How Multi-factor Authentication (MFA) can be Breached


Multi-factor Authentication (MFA) is a must; it is one of, if not the, most important access-security recommendations for businesses to implement, as it adds a crucial layer against a breach. However, it is not bullet-proof, and threat actors will always look for ways around this layer of security.

How can MFA be compromised?

  1. Phishing – Attackers can use sophisticated phishing techniques to trick users into providing their MFA codes. For example, a user might be redirected to a fake login page where they enter their password and then their MFA code, which the threat actor captures in real time to gain access.
  2. Man-in-the-Middle (MitM) Phishing – Threat actors can use tools which act as a proxy between the user and the legitimate service. The tool intercepts both the password and the MFA token, allowing the threat actor to authenticate.
  3. Vishing – Voice phishing, where the threat actor calls pretending to be from a legitimate organisation and manipulates the recipient into revealing their MFA codes.
  4. Man-in-the-Browser (MitB) Attacks – Browser-based malware on the user’s device can intercept and manipulate web traffic, capturing MFA codes as they are entered or automatically submitting those codes to the threat actor.
  5. SIM Swap Attacks – Threat actors can trick or bribe telecom company employees into transferring a victim’s phone number to a SIM card controlled by the threat actor. This allows the threat actor to receive SMS-based MFA codes and gain access to known accounts.
  6. Credential Stuffing – In a small number of cases, if MFA tokens are reused or predictable, a threat actor can use stolen credentials from data breaches to attempt access and exploit the weak MFA implementation.
  7. MFA Bombing – Threat actors can repeatedly send MFA requests to a user’s device, hoping that they will eventually approve one of the requests out of frustration or confusion.
  8. Exploitation of Weak MFA methods – SMS- and email-based MFA are considered weak forms of MFA simply because SMS messages can be intercepted and email accounts can be compromised, giving threat actors access to MFA codes.
  9. Brute forcing MFA codes – If MFA is not set to lock out after multiple failed attempts, the threat actor can simply brute-force the code.
  10. Token Theft – Threat actors can steal session tokens or cookies from a compromised device to bypass MFA.
  11. Software Bugs and Vulnerabilities – Vulnerabilities in the MFA implementation or the application itself can be exploited by the threat actor to bypass MFA.
  12. Compromised MFA Providers – If the MFA provider itself is compromised (although this is extremely rare), threat actors can gain access to MFA codes and authentication data.


Mitigation Strategies

Here are some ways, though by no means an exhaustive list, to help protect against these forms of attack:

  • Security Awareness Training for users, so they are well educated in spotting suspicious emails and code requests, especially when a request arrives at a time when the user is not attempting to access the service.
  • Where possible, use stronger MFA methods, such as app-based authenticators, biometric factors or hardware tokens, over SMS- or email-based MFA. Although some services only support the latter methods.
  • Conditional access policies to restrict how users can log in to applications such as Office 365, including by the location of sign-in attempts, session time limits, etc.
  • Only allow logins from trusted devices, which goes hand in hand with the above.
  • As always, ensure systems and MFA solutions are kept updated to protect against vulnerabilities.
  • Deploy endpoint protection, network monitoring and threat intelligence to monitor for unusual activity and patterns in MFA requests and to bolster overall security.
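As an added illustration (not part of the original article) of the monitoring and lockout controls above, this Python sketch runs two checks over a constructed MFA event log: it flags a user who receives a burst of push prompts in a short window (the pattern behind MFA bombing, item 7) and identifies users whose failed one-time-code submissions exceed a threshold (the lockout that defeats brute forcing, item 9). The log layout, thresholds and sample entries are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA log: (timestamp, user, event, result).
# "push" = an approval prompt was sent to the user's device; "code" = a one-time code was submitted.
SAMPLE_EVENTS = [
    ("2025-05-21T08:00:00", "alice", "push", "denied"),
    ("2025-05-21T08:00:20", "alice", "push", "denied"),
    ("2025-05-21T08:00:45", "alice", "push", "denied"),
    ("2025-05-21T08:01:10", "alice", "push", "approved"),   # worn down after repeated prompts
    ("2025-05-21T09:00:00", "bob", "code", "failed"),
    ("2025-05-21T09:00:05", "bob", "code", "failed"),
    ("2025-05-21T09:00:10", "bob", "code", "failed"),
    ("2025-05-21T09:00:15", "bob", "code", "failed"),
    ("2025-05-21T09:00:20", "bob", "code", "failed"),
    ("2025-05-21T10:00:00", "carol", "push", "approved"),   # a normal single approval
    ("2025-05-21T10:30:00", "carol", "code", "failed"),     # one mistyped code, not an attack
]

WINDOW = timedelta(minutes=5)   # sliding window used by both checks (assumed value)
PUSH_THRESHOLD = 3              # prompts within WINDOW that count as MFA bombing
FAIL_THRESHOLD = 5              # failed codes within WINDOW that trigger a lockout

def _bursts(events, event, results, threshold):
    """Return {user: peak count} for users with >= threshold matching events inside WINDOW."""
    per_user = defaultdict(list)
    for ts, user, ev, result in events:
        if ev == event and result in results:
            per_user[user].append(datetime.fromisoformat(ts))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > WINDOW:   # drop events that fell out of the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(count, flagged.get(user, 0))
    return flagged

def detect_mfa_bombing(events):
    """Users who received a burst of push prompts, whatever the outcome, within WINDOW."""
    return _bursts(events, "push", {"denied", "approved", "expired"}, PUSH_THRESHOLD)

def users_to_lock(events):
    """Users whose failed one-time-code submissions reached FAIL_THRESHOLD within WINDOW."""
    return _bursts(events, "code", {"failed"}, FAIL_THRESHOLD)

if __name__ == "__main__":
    print("MFA bombing:", detect_mfa_bombing(SAMPLE_EVENTS))  # {'alice': 4}
    print("Lock out:", users_to_lock(SAMPLE_EVENTS))           # {'bob': 5}
```

An approval that arrives after a run of denials, as in alice's entries, is the higher-severity case and is worth a dedicated alert in a real deployment.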


To summarise

Whilst MFA is one of the best and most effective ways to enhance your security posture, understanding the ways it can be compromised and implementing further layers of defence both help to reduce the impact of these types of attack.
