Bypassing Two-Factor Authentication

2022-04-01 11:12

Some forms of MFA are stronger than others, and recent events show that these weaker forms aren't much of a hurdle for some hackers to clear.

Sending a bunch of MFA requests and hoping the target finally accepts one to make the noise stop.

This method often attracts less attention, but "There is still a good chance the target will accept the MFA request." Calling the target, pretending to be part of the company, and telling the target they need to send an MFA request as part of a company process.

FIDO2 multi-factor authentication systems are not susceptible to these attacks, because they are tied to a physical computer.

Even though there are attacks against these two-factor systems, they're much more secure than not having them at all.

If nothing else, they block pretty much all automated attacks.

News URL

https://www.schneier.com/blog/archives/2022/04/bypassing-two-factor-authentication.html

#authentication #bypassing #twofactor