Most enterprises now have some form of multi factor authentication (MFA) to better protect employee accounts. However, not all MFA are created equal. While some forms of MFA are incredibly strong (Authenticator Apps and hard tokens), others (SMS, phone calls, and emails) still provide plenty of opportunities for account takeovers. Our own data reveals that 15% of authentications still rely on SMS as a factor.
On a positive note, next month Microsoft will introduce mandatory use of MFA “number matching”. For those using Azure AD MFA with the Microsoft Authenticator mobile app for your 2nd factor, it will start requiring a 2 digit 'number match' to authenticate your user account when you first login.
This move, which is largely a response to an increase in MFA fatigue attacks, should be lauded. Strong factors have existed for many years but they have, so far, not had a widespread adoption.
Every week, Oort observes millions of login attempts with various weak types of second factors. In this blog, I wanted to show some of this data and explain just how big this problem is.
How strong are the second factors we use today?
We know that not all MFA is created equal, and there are plenty of different types of second factors to choose from. NIST’s guidance on MFA recommends having two or more of:
1. Something the user knows
2. Something the user has
3. Something the user is
How many have no MFA
Based on Oort data since the beginning of 2023, on average, US-based organizations with 1,000 or more employees have 24.51% of accounts that have no MFA enabled. This may seem high, but this can include test accounts, service accounts. Nevertheless, a good chunk of these provide motivation for attackers to keep trying. I’ll get onto the compliance implications of accounts that lack any sort of MFA in a later section.
How many users have only weak MFA enabled?
On average, 13.22% of users do not have any strong form of MFA enabled. The majority of these rely on SMS-based authentication. SMS is considered weaker than other forms of authentication as an attacker can intercept the codes sent to the end user, which are sent in clear-text.
While all employees should ideally have stronger forms enabled, focus should be on those with administrative privileges in critical services like Okta and Workday, and providing them with physical authentication solutions like Yubikey.
How many users use weak factors with authenticating?
At this point, it’s worth remembering that simply because a strong form of MFA is enabled, it does not mean it is used. The majority of workers will have multiple factors enabled but, for whatever reason, will instead use a weaker form.
Taking a sample of approximately 3 million logins, we learn that 15% of logins leverage SMS-based authentication. There were even a handful of bypass codes used (some of which were used multiple times!). As we will see, this presents plenty of opportunities to attackers.
How attackers bypass weak MFA controls
So why should we care? The easiest way into an organization is through the front door, and attackers are confronted with username, password, and second factor. Given the ubiquity of breached usernames and passwords, you can imagine how tempting it is for attackers to attempt to bypass MFA controls.
Weak forms of MFA–especially SMS–are key to this. This happens all too frequently, especially with some of the least sophisticated attacks (the table below shows different approaches to MFA bypass, from low to high sophistication.) In fact, Auth0’s 2022 State of Secure Identity Report showed the scale of MFA attacks: on average, they saw 1.24M MFA bypass attacks every day. Most MFA bypass techniques, listed below, rely on a weak form of multifactor which, such as SMS.
| Technique | Description |
| MFA Fatigue and Flooding | A large number of MFA attacks rely on MFA fatigue and MFA flooding. This tactic involves sending one (or many) MFA prompts to the user, in the hope they will accept one. While this doesn’t seem very advanced, when it’s done at scale it can be surprisingly effective. |
| Social Engineering | As we increase the sophistication of MFA bypass, social engineering becomes more common. Attackers will impersonate the victim and content the IT help desk to reset their account or receive a one-time password. |
| SIM-Swapping | Through this method, the attacker contacts the victim’s mobile carrier to swap their phone number to a new SIM card in the attacker’s possession. Any six-digit SMS codes will now be sent to the attacker’s personal device, clearing the way for them to bypass MFA. |
| Attacker in the Middle | Attackers look to intercept communications between the victim and a legitimate organization via a fake login page. This login page will include inputs for credentials as well as a one-time code, which the attacker then transfers to the real login page. |
| Oktapus Style | At the most sophisticated end of the spectrum, a group known as 0ktapus targeted Twilio in order to access one-time passwords (OTPs) delivered over SMS. These passwords could be used by Okta customers as temporary authentication codes. Unfortunately, with access to Twilio, 0ktapus could see these OTPs. |
The (growing) cost on noncompliance
You’ll likely be aware of the various compliance frameworks that demand the use of MFA. These frameworks are growing and getting more teeth.
I’ll aim to dig into these in more depth in future blogs, but some of the most well-known are:
- Cybersecurity Maturity Model Certification (CMMC)
- NIST 800-63-3
- SEC Cyber Risk Management Rules
- PCI DSS
- GDPR
- Gramm-Leach-Bliley Act
In the past year, we’ve also seen a lot of momentum for regional frameworks, too. Last summer, Travelers Insurance asked a district court to rescind a cyber policy because the insured allegedly misrepresented its use of multifactor authentication (MFA).
Just last week, New York Department of Financial Services announced a $1.9 Million settlement with an insurance agency that did not have multi-factor authentication fully implemented for all users in the United States.
MFA Audits and Continuous Monitoring
Oort provides visibility into enterprises’ identity attack surface, and a major aspect of this is MFA usage. Oort’s Identity Security Platform is able to continually identify a range of weaknesses:
- Weak factors are used to login
- Accounts have no strong MFA enabled
- Accounts have no MFA
- Bypass codes in use
The platform also identifies active threats to your accounts, such as MFA flooding and session hijacking.
Whether you’re looking for an audit of your MFA posture or continuous monitoring of threats designed to bypass your MFA in place, we can help! Arrange time to chat to one of our experts today.