
Why MFA Is Becoming Easier to Bypass, and What You Can Do About It

Multifactor authentication (MFA) has long been a reliable method for safeguarding online accounts, adding an extra layer of security on top of passwords. However, a growing number of cybercriminals are finding ways to bypass this security, making MFA less effective than it once was. In this article, we explore the rise of phishing attacks that defeat MFA, why it’s happening, and how to protect your accounts from such attacks.

The Evolution of Phishing and MFA

At its core, MFA requires users to provide two or more verification factors to access their accounts. This usually means something they know (like a password) combined with something they have (like a one-time passcode sent via SMS or generated by an app). The idea is simple: even if an attacker steals your password, they can’t access your account without that second factor.

But phishing, a form of cyberattack that tricks users into revealing sensitive information, has become increasingly sophisticated. As detailed by Cisco Talos, a new wave of phishing tools is designed to circumvent common MFA methods. These tools, often marketed under names like Tycoon 2FA and EvilProxy, allow even non-technical criminals to carry out “adversary-in-the-middle” attacks, a type of phishing attack where the attacker sits between the victim and the service they are trying to log into.

The “Adversary-in-the-Middle” Attack

In this attack, cybercriminals utilise phishing-as-a-service toolkits to create fake login pages that closely resemble legitimate sites. Here’s how it works:

  1. The Bait: The victim receives a message claiming their account has been compromised and urgently needs to be locked down. The message includes a link that appears to direct the victim to the real login page, but the URL is slightly altered.
  2. The Fake Login: When the victim clicks the link, they are taken to the fake login page hosted on the attacker’s proxy server. This page replicates the actual site, including its appearance and login form design.
  3. Credential Theft: The victim enters their username and password, unknowingly giving the attacker their login details.
  4. MFA Intercepted: The attacker’s proxy server then sends the credentials to the real site (e.g., Google), and the service responds with an MFA request (like a text message or push notification). The victim, believing they are still on the legitimate login page, enters the MFA code, which is then forwarded to the attacker.

At this point, the attacker can access the victim’s account, even though MFA was supposed to prevent unauthorised access.

The Problem with MFA Based on Codes or Push Notifications

MFA that relies on one-time passcodes (OTPs) or push notifications is vulnerable to this kind of phishing because the second factor is just as easy for an attacker to capture as the password: the code is typed into the fake page and relayed to the real site within its validity window, and a push approval only confirms a login the attacker initiated. A relayed OTP or a single tap on a push notification is all the attacker needs to complete the login process.

The ease of setting up phishing tools and the growing number of criminals using them means that even non-technical individuals can create realistic-looking login pages and deploy these attacks. These attacks are not only increasing in number but also in sophistication, making them more difficult for the average user to identify.

The Role of WebAuthn in Enhancing Security

While traditional forms of MFA are being bypassed, there is hope in the form of WebAuthn, a more secure form of MFA. WebAuthn-based MFA uses cryptographic authentication that binds the user’s credentials to the device and the URL, offering two major advantages:

  1. URL Binding: A credential is tied to the website origin (the domain) it was registered on. The browser will not present it to a site on another domain, so if a victim tries to use their WebAuthn credential on a fake site, the login attempt fails.
  2. Device Binding: The authentication process must take place on or near the device being used. This prevents attackers from using stolen credentials on their own devices.

For example, WebAuthn is commonly used with passkeys, which are stored on a user’s phone or on a security device such as a YubiKey. Unlike OTPs or push notifications, WebAuthn credentials cannot be phished: the private key never leaves the authenticator, and the signed login response records the origin the browser was actually on, so a response captured on a look-alike site is rejected by the genuine one and a middleman gains nothing by relaying it.
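As an added illustration, not code from the original article or from any WebAuthn library, the following Go program models the two bindings just described from the relying party's side, and contrasts them with the OTP case above, where a relayed code carries no information about which page it was typed into. The relying party domain example.com, the look-alike domain example-login.net, the function names, and the reduction of authenticatorData to the RP ID hash it begins with are all assumptions made for the example. The browser refuses to use the credential on a page whose domain is outside the registered RP ID; the genuine site then checks that the signed clientDataJSON names its own origin and its own fresh challenge; and because the signature covers exactly those bytes, a relay cannot rewrite the origin afterwards or replay an old response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Credential is what the relying party (the genuine site) stores at registration:
// the RP ID (domain) the credential is bound to and the public key. The private
// key never leaves the authenticator (security key or passkey).
type Credential struct {
	RPID string
	Pub  *ecdsa.PublicKey
}

// clientData mirrors the clientDataJSON members the browser fills in
// (the "type" member is omitted here for brevity).
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the browser's answer to navigator.credentials.get(); the
// authenticatorData is reduced to the RP ID hash it begins with (assumption).
type Assertion struct {
	ClientJSON []byte
	Sig        []byte // ECDSA over SHA-256(SHA-256(rpID) || SHA-256(ClientJSON))
}

// Register creates the authenticator's key pair and the credential the RP stores.
func Register(rpID string) (*ecdsa.PrivateKey, Credential, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return k, Credential{RPID: rpID, Pub: &k.PublicKey}, nil
}

// NewChallenge is the RP's fresh per-login random value (defeats replay).
func NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	return fmt.Sprintf("%x", b)
}

// signedBytes reproduces the WebAuthn signature input for a given RP ID.
func signedBytes(rpID string, clientJSON []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(clientJSON)
	h := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return h[:]
}

// BrowserGetAssertion models the browser: with enforceRPID it refuses to use a
// credential outside the page's domain, and it always writes the page's real
// origin into clientDataJSON. A phishing page controls neither behaviour.
func BrowserGetAssertion(priv *ecdsa.PrivateKey, cred Credential, pageOrigin, challenge string, enforceRPID bool) (Assertion, error) {
	host := strings.TrimPrefix(pageOrigin, "https://")
	if enforceRPID && host != cred.RPID && !strings.HasSuffix(host, "."+cred.RPID) {
		return Assertion{}, fmt.Errorf("browser: origin %q is outside RP ID %q", pageOrigin, cred.RPID)
	}
	cdj, _ := json.Marshal(clientData{Challenge: challenge, Origin: pageOrigin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedBytes(cred.RPID, cdj))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientJSON: cdj, Sig: sig}, nil
}

// VerifyAssertion is the RP's check: fresh challenge, expected origin, and a
// signature that covers exactly the clientDataJSON bytes the browser produced.
func VerifyAssertion(cred Credential, expectedOrigin, expectedChallenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("rp: challenge mismatch (stale or replayed assertion)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("rp: assertion was made for %q, not %q", cd.Origin, expectedOrigin)
	}
	if !ecdsa.VerifyASN1(cred.Pub, signedBytes(cred.RPID, as.ClientJSON), as.Sig) {
		return errors.New("rp: signature does not cover this clientDataJSON")
	}
	return nil
}

// Login runs one ceremony against the hypothetical RP https://example.com with
// the victim's browser on pageOrigin. With enforceRPID false it shows what the
// RP's own origin check still catches if the browser-side rule were absent.
func Login(pageOrigin string, enforceRPID bool) error {
	priv, cred, err := Register("example.com")
	if err != nil {
		return err
	}
	challenge := NewChallenge()
	as, err := BrowserGetAssertion(priv, cred, pageOrigin, challenge, enforceRPID)
	if err != nil {
		return err
	}
	return VerifyAssertion(cred, "https://example.com", challenge, as)
}

func main() {
	fmt.Println("genuine site:   ", Login("https://example.com", true))
	fmt.Println("look-alike site:", Login("https://example-login.net", true))
	fmt.Println("rp check only:  ", Login("https://example-login.net", false))
}
```

Run it with `go run` and only the first Login returns nil; the look-alike origin is stopped by the browser, and, with that rule switched off, by the relying party's origin comparison. Editing the origin member of a captured clientDataJSON, or submitting the same assertion against a later challenge, fails the signature and challenge checks respectively, which is the property an OTP relayed through a proxy lacks.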

Real-World Impact of MFA Vulnerabilities

The effectiveness of MFA based on codes and push notifications is declining as phishing tools become more sophisticated. A striking example of this came in 2022, when one group of attackers used these techniques to steal more than 10,000 credentials across 137 organisations. One of the major breaches was the compromise of the authentication provider Twilio. However, some companies, like Cloudflare, were able to avoid being breached thanks to their use of WebAuthn-based MFA.

WebAuthn’s ability to prevent adversary-in-the-middle attacks is why many security experts recommend switching to it. WebAuthn credentials, especially when paired with devices such as phones or security keys, provide significantly better protection than traditional multi-factor authentication (MFA) methods.

How to Protect Your Accounts

So, what can you do to protect yourself from these evolving threats?

  1. Switch to WebAuthn: If possible, enable WebAuthn or a similar hardware-based multi-factor authentication (MFA) method. This will protect you from adversary-in-the-middle attacks and ensure your MFA cannot be phished.
  2. Use a Security Key: Consider using a physical security key, such as a YubiKey, that supports WebAuthn. These keys provide the most secure form of authentication and are immune to phishing.
  3. Educate Yourself and Others: Be cautious of phishing attempts. If you receive a suspicious message, double-check the URL before clicking any links. Always navigate directly to the website instead of relying on links in emails or texts.
  4. Update MFA Settings: If your current MFA method relies on SMS or push notifications, consider switching to a more secure option like an authenticator app or hardware token. Note that an authenticator app is an improvement over SMS, but its codes can still be relayed by the adversary-in-the-middle proxy described above; only a WebAuthn credential on a hardware token or passkey resists that.
  5. Stay Informed: Keep up with the latest security practices and make sure your accounts are as protected as possible.
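Step 1 of the attack described earlier turns on a slightly altered link, and the advice to double-check the URL is easier to follow with a precise rule: the part that matters is the host the browser will actually connect to, matched against the expected domain from the right-hand end. The following Go program is an added example and not code from the article; the sample links, the placeholder look-alike domain verify-login.example, and the function names are constructed for it.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// EffectiveHost returns the host a browser would actually connect to for link:
// scheme, userinfo, port, path and query are stripped and the result lower-cased.
func EffectiveHost(link string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(link))
	if err != nil {
		return "", err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", errors.New("not a web link")
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if host == "" {
		return "", errors.New("link has no host")
	}
	return host, nil
}

// BelongsTo reports whether host is expectedDomain or a subdomain of it. The
// match is anchored at the right-hand end, so a host that merely starts with
// or contains the expected name does not qualify.
func BelongsTo(host, expectedDomain string) bool {
	expectedDomain = strings.ToLower(strings.TrimSuffix(expectedDomain, "."))
	return host == expectedDomain || strings.HasSuffix(host, "."+expectedDomain)
}

// CheckLink answers "does this link really land on expectedDomain?" and also
// returns the host it would land on (or the parse error), for display.
func CheckLink(link, expectedDomain string) (bool, string) {
	host, err := EffectiveHost(link)
	if err != nil {
		return false, err.Error()
	}
	return BelongsTo(host, expectedDomain), host
}

func main() {
	// Constructed sample links; verify-login.example is a placeholder domain.
	links := []string{
		"https://accounts.google.com/signin",
		"https://ACCOUNTS.GOOGLE.COM:443/signin?x=1",
		"https://accounts.google.com.verify-login.example/signin", // familiar name padded on the left
		"https://accounts.google.com@verify-login.example/signin", // familiar name in the userinfo part
		"mailto:help@google.com",
	}
	for _, l := range links {
		ok, host := CheckLink(l, "google.com")
		fmt.Printf("%-58s -> %-5t (%s)\n", l, ok, host)
	}
}
```

The check deliberately ignores everything but the host, because path, query and userinfo are the places where a familiar name can be planted without changing where the link leads. It does not attempt to detect look-alike characters or internationalised domain names; for those, a browser's own address bar (and navigating to the site directly, as the advice above says) remains the better check.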

Conclusion

While MFA has been a valuable security tool for many years, its effectiveness is being compromised by increasingly sophisticated phishing attacks. To stay protected, it’s crucial to move beyond outdated MFA methods like SMS and push notifications and switch to more secure alternatives like WebAuthn. By staying aware of the latest threats and upgrading your authentication methods, you can safeguard your accounts against these evolving attacks.
