How Hackers Have Moved Beyond MFA
What is Multi-Factor Authentication?
Alright, let's break it down: multi-factor authentication (MFA) is like having bouncers at the door of your digital accounts, only these bouncers are extra picky. Instead of just asking for your password (which hackers have gotten pretty good at guessing), MFA wants you to prove it's really you in more than one way. So maybe it’ll ask for a password and a code sent to your phone, or a fingerprint just to be sure. Think of it as your account asking, "Are you really, really sure it’s you?" To get in, you need to provide at least two of the following:
1. Something You Know
This is the most common form of authentication: a piece of information only you should know, such as:
Passwords: Your standard "lock" for most accounts.
PINs: Short numeric codes used for quick access, like unlocking your phone.
Answers to Security Questions: e.g., "What’s your mother’s maiden name?".
Why it’s not enough: Passwords can be guessed, stolen in a data breach, or tricked out of you with phishing scams. A strong password is essential, but it shouldn’t be your only line of defense.
2. Something You Have
This is a physical or digital item you possess that confirms your identity. Common examples include:
Smartphones: MFA apps (like Google Authenticator or Duo) generate time-sensitive codes.
One-Time Passcodes (OTPs): Sent via text, email, or app notification.
Security Keys: USB or NFC devices (e.g., YubiKey) you plug in or tap to verify yourself.
Access Cards: Physical badges used to unlock doors or log in to systems.
Why it’s effective: Even if someone knows your password, they can’t access your account without this second factor. However, it’s essential to keep your physical devices secure—losing your phone or key can create a vulnerability.
3. Something You Are
This is biometric information unique to you. Examples include:
Fingerprint Scans: Like unlocking your phone with your thumb.
Facial Recognition: Used by smartphones and some computers.
Voice Recognition: Systems that authenticate based on your speech.
Iris or Retina Scans: Often used in high-security environments.
Why it’s reliable: Biometrics are hard to fake or steal. Hackers can’t "guess" your fingerprint or replicate your face (at least not easily), making this an extremely secure factor.
How Do Hackers Bypass MFA?
In a world where hackers are constantly finding new ways to steal information, MFA is essential, adding extra layers of protection and making it much harder for anyone to break in. However, as hackers have gotten smarter and more aggressive, they’ve learned tricks to bypass MFA. Some common examples include:
1. Phishing Attacks
Attackers use phishing emails, fake websites, or social engineering calls to trick users into sharing their MFA credentials or entering their one-time passcodes (OTPs).
Man-in-the-Middle (MitM) Attacks: In a more sophisticated phishing scheme, attackers set up a fake webpage that mirrors the legitimate login page. When users enter their credentials and OTP, the attackers capture and immediately use this information to log in.
2. SIM Swapping
Cybercriminals trick mobile providers into transferring a user’s phone number to a new SIM card. Once they control the number, they intercept SMS-based OTPs, allowing them to bypass SMS-based MFA and gain access.
3. Session Hijacking
Attackers exploit a vulnerability in a user's browser or network to capture an authenticated session token. This allows them to access the user’s account without needing the MFA code.
4. Malware and Keylogging
Malware or keyloggers installed on a user's device can capture credentials and OTPs. Some advanced malware can even intercept push notifications or steal session cookies, enabling attackers to bypass MFA.
5. Push Notification Bombing (MFA Fatigue)
Attackers trigger repeated push notifications to a user’s device in an attempt to overwhelm them. The user may eventually approve the request by accident or out of frustration, unwittingly granting access.
6. Technical Exploits and Vulnerabilities
Certain MFA systems have known vulnerabilities. For instance, flaws in how some MFA tokens are generated or managed could allow attackers to predict or manipulate OTPs. Exploiting these weaknesses can bypass MFA for some accounts.
7. OAuth Phishing (Token Theft)
Attackers can create fake OAuth applications that request permissions from users to access their accounts. When users grant permissions, the attackers gain access without needing MFA, as they are using legitimate OAuth tokens.
8. Social Engineering (Targeting Support Staff)
Cybercriminals may impersonate legitimate users and convince support staff to reset MFA protections or remove MFA on an account, allowing them unauthorized access.
9. Backup Codes
Many services allow users to generate backup codes as an alternative to MFA. If these codes are stolen (e.g., if stored insecurely or accessed via a breach), attackers can use them to bypass MFA.
Mitigating the Risks – Combining ITDR & EDR + MFA
If a hacker gets past MFA, the results can be devastating – they can steal sensitive data, lock you out of your own accounts, or use your accounts to attack others. That’s why adding Identity Threat Detection and Response (ITDR) and Endpoint Detection and Response (EDR) on top of MFA is becoming a must-have—ITDR & EDR act like an extra security guard, monitoring your accounts 24/7 and stopping attackers before they can do serious damage.
How ITDR Works
ITDR (Identity Threat Detection and Response) is a cutting-edge security solution focused on protecting user identities and access from cyber threats. It combines advanced monitoring, detection, and response strategies to defend your organization.
ITDR uses three key strategies to defend you:
Behavior Monitoring: ITDR learns what “normal” activity looks like for each user. If something doesn’t match up—like logging in from another country or using a new device—it raises a red flag.
Anomaly Detection: ITDR watches for patterns that suggest an outside attack—like multiple failed login attempts or unusual access times—as well as insider threats, such as suspicious activity from employees or contractors misusing their access.
Real-Time Response: When a threat is detected, ITDR doesn’t wait—it acts fast to block access, lock accounts, or alert administrators. ITDR gives your team a head start in dealing with potential breaches by both notifying them and recommending immediate actions.
What EDR Adds to ITDR
EDR (Endpoint Detection and Response) complements ITDR by focusing on protecting devices such as laptops, servers, and mobile devices. While ITDR secures user identities and access points, EDR monitors endpoints for malicious activity, detects threats like malware or ransomware, and provides tools for rapid containment and remediation.
Together, ITDR and EDR deliver a layered, comprehensive approach to cybersecurity.
In addition, ITDR proactively looks for signs of breaches—even if no alerts have been triggered yet—and identifies and gives recommendations to fix weaknesses in your system before a hacker can take advantage.
Real-World Examples
Here are a few scenarios where ITDR & EDR prove their worth:
1. Phishing Attack Defense
Scenario: An employee receives a fake email from a "trusted" source asking them to log in to a system. They accidentally enter their credentials on a fraudulent website.
How ITDR & EDR Help:
Detects that the hacker is logging in from an unfamiliar location or device.
Flags abnormal behavior, like accessing files or systems the real user doesn’t normally use.
Blocks the login attempt or triggers a secondary verification step before the hacker can gain access.
2. Credential Stuffing Attack
Scenario: A hacker uses a list of stolen usernames and passwords (from a data breach) to try logging into a company's systems.
How ITDR & EDR Help:
Identifies multiple failed login attempts across different accounts from the same IP address.
Recognizes unusual login patterns (e.g., logging in to multiple accounts in rapid succession).
Automatically locks affected accounts and alerts security teams to investigate further.
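As an added example (not part of the original article, and not any vendor's product code), here are three of the detections described above written as simple Python rules over a constructed authentication log: the push-notification bombing from the bypass list, the behaviour baseline and anomaly rules under How ITDR Works, and this credential-stuffing scenario. The log format, the thresholds and every user, IP and timestamp are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not real data); columns: timestamp user ip country device event
SAMPLE_LOG = """\
2024-05-01T09:00:05 alice 203.0.113.7 US laptop-a LOGIN_OK
2024-05-01T09:01:10 bob 198.51.100.9 US vm-b LOGIN_FAIL
2024-05-01T09:01:12 carol 198.51.100.9 US vm-b LOGIN_FAIL
2024-05-01T09:01:14 dave 198.51.100.9 US vm-b LOGIN_FAIL
2024-05-01T09:05:00 alice 192.0.2.44 RO unknown-x MFA_PUSH_SENT
2024-05-01T09:05:20 alice 192.0.2.44 RO unknown-x MFA_PUSH_SENT
2024-05-01T09:05:40 alice 192.0.2.44 RO unknown-x MFA_PUSH_SENT
2024-05-01T09:06:30 alice 192.0.2.44 RO unknown-x LOGIN_OK
"""
TS, USER, IP, COUNTRY, DEVICE, EVENT = range(6)  # tuple column indices

def parse(log):
    """Parse log lines into tuples sorted by timestamp."""
    rows = [line.split() for line in log.splitlines()]
    return sorted((datetime.fromisoformat(r[0]), *r[1:]) for r in rows)

def bursts(rows, event, key, value, threshold, window=timedelta(minutes=5)):
    """Keys (an IP, a user) seeing >= threshold distinct values of `event` inside any window; rows time-sorted."""
    by_key = defaultdict(list)
    for r in rows:
        if r[EVENT] == event:
            by_key[key(r)].append(r)
    flagged = set()
    for k, evs in by_key.items():
        for i, start in enumerate(evs):
            vals = {value(r) for r in evs[i:] if r[TS] - start[TS] <= window}
            if len(vals) >= threshold:
                flagged.add(k)
    return flagged

def credential_stuffing(rows, min_users=3):
    """Credential stuffing: one IP failing logins against many different accounts."""
    return bursts(rows, "LOGIN_FAIL", lambda r: r[IP], lambda r: r[USER], min_users)

def mfa_fatigue(rows, min_pushes=3):
    """Push bombing: many MFA prompts sent to the same user in a short time."""
    return bursts(rows, "MFA_PUSH_SENT", lambda r: r[USER], lambda r: r[TS], min_pushes)

def new_location_logins(rows):
    """Behaviour baseline: flag a successful login from a country/device pair the user never succeeded from before."""
    seen, flagged = defaultdict(set), []
    for r in rows:
        if r[EVENT] != "LOGIN_OK":
            continue
        if seen[r[USER]] and (r[COUNTRY], r[DEVICE]) not in seen[r[USER]]:
            flagged.append((r[USER], r[COUNTRY], r[DEVICE]))
        seen[r[USER]].add((r[COUNTRY], r[DEVICE]))
    return flagged
```

Running the three rules over `parse(SAMPLE_LOG)` flags the stuffing IP, alice as a push-bombing target, and her later login from a never-seen country and device.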
3. Insider Threat Detection
Scenario: A disgruntled employee with admin privileges starts accessing sensitive files they don’t usually work with and attempts to download large volumes of data before resigning.
How ITDR & EDR Help:
Monitors privileged accounts for unusual behavior, such as downloading an unusual volume of files or accessing restricted areas.
Assigns a high "risk score" to the activity, triggering an automatic response like locking the account or requiring re-authentication.
Alerts the security team to take immediate action.
4. Stopping Lateral Movement in a Breach
Scenario: A hacker gains access to one user’s credentials and uses them to explore other parts of the network, aiming to reach more sensitive systems or data.
How ITDR & EDR Help:
Detects unusual login attempts or access to systems the original account wouldn’t normally use.
Identifies patterns of lateral movement, such as attempting to escalate privileges or probe internal networks.
Blocks suspicious actions and isolates the compromised account to contain the breach.
5. Protecting Against Ransomware Deployment
Scenario: A hacker uses stolen credentials to log in to a system and tries to execute malicious code to encrypt company data.
How ITDR & EDR Help:
Spots anomalous behavior, such as running unusual scripts, changing file permissions, or accessing systems rarely used by the account.
Detects repeated attempts to access sensitive directories or systems tied to backups.
Automatically shuts down access, stops the execution of the ransomware, and alerts the team for immediate intervention.
While ITDR & EDR are the primary defense against hackers, here are some additional best practices to protect your business:
Passwordless Systems
Passwordless systems enhance security by eliminating the reliance on traditional passwords, which are often targeted by hackers through methods like phishing, brute force attacks, or credential stuffing.
How They Work: These systems use two-factor authentication (2FA) tied to something you have, such as a physical token, something you are, such as biometric data, or something you know, like a unique passkey.
Example - Windows Hello:
Offers multiple authentication methods, such as facial recognition, fingerprint scanning, or device-specific PINs.
Keeps authentication local by creating a unique relationship between your device and your credentials, ensuring that sensitive data isn't shared externally.
Can integrate with online platforms, reducing the need for password entry across applications and services.
By implementing passwordless systems, businesses can minimize the risk of credential theft while providing employees with a faster, more user-friendly login experience.
Hardware-Based Authentication Tools
Physical authentication devices add an extra layer of protection by requiring a tangible component to access secure systems or data.
How They Work: Typically, a USB key or dongle is plugged into a computer, and users must interact with the device—such as pressing a button or tapping the device—to complete the authentication process.
Benefits:
Resistant to phishing and scraping attacks since credentials are not entered via a keyboard.
Impossible to compromise remotely, as the attacker must have the physical token to gain access.
Devices often comply with FIDO2 standards, ensuring strong encryption and broad compatibility.
This method is particularly effective for securing sensitive data or systems accessed by employees handling critical business functions.
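To show why a FIDO2 key resists the relay-style phishing described under Man-in-the-Middle attacks while a one-time passcode does not, here is an added example in Python (not code from the article or from any FIDO2 vendor): a TOTP code verifies no matter where the user typed it, whereas a simplified WebAuthn-style assertion is signed over the origin the browser saw, so one produced on a look-alike site fails the real site's check. HMAC with a per-credential secret stands in for the authenticator's public-key signature, and the origins, secrets and challenge are constructed values.

```python
import hashlib, hmac, json

def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the shared secret
    and the time, never on which website the user types it into."""
    counter = (timestamp // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_totp(secret, submitted, timestamp):
    return hmac.compare_digest(totp(secret, timestamp), submitted)

def _signed_bytes(rp_id, client_data):
    return hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()

def authenticator_assert(cred_secret, rp_id, origin, challenge):
    """WebAuthn-style assertion: the browser (not the page) reports the origin it
    is talking to, and the authenticator signs over it (HMAC stands in for the key)."""
    client_data = json.dumps({"origin": origin, "challenge": challenge}).encode()
    return client_data, hmac.new(cred_secret, _signed_bytes(rp_id, client_data), hashlib.sha256).digest()

def verify_assertion(cred_secret, rp_id, expected_origin, challenge, client_data, sig):
    """The relying party accepts only assertions made for its own origin and challenge."""
    data = json.loads(client_data)
    if data.get("origin") != expected_origin or data.get("challenge") != challenge:
        return False
    expected = hmac.new(cred_secret, _signed_bytes(rp_id, client_data), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def demo():
    """Returns (otp_relay_accepted, genuine_assertion_accepted, relayed_assertion_accepted)."""
    now, otp_secret = 1_700_000_000, b"constructed-otp-secret"
    # A look-alike page that forwards the code within the 30 s step is accepted:
    # nothing in the code says where the user entered it.
    otp_relay = verify_totp(otp_secret, totp(otp_secret, now), now)
    cred_secret, challenge = b"constructed-credential-secret", "c0ffee"
    real, fake = "https://example.com", "https://examp1e.com"
    cd, sig = authenticator_assert(cred_secret, "example.com", real, challenge)
    genuine = verify_assertion(cred_secret, "example.com", real, challenge, cd, sig)
    # On the look-alike page the browser reports the look-alike origin (a real
    # browser would refuse outright because the RP ID does not match it), so
    # forwarding that assertion to the real site fails the origin check.
    cd, sig = authenticator_assert(cred_secret, "example.com", fake, challenge)
    relayed = verify_assertion(cred_secret, "example.com", real, challenge, cd, sig)
    return otp_relay, genuine, relayed
```

`demo()` returns `(True, True, False)`: the relayed OTP passes, the genuine assertion passes, and the assertion relayed from the look-alike origin is rejected.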
Employee Phishing Training
Employees are often the first line of defense in protecting against cyberattacks, making phishing awareness training essential.
Focus Areas for Training:
Recognizing Phishing Attempts: Teach employees how to identify suspicious emails, including checking for red flags like mismatched sender addresses, typos, or urgent requests.
Avoiding Suspicious Links: Train staff to avoid clicking links or downloading attachments from unknown sources.
Reporting Protocols: Establish clear procedures for employees to report potential phishing attempts to IT or security teams.
Implementation Strategies:
Conduct regular simulations to test employee responses to mock phishing emails.
Use interactive training platforms to engage employees and reinforce best practices.
Provide ongoing education as phishing tactics evolve.
Effective phishing training reduces the likelihood of successful attacks and fosters a culture of vigilance, helping employees become active participants in safeguarding the organization.
As hackers get smarter, businesses need smarter tools. ITDR doesn’t just react—it predicts and prevents. It’s part of a larger shift toward proactive cybersecurity, where the goal is to stay one step ahead of attackers. By using ITDR alongside tools like strong MFA, companies can better protect their employees, customers, and data from evolving threats.