This is the second blog in a two-part series about Multi-Factor Authentication (MFA) security. In the first blog, we defined MFA and outlined various methods attackers use to bypass MFA. This blog will focus on why adversary-in-the-middle techniques are growing and give organizations actionable ways to prevent MFA bypass.

Why adversary-in-the-middle techniques are growing

As organizations implement MFA universally, attackers are forced to develop methods that exploit implementation gaps or human behavior rather than cracking authentication protocols directly.

With the shift to remote working, this expanded the attack surfaces as organizations rushed to implement remote working solutions, thus CAP exemptions and reliance on cloud services became an easy solution.

Therefore, adversary-in-the-middle attacks have become increasingly popular due to the widespread adoption of MFA, shift to less robust CAPs due to the speedy shift to remote working, and the availability of accessible, open-source tools like Modlishka and Evilginx.

So, while MFA has become more popular, strengthening security postures, the attack surface has increased as well as tool availability, lowering the barrier for less sophisticated attackers to launch advanced attacks. 

What businesses can do to prevent MFA bypass

To mitigate the risks of MFA bypass, organizations need to take a multi-pronged approach that combines technology, processes, and people. A robust policy enforcement, advanced authentication methods, and proactive monitoring.

Strengthen conditional access policies

• Supplement IP or geo-whitelisting with enforcement of granular CAPs tailored to specific job roles and risk levels.
• Monitor login patterns for anomalies and suspicious behaviors and ensure high fidelity logs.
• Ensure CAPs account for the diversity of user environments, particularly in remote work or third party contractor scenarios.
• For most devices in the Microsoft ecosystem, Azure device compliance and AD joined can be a forced requirement in CAPs, preventing AiTM.
• Restrict web browsing based on user environments, and prevent access to potentially harmful or unknown sites. A good baseline is to restrict based on categorization with newly and unknown categories also restricted. 

Advance MFA solutions

• Adopt phishing-resistant MFA methods, such as Certificate based authentication or hardware tokens compliant with FIDO2 standards. 
• Move away from SMS based MFA.
• Use short-lived session tokens to minimise their utility if stolen.
• Regularly review and audit MFA implementations to address potential gaps.
• Test each solution thoroughly through mail control or phishing assessments.

Enhance privilege management

• Implement least privilege access to minimize the impact of compromised accounts.
• Separate MFA systems for internal and external applications to avoid single points of failure.
• Like the above, compartmentalizing accounts is sensible. Having all accounts tied to your phone may not be the best idea.
• Regularly review and disable dormant or underused accounts to limit attack vectors.

Monitor and respond

• Actively monitor authenticated sessions, investigate and isolate those exhibiting suspicious behaviours.
• Actively audit and monitor third-party connections, contractors and vendors.
• Invest in insider threat detection programs to identify and mitigate risks from compromised or malicious users.
• Continuously educate users about evolving MFA threats, including adversary-in-the-middle and social engineering tactics.
• Encourage users to report unidentified MFA prompts, even if they have accepted them.
• Build, run and test detections and playbooks against MFA bypasses.
• Ensure session tokens can be revoked for all applications if further used in SSO.

There are many more things organizations can do that range from strengthening device and endpoint security, to enhancing threat hunting and incident response. MFA providers are moving towards innovative authentication methods and leveraging behavioral risk-based analysis but organizations must also work towards proactive strategies. Adopting a zero-trust approach as well as encouraging partnership with the hacker community through vulnerability disclosure programs can help pave the way to dealing with this very broad and increasingly complex topic.