with repeated authentication notifications. Once an attacker secures an end user’s credentials, they can repeatedly trigger authentication requests to the user’s secondary authentication method. Attackers use the high volume of push notifications to wear down the user until they confirm the authentication request. 

Users may assume that an alarming amount of MFA push notifications is the result of a glitch or malfunction, not realizing that a cybercriminal has gained access to their login information. Victims of fatigue attacks may also be so overwhelmed by notifications that they’re willing to do anything to stop them, especially if the deluge of calls or texts makes their phone more difficult to use. 

This can result in the acceptance of a fraudulent authentication request, giving the cybercriminals full access to their account.

2. Session hijacking

In session hijacking, attackers steal cookies that store data from a legitimate user authentication session and exploit those cookies to access an account. Because cookies store authentication data, attackers using session hijacking can anonymously take over an active session without encountering an MFA checkpoint. 

While authentication cookies are only valid for a limited timeframe, experienced cybercriminals leverage this opportunity window to bypass MFA and exploit a real login.

There are multiple techniques cybercriminals can use to steal the cookies they need for session hijacking. These can include implementing: 

• Malware

• Packet sniffing

• Proxy servers that mirror a real website

3. Man-in-the-middle

Man-in-the-middle attacks are a type of session hacking in which cybercriminals direct users to a proxy server, intercepting their login credentials and session cookies. Like other session hijacking methods, man-in-the-middle attacks gain access to an account by taking over the account after a legitimate login from the end user. 

The proxy server allows the attacker to steal session information and transfer cookies to their own browser, successfully circumventing the MFA process.

Man-in-the-middle attacks typically start with a phishing email or text that tricks users into clicking a link to a proxy server. The proxy server simultaneously gives users access to the target site and impersonates it. Only a minor change in the URL differentiates the man-in-the-middle site from the real one. 

4. Social engineering

The MFA process often involves sending a one-time password to the end user’s email or phone and prompting them to enter it. However, cybercriminals can use social engineering to compel users into sharing that code, giving them access to the account.

To gain the trust of their victims, cybercriminals may pose as friends, family members, financial institutions, or tech support professionals. 

Attackers can also send unrelated emails to the target as a way of gathering sensitive information, then contact service providers directly pretending to be a user who’s been locked out of their account.

5. SIM swapping

Calls and texts are common secondary authentication methods, causing attackers to target the phone numbers of their victims. With SIM swapping, cybercriminals persuade a user’s mobile carrier to move the user’s phone number to the attacker’s device. 

Typically, they’ll call the mobile carrier while impersonating the end user and claim that they want to transfer the number to a new phone or SIM card.

Because mobile carriers often seek some form of identity verification before assigning an existing phone number to a new SIM card, cybercriminals often pair SIM swapping with phishing or other forms of social engineering. 

Once the attacker has successfully posed as the end user and taken over their phone number, they can approve all authentication requests from their own device and lock the user out of the account.

6. Brute force attacks

Attackers can evade MFA by engaging in brute force attacks – attempting various password combinations until they achieve a successful match. The effectiveness of these attacks depends on using simple password combinations as an authentication factor, like a temporary 4-digit PIN, which is less difficult to decipher than a complex alphanumeric combination.

A successful brute force attack compromises an authentication factor, bringing attackers closer to account takeover.

Preventing and mitigating MFA bypass attacks

Although MFA does have certain security gaps, it ultimately provides another layer of protection for your users when their first authentication factor is compromised. You can also mitigate potential security issues and prevent broken authentication by implementing safeguards against common MFA bypass methods. 

If your application uses MFA, these strategies can help protect your users and decrease the severity of bypass attacks:

• Implement biometric authentication: Face scans and fingerprints are typically more difficult for cybercriminals to replicate, making biometrics a highly secure additional authentication method. 

• Institute strong password policies: MFA bypass attacks often focus on accounts that already have stolen passwords, with compromised passwords causing over 82% of data breaches in 2022. By enforcing strong password policies, you can reduce the likelihood of your users becoming a target. 

• Adopt passwordless authentication: Keeping passwords as the first authentication factor greatly weakens the integrity of the overall MFA process. Passwordless MFA (where both factors are based on possession or inherence) are a stronger starting point for your MFA implementation.

• Restrict login attempts: Limiting how many push notifications your application can trigger allows you to thwart MFA fatigue attacks. By automatically locking accounts that send a suspicious number of MFA prompts in a short period of time, you can protect your users from overwhelming push notifications and stop compromises in progress. 

• Use secure authentication methods: Incorporating phishing-resistant processes, such as FIDO2 authentication, helps protect against social engineering attacks.

• Implement fraud detection controls: Monitoring user signals and account activity with fraud detection and step-up authentication helps you determine when attackers are targeting your users. This allows you to quickly respond to threats or mitigate their impact when account compromises do occur.

• Conduct regular security testing: Routinely assess your MFA protocols, including the security of one-time codes and MFA recovery methods.

Secure your multi-factor authentication with Descope

For accounts with compromised passwords, MFA is a strong line of defense. By using security best practices and controls that anticipate common MFA workarounds, you can seamlessly authenticate real users and keep cybercriminals at bay.

Descope helps developers easily add MFA to their authentication flows with drag-and-drop workflows, SDKs, and APIs. Our platform also enables apps to identify risky user signals and add risk-based authentication or step-up authentication to existing user journeys.

Sign up for Descope to remove the complexity from your MFA implementation and gain the ability to “add the right amount of friction” to reduce the likelihood and impact of MFA bypass.