In this two part blog series, we’ll cover the definition of Multi-Factor Authentication (MFA), give details on various methods attackers use to bypass MFA, explain why adversary-in-the-middle techniques are growing, and give organizations actionable ways to prevent MFA bypass.

What is MFA?

MFA is an essential component of modern cybersecurity, designed to provide an additional layer of protection beyond traditional password-based systems. MFA typically combines two or more of the following authentication factors:

  • Something you know, such as a password or PIN.
  • Something you have, like a hardware token or one-time passcode (OTP).
  • Something you are, including biometrics such as fingerprints or facial recognition.

While MFA reduces the likelihood of unauthorized access, it is not foolproof. Attackers continue to develop sophisticated methods to bypass MFA, exploiting gaps in its implementation and leveraging human error or technical vulnerabilities.

How attackers bypass MFA

In this section, we’ll focus on five approaches attackers take to bypass MFA—conditional access policy, machine-based attacks, phishing and social engineering, phone-based attacks, and insider threats. We’ll look at some of the most common and effective techniques under each of these five approaches.

Conditional access policy (CAP) bypasses

These types of attacks can be performed from the internet. Here are some types to look out for:

IP address whitelisting

Organizations often whitelist specific IP addresses or ranges for trusted locations, inadvertently opening vectors for attackers who compromise endpoints, use legitimate VPN services or compromise physical locations. This can be exploited if the conditional access policies allow MFA bypass for a specific IP address or range.

Zero trust services such as Zscaler Private Access often allow any user on that service, including threat actors, to bypass MFA if the organization’s conditional access policy has been configured without this in mind and has not been locked down to the organization’s own instance of the service.

Geo-whitelisting

Some CAPs exempt users from MFA if they access from trusted regions. This can be trivially bypassed using VPNs or location spoofing to appear in that specific trusted geographic location or by operating physically within the whitelisted area.

User-agent whitelisting

MFA exemptions for specific user agents (e.g., mobile apps or outdated browsers) allow attackers to set these user agents using browser extensions or custom scripts to bypass MFA.

Cloud tooling bypasses

Attackers exploit cloud environments by finding services and identifying misconfigurations that allow access without enforcing MFA. Tools like Roadrecon or BloodHound can map Azure AD environments, enabling attackers to escalate privileges. In some cases, compromised credentials from AWS or Azure CLI can also be reused to access other cloud resources, bypassing MFA entirely. Attackers may even use tools like AADInternals to disable MFA for specific users once access is gained.

Non-MFA hosts

Legacy protocols, systems and misconfigured services often lack MFA enforcement, providing attackers with easy access to environments with just a username and password that could be guessed, found, stolen, or sprayed.

Some sites, such as password reset portals, may contain web application vulnerabilities that allow attackers to reset, remove or bypass MFA on accounts. If a perimeter device has been compromised, an attacker may be able to intercept authentication or modify the authentication process so that MFA is no longer required, as seen with SLOWPULSE.

Some web services also have trust relationships in which a session token obtained by authenticating without MFA can then be used to access another resource that does require MFA. This is sometimes seen with Microsoft Teams, where a Teams session can go on to access SharePoint and other services behind MFA despite CAPs.

Linux servers also often lack MFA, and finding API keys, secrets or SSH keys could result in direct access into a client environment, bypassing MFA.

Machine-based attacks

These attacks require physical or remote access to a laptop or other endpoint device. Here are some types to look out for:

Session token theft

If a user has already authenticated, that authentication will have generated a session token. These tokens are often portable: they can be transferred to another machine and used to provide a valid session. Because the authentication happened on the legitimate device, a stolen token still looks valid, as no further validity checks are performed when it is presented. Attackers extract session tokens from memory using tools like Cobalt Strike BOFs, effectively bypassing MFA.

Exploiting or stealing OTPs and seed QR codes

Keylogging OTPs or socially engineering a person to disclose their OTP can directly lead to a valid session. Finding screenshots of the seed QR code can allow attackers to generate valid authentication codes ad hoc.
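To make concrete why a screenshot of the seed QR code is as good as the token itself, here is an added example (not from the original post) assuming time-based OTP (TOTP), the scheme behind most authenticator-app QR codes: RFC 6238 code generation alongside a verifier that refuses to accept the same code twice, which blunts replay of a keylogged OTP. The seed is the RFC 6238 Appendix B test secret; the ±1-step window and the replay cache are this example's assumptions.

```python
# RFC 6238 TOTP with one-time-use enforcement on the verifier side. Added example, not
# from the post; the seed is the RFC 6238 test secret, and the ±1-step skew window and
# the in-memory replay cache are this example's own assumptions.
import hmac
import struct
from hashlib import sha1

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP: HMAC-SHA1 over the time counter, dynamically truncated (RFC 4226)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Accepts a code for the current step or its neighbours (clock skew), but never the
    same (user, step) twice, so a keylogged or phished OTP cannot be replayed later."""
    def __init__(self, step: int = 30, skew_steps: int = 1):
        self.step, self.skew = step, skew_steps
        self.used = set()   # (user, step) pairs already consumed

    def verify(self, user: str, seed: bytes, code: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        for s in range(now_step - self.skew, now_step + self.skew + 1):
            if (user, s) in self.used:
                continue                      # already consumed: reject the replay
            if hmac.compare_digest(totp(seed, s * self.step, self.step), code):
                self.used.add((user, s))
                return True
        return False

# Whoever holds the seed can compute every code the verifier will ever accept, which is
# why the enrolment QR code must be treated as a long-lived secret, not a one-time image.
SEED = b"12345678901234567890"     # RFC 6238 Appendix B test secret
```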

Compromising biometrics, TPMs, and passwordless authentication

If an endpoint is compromised, attackers can proxy authentication requests through the device.

Okta Terrify, a tool released during the BSides Cymru 2024 conference, demonstrated how passwordless solutions like Okta Verify’s FastPass or FIDO2/WebAuthn can be abused once an endpoint is compromised. Passwordless systems rely on public/private key pairs generated during enrollment to authenticate users. Access to the endpoint could allow an attacker to extract the encrypted database, retrieve the key material and then generate fake biometric keys or misuse existing keys.

Stolen device

Leaving workstations unlocked or having mobile devices or hardware tokens stolen can also lead to MFA being bypassed, with the risk compounded when those devices have weak passwords or lack full disk encryption (and sometimes even when they have it).

Phishing and social engineering

Phishing remains a potent tool for attackers to bypass MFA, often leveraging the human element to get around organizational security. For instance, attackers may coerce employees into downloading remote access tools under the guise of legitimate software or technical support, as shown above; once installed, these tools grant attackers control over trusted endpoints, effectively bypassing perimeter MFA protections.

Additionally, attackers have targeted users on social media platforms like WhatsApp with social engineering campaigns. By sending messages claiming a code was sent accidentally, they trick victims into sharing authentication codes, allowing the attacker to hijack accounts.

Here are some types of phishing and social engineering to look out for:

Adversary-in-the-middle

Attackers use tools like Evilginx to intercept credentials and session tokens by acting as intermediaries between users and legitimate services. These attacks bypass MFA by capturing authenticated sessions that can be replayed in an attacker’s browser. Because the authentication happens off the trusted device, these sessions can often be identified as impossible travel if good detections are in place.

We’ll look more into this type of attack in part two of this blog series.
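The impossible-travel check mentioned above, as an added example that is not part of the original post: it computes the speed implied by consecutive sign-ins of the same user and flags anything faster than a flight. The sign-in records, the IP addresses (RFC 5737 documentation ranges), the coordinates (a London office and a proxy geolocated in Singapore) and the 900 km/h threshold are constructed assumptions.

```python
# Impossible-travel detection over sign-in events. Added example, not from the post; the
# event format, IP addresses, coordinates and the 900 km/h threshold are constructed.
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def find_impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """Return (user, earlier_ip, later_ip, speed_kmh) for each pair of consecutive sign-ins
    by one user whose implied speed exceeds max_kmh. Pairs closer than min_km are ignored
    so that address churn inside one city does not alert."""
    by_user = {}
    for event in sorted(events, key=lambda x: x["ts"]):
        by_user.setdefault(event["user"], []).append(event)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue
            # clamp to one second so simultaneous sign-ins give a huge, finite speed
            hours = max((cur["ts"] - prev["ts"]).total_seconds(), 1.0) / 3600
            speed = km / hours
            if speed > max_kmh:
                alerts.append((user, prev["ip"], cur["ip"], round(speed)))
    return alerts

def ev(ts, user, ip, lat, lon):
    """Build one constructed sign-in record from a UTC timestamp and a geolocated source IP."""
    return {"ts": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
            "user": user, "ip": ip, "lat": lat, "lon": lon}

# Constructed sample: alice signs in twice from the London office, then 20 minutes later her
# session is replayed through a proxy in Singapore; bob travels London -> Manchester in 3 h.
SAMPLE_EVENTS = [
    ev("2024-03-04T08:55:00", "alice", "198.51.100.5", 51.5074, -0.1278),
    ev("2024-03-04T09:00:00", "alice", "198.51.100.9", 51.5074, -0.1278),
    ev("2024-03-04T09:20:00", "alice", "203.0.113.10", 1.3521, 103.8198),
    ev("2024-03-04T09:00:00", "bob", "198.51.100.5", 51.5074, -0.1278),
    ev("2024-03-04T12:00:00", "bob", "203.0.113.77", 53.4808, -2.2426),
]
```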

Bring your own browser

Like adversary-in-the-middle with Evilginx, other malicious proxy tooling exists whereby targets unknowingly log in to a browser running on an attacker’s machine. This directly provides the attacker with an authenticated session and credentials. Other attacks, such as Browser in the Browser, are used in similar ways.

Device code phishing

Device code phishing in Azure leverages the legitimate Microsoft device authentication process to trick users into authorizing a malicious application. Attackers provide a user with a legitimate Azure device login URL and a code. Once the victim enters the code and authenticates, the attacker’s rogue application is granted access to the user’s account or services without requiring further interaction. This method bypasses traditional MFA defences by exploiting trust in the Azure authentication workflow.

MFA fatigue (prompt bombing)

Bombarding users with repeated MFA requests, if they are using prompt-based MFA, exploits frustration or inattentiveness, tricking the target into granting access.
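A simple detection for prompt bombing, added here and not part of the original post: it counts unapproved push prompts per user in a sliding window and raises a second alert if an approval follows the burst, which is the moment the fatigue attack succeeds. The log format, user names and thresholds are constructed assumptions.

```python
# MFA fatigue (prompt bombing) detection over push-MFA prompt events. Added example, not
# from the post; the log format, users and thresholds are constructed assumptions.
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log: "<UTC timestamp> <user> <prompt result>", in chronological order.
SAMPLE_LOG = """\
2024-03-04T02:10:05Z carol DENIED
2024-03-04T02:10:40Z carol DENIED
2024-03-04T02:11:15Z carol TIMEOUT
2024-03-04T02:11:50Z carol DENIED
2024-03-04T02:12:25Z carol DENIED
2024-03-04T02:13:00Z carol DENIED
2024-03-04T02:14:10Z carol APPROVED
2024-03-04T08:00:00Z dave DENIED
2024-03-04T08:00:30Z dave APPROVED
""".splitlines()

def parse(line):
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result

def detect_prompt_bombing(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert once when a user accumulates >= threshold unapproved prompts inside `window`,
    and again if an approval then arrives while that burst is still inside the window.
    Lines are assumed to be in chronological order."""
    recent = {}      # user -> timestamps of unapproved prompts still inside the window
    bombed = set()   # users currently in an alerted burst
    alerts = []
    for line in lines:
        ts, user, result = parse(line)
        q = recent.setdefault(user, deque())
        while q and ts - q[0] > window:
            q.popleft()
        if not q:
            bombed.discard(user)          # burst has aged out; re-arm the alert
        if result in ("DENIED", "TIMEOUT"):
            q.append(ts)
            if len(q) >= threshold and user not in bombed:
                bombed.add(user)
                alerts.append((user, "prompt_bombing", ts))
        elif result == "APPROVED" and user in bombed:
            alerts.append((user, "approval_after_bombing", ts))
    return alerts
```

A single denial followed by an approval (dave) is normal mis-tap behaviour and stays silent; only carol's burst and the approval that follows it alert.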

MFA timing attacks

If the password is known, attackers can time MFA prompts using reconnaissance of working hours or of what a user is likely to be accessing, so that the prompt arrives when the user expects one. This is a minimal-effort attack with a relatively high success rate. Combined with a VPN or infrastructure co-located with the target, it can be extremely effective.

Targeting support and contractors

Vishing and smishing can be effective alongside intelligence-led pretexts to lead people into disclosing MFA codes or visiting sites that allow interception of session tokens or credentials.

Impersonating internal staff or contractors, attackers can manipulate helpdesks or support teams into disabling MFA or resetting credentials.

Contractor accounts are sometimes used infrequently, or are used by third-party staff who may not receive ongoing security training or awareness. MFA fatigue attacks may lead them to approve MFA prompts unknowingly, and the same applies to social engineering attacks. As they are external to the organization, their route to report an incident may be more convoluted, giving the attacker more time.

QR phishing

Sending a QR code in a phish or SMS, or getting someone to scan one, works in the same way as sending them to a URL; it is simply easier to interact with than typing in a full URL, so the attack surface is the same as for a normal website. It can lead to browser exploitation and to social engineering attempts for credential capture, session capture or download of malicious code. Additionally, a QR code can force network authentication, leading a victim onto a malicious network even though they still reach the website they intended to scan.

Services such as WhatsApp, Signal and Discord allow a user to initiate an authenticated session by scanning a QR code from a device that is already authenticated. This means that if this code is captured in any way, it can be used to authenticate a session while bypassing MFA.

Phone-based attacks

Phone-based authentication methods, especially SMS-based MFA, played a pivotal role in the widespread adoption of MFA due to their ease of implementation and user familiarity. Phones still play a significant role, with Google and Microsoft Authenticator seeing common usage, and most MFA providers require an app to be used. SMS and application-based MFA both come with their own risks, some of which have already been discussed above. Here are some phone-based attacks to look out for:

SIM swapping

If SMS verification is used, requesting the PAC code for someone’s SIM can lead to control over that phone number, as it will be ported to a different SIM. This allows an attacker to take control of the number and receive MFA SMS messages. This is becoming less of a threat, however, as we move towards non-SMS-based MFA.

SS7 attacks, GSM, and mobile network attacks

Nation states and advanced threat actors may have the ability to intercept or send codes if they control the network infrastructure. In the US there is currently concern around Chinese compromise of telecommunication providers; if SMS is being used for MFA, those codes could be accessed. Similar capabilities can be achieved using IMSI catchers, rogue base stations and other advanced tooling. This is becoming less of a threat, however, as we move towards non-SMS-based MFA.

Authenticator applications

Some authenticator applications, like Google Authenticator, allow a user to back up their codes to the cloud, tying their OTPs to their Google Account. This poses a risk: if that account is compromised, so are their MFA codes. Other attacks, such as compromise of rogue or unprotected phone backups, can also lead to code access.

Insider threats

For an organization, insider threats are very challenging to detect and mitigate. Insiders will often leverage legitimate access to bypass MFA protections, either accidentally or deliberately. In addition, overburdening employees with surveillance or too many controls can lead to security fatigue, which in turn increases insider risk. Although this seems counterintuitive, the path of least resistance is the likeliest route, and if that path includes bypassing a security control, some insiders will take it. Here are some types to look out for:

Disabling MFA

Insiders with administrative privileges can disable MFA for specific accounts, enabling attackers to gain access. Some privileged users may also have only one account, meaning that if it is compromised externally, their internal privileges may be gained. Some non-executive directors and other executive staff also request not to have MFA on their account, which attackers can directly target.

Exploiting dormant, new, service, or default accounts

Some user accounts may not have MFA enabled at all, or not yet. If the password of such an account is known, as with a new user or a default build password, the account can be hijacked and MFA set up by the attacker, giving them access.

Some service accounts or default accounts don’t have MFA enabled; if they are allowed to authenticate on an external portal, this can lead to internal access. Default or dormant accounts also often lack MFA protections and are prime targets for attackers seeking easy entry points.


Stay tuned for part 2, where we’ll share information about how to prevent MFA bypass.