In 2020, cybercrime cost the world over $1 trillion, 37% of organizations were affected by ransomware attacks, and 61% were affected by malware attacks. These facts show that organizations have to deal with many serious cybercrimes. To protect their networks, systems and data, they need robust cybersecurity controls and methods like Multi-Factor Authentication (MFA).
But what types of cyberattacks does MFA protect against?
Traditional single-factor authentication requires only one verification factor, the password, to access a system or application. Once an attacker obtains that password, whether by phishing, malware or a leaked password database, nothing else stands between them and the enterprise system.
MFA systems require two or more factors to verify a user’s identity before granting access to an account. Because the factors are of different kinds (something the user knows, has or is), compromising one does not compromise the others, which gives much stronger assurance that the person logging in is the authorized user and makes unauthorized access far less likely. For these reasons, MFA is much more effective at protecting systems than a password alone.
To understand how MFA protects against cyberattacks, let’s first review how these cyberattacks work:
In 2020, 75% of organizations worldwide experienced a phishing attack. Phishing was also the most common attack seen in data breaches.
In a phishing attack, email is used as a weapon. The cybercriminal pretends to be someone the intended victim would normally trust such as a government organization or bank. The attacker then creates a fake email with a malicious attachment or link that looks like it came from the trusted organization.
The purpose is to fool the victim into taking some action that benefits the attacker. For example, the email may ask the victim to log in through the provided link, which leads to a look-alike site, and confirm a transaction. The attacker captures the credentials typed there, logs into the real website as the user, and steals the user’s money.
In Spear Phishing, the attacker targets specific individuals or organizations with well-crafted, believable and relevant messages. They often use personalized content, such as the user’s name, or refer to a recent user action (e.g. online purchase) or event (e.g. wedding) to make the message more believable.
Like phishing, spear phishing emails also include a compelling call to action, usually to trick users into providing sensitive data, e.g. their account credentials or financial information.
Whaling is a type of focused spear phishing that targets a senior or high-profile victim, such as a C-suite leader. Such individuals tend to be more cyber-aware, so “normal” phishing tactics usually don’t work on them. As a result, adversaries use more sophisticated methods and tailored fraudulent messages that are personally addressed to the victim. The attackers use urgency to compel the victim to take some action, such as open an attachment that installs malware, or trigger a wire transfer.
A keylogger is a type of monitoring program or spyware. Cybercriminals install keyloggers on a victim’s device, typically by delivering them as malware. The program captures every keystroke the victim makes and records their usernames, passwords, answers to security questions, banking and credit card details, sites visited, and more. Cybercriminals then use this sensitive information for malicious purposes.
Brute Force, Dictionary and Credential Stuffing Attacks
In a Brute Force attack, the cybercriminal uses a program to generate and try many possible username/password combinations, hoping that at least one will grant access to an enterprise system. Brute force attacks are very common, and a successful one lets the attacker:
Place spam ads on websites to make money when the ad is clicked or viewed
Infect a site’s visitors with activity-tracking spyware, steal their data, and sell it to marketers (or on the dark web)
Hack into user accounts to steal personal data, financial data, or money
Spread malware or hijack enterprise systems to disrupt operations
In a reverse brute-force attack (also called password spraying), the attacker takes a handful of very common passwords, e.g. “password” or “123456”, and tries each one against a long list of usernames. Because each account receives only a few guesses, per-account lockout thresholds are rarely triggered, and the attacker needs just one user with a weak password to get in.
Dictionary attacks are a common type of brute force attack, where the attacker works through a dictionary of possible passwords and tries them all to gain access.
A credential stuffing attack is a type of brute force attack that exploits password reuse. Many people use the same username and/or password on multiple accounts. Attackers take advantage of this by obtaining credentials from one organization, through a data breach or by buying them on the dark web, and trying them against user accounts at many other organizations. They hope that at least some of the reused credentials will enable them to:
Sell access to compromised accounts
Steal sensitive enterprise information, e.g. business secrets, Personally Identifiable Information (PII), financial information, intellectual property, etc.
Spy on the enterprise (corporate espionage)
In a man-in-the-middle (MITM) attack, the attacker places themselves on the path between a user and the other party in a connection. They observe or intercept the traffic to steal the user’s credentials or personal information, alter data in transit, or hijack the session to sabotage communications.
All these cyberattacks involve obtaining account credentials. MFA requires users to provide additional factors to gain access to an account. So even if an attacker does manage to steal a password, they must also obtain or defeat the additional factor, which is much harder and, for phishing-resistant factors such as WebAuthn, impractical. That is why MFA thwarts cybercriminals and successfully combats many types of cyberattacks, including:
Phishing, Spear Phishing and Whaling
An attacker may launch a phishing attack to steal a user’s credentials. If the account is protected by MFA, the stolen password alone is not enough: the phishing email cannot supply a one-time password (OTP) generated on the user’s phone, a fingerprint or whatever other factor the login requires. One caveat a practitioner should know: OTPs and push approvals can be captured by real-time phishing, where a proxy site forwards the victim’s password and the freshly typed OTP to the real site within the code’s validity window and keeps the resulting session. Basic MFA still stops the bulk of credential-harvesting phishing, but only origin-bound factors are fully phishing-resistant.
Against attacks that trick a user into entering credentials on a fake site, WebAuthn-based MFA (a hardware security key such as a YubiKey, or a fingerprint reader built into the device the user is logging in from) has exactly that property: the credential is bound to the website’s origin, and the browser will not use it for a look-alike domain. There is nothing for the phishing page to capture, so the system and the user are protected.
Keyloggers capture any password typed into a system. But with MFA enabled, the password alone is not enough: the attacker also needs the other factor. If MFA uses a mobile authenticator app, the one-time code or push approval is produced on the phone from a secret that is never typed on the compromised machine. A typed OTP would also be captured, but it is valid only for a short window, and a well-implemented server rejects a code that has already been used. Without the secondary device, cybercriminals cannot get in, even with a keylogger installed on the user’s system.
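To make the keylogger case concrete, here is an added example, not code from the original page or from OneLogin Protect, implementing the TOTP algorithm (RFC 6238) that authenticator apps use, the server-side check, and a replay attempt by an attacker who keylogged both the password and a six-digit code. The shared secret is the RFC 6238 test key; the replay scenario and the last-used-counter tracking are this example's own illustration.

```python
import hashlib
import hmac
import struct

# Constructed example secret: the RFC 6238 test key. In practice it is enrolled
# into the authenticator app from a QR code and stored server-side; it is never
# typed, so a keylogger never sees it.
SECRET = b"12345678901234567890"
STEP = 30      # seconds per TOTP period
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                step: int = STEP, window: int = 1):
    """Server-side check. Accepts the current period plus `window` periods on
    either side to tolerate clock drift, refuses any counter at or below the
    last one accepted for this user (blocks replay inside the window), and uses
    compare_digest to avoid a timing side channel. Returns the matched counter,
    which the caller stores as the user's new last_counter, or None."""
    for drift in range(-window, window + 1):
        counter = (unix_time + drift * step) // step
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def keylogger_replay(secret: bytes, captured_at: int, replayed_at: int,
                     track_last_used: bool = True) -> bool:
    """A keylogger captured the password *and* the six digits typed at
    `captured_at`. Does submitting those digits again at `replayed_at` work?
    The victim's own login consumed the captured counter, so a server that
    records it refuses the same code even a few seconds later."""
    captured_code = totp(secret, captured_at)
    last_counter = captured_at // STEP if track_last_used else -1
    return verify_totp(secret, captured_code, replayed_at, last_counter) is not None
```

Two things fall out of this: the code is an HMAC of a secret the keylogger never sees, so the attacker cannot produce the next one; and the server must record the last accepted counter per user, otherwise a code captured by the keylogger stays valid for the rest of its 30-second period (the `track_last_used=False` case).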
MFA is a very effective approach to neutralize credential stuffing attacks, in which cybercriminals automatically and simultaneously try a list of stolen usernames and passwords on multiple sites. Even where a stolen pair turns out to be valid, the cybercriminal still needs the additional factor to complete the login. Since they do not have it, they cannot gain unauthorized access to the organization’s systems.
Brute Force Attacks
An attacker may manage to find a working username and password with a brute force, reverse brute force or dictionary attack. However, they do not have the additional factor the MFA system requires, so they cannot access the system. Rate limiting and lockout policies are still needed alongside MFA: MFA stops the login, not the guessing traffic.
MFA also raises the bar against more sophisticated attacks such as MITM, though how much depends on the factor. If an attacker or malicious program inserts itself between the user and the application and captures what the user types, a second factor produced on a different device (an OTP or a push approval on the user’s phone) is not available to the eavesdropper, so a captured password alone does not yield a login. Two caveats apply: a real-time phishing proxy that relays the whole login can forward a typed OTP and then steal the resulting session cookie, and push approvals can be abused by prompt bombing, where an attacker who holds the password triggers prompts until the user taps Approve. Push-based authenticators remain a convenient and reasonably strong mechanism, but they should show context (such as number matching) in the prompt, and the highest-value accounts should use a phishing-resistant factor.
For example, suppose a user logs in from her laptop, which an MITM program has compromised. Because the business has set up MFA, she must also complete the login with a phone app such as OneLogin Protect. The native mobile authenticator app generates a one-time code on the phone and sends it to the authentication system. Since the attacker has neither the phone nor the code the app generated, the stolen password alone does not get them in.
The Web Authentication API (WebAuthn) goes further. The credential’s private key is generated and held inside an authenticator (a security key, or a platform authenticator backed by a TPM or secure enclave) and never leaves it; the server holds only the public key. Each login signs a fresh server-issued challenge together with the origin the browser observed, so an assertion obtained on a look-alike site does not verify for the real one. WebAuthn thus relies on strong public-key cryptography rather than a password, and that origin binding is what makes it phishing-resistant and removes the MITM relay that defeats OTPs.
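What makes this phishing-resistant is easiest to see in code. The following is an added example, not code from the original page or from OneLogin, that models the three parties in a WebAuthn login (authenticator, browser, relying party) and the checks the relying party performs. The RP ID, origins and look-alike domain are constructed, and the signature primitive is an HMAC stand-in so the example runs on the standard library; the RP-ID scoping, the signed data and the verification steps are the WebAuthn ones.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Constructed relying party (RP) for this example; not a real deployment.
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"


class Authenticator:
    """Stand-in for a security key. ASSUMPTION: credentials sign with
    HMAC-SHA256 instead of ECDSA, so the key given to the RP at registration
    is the same secret rather than a public key. What is signed is as in
    WebAuthn: authenticatorData || SHA-256(clientDataJSON)."""

    def __init__(self):
        self._creds = {}   # credential_id -> (rp_id, key)

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, key)
        return cred_id, key

    def get_assertion(self, rp_id, client_data_hash):
        for cred_id, (bound_rp_id, key) in self._creds.items():
            if bound_rp_id != rp_id:
                continue                    # credential is scoped to one RP ID
            auth_data = (hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
                         + b"\x01" + b"\x00\x00\x00\x00")           # flags, counter
            sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
            return cred_id, auth_data, sig
        raise LookupError("no credential registered for rp_id %r" % rp_id)


def browser_get(origin, rp_id, challenge, authenticator):
    """navigator.credentials.get() as the browser performs it: the RP ID must be
    the page's host or a parent domain of it, and the browser (not the page)
    writes the origin into clientDataJSON, so a phishing page cannot lie."""
    host = urlparse(origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("rp_id %r not allowed for origin %r" % (rp_id, origin))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    cred_id, auth_data, sig = authenticator.get_assertion(
        rp_id, hashlib.sha256(client_data).digest())
    return {"id": cred_id, "clientDataJSON": client_data,
            "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    def __init__(self):
        self._keys = {}

    def register(self, cred_id, key):
        self._keys[cred_id] = key

    def verify(self, assertion, issued_challenge):
        """Server-side checks in the order the WebAuthn spec lists them."""
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get":
            return False
        if not hmac.compare_digest(cd.get("challenge", ""), issued_challenge):
            return False                # not the challenge we issued: replay
        if cd.get("origin") != RP_ORIGIN:
            return False                # assertion was produced on another site
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False                # rpIdHash does not match our RP ID
        key = self._keys.get(assertion["id"])
        if key is None:
            return False
        signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def demo():
    """Which scenarios log in: the real site, a look-alike phishing page
    asking for the real RP ID, a relay proxy using its own RP ID, and a
    captured assertion replayed against a fresh challenge."""
    key_fob, rp = Authenticator(), RelyingParty()
    rp.register(*key_fob.make_credential(RP_ID))
    results = {}
    challenge = secrets.token_urlsafe(32)
    assertion = browser_get(RP_ORIGIN, RP_ID, challenge, key_fob)
    results["legit"] = rp.verify(assertion, challenge)
    try:   # look-alike domain: browser refuses before the key is touched
        browser_get("https://example.com.verify-login.net", RP_ID, challenge, key_fob)
        results["lookalike"] = True
    except ValueError:
        results["lookalike"] = False
    try:   # proxy on its own domain: the key has no credential for it
        browser_get("https://verify-login.net", "verify-login.net", challenge, key_fob)
        results["proxy"] = True
    except LookupError:
        results["proxy"] = False
    results["replay"] = rp.verify(assertion, secrets.token_urlsafe(32))
    return results
```

Contrast this with the OTP case: there is no secret the user types that a proxy could forward, the browser refuses to involve the credential on a domain it is not scoped to, and even an assertion somehow obtained elsewhere carries the wrong origin and a stale challenge inside the signed data.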
Ransomware (extortionware) is another growing cybersecurity problem for organizations. For example, in the US, cybersecurity attacks increased by 139% between 2019 and 2020. In fact, there were a staggering 145.2 million cases in Q3 2020 alone. Ransom payouts also increased by 311%, reaching nearly $350 million in cryptocurrencies.
Ransomware is a type of malware, which an attacker stealthily installs on a user’s system. The program encrypts the user’s files or data. To decrypt these locked files and restore the user’s access, the attacker demands a ransom from the victim.
In addition to combating common cyberattacks, MFA is effective at closing a common ransomware entry point. Many ransomware intrusions begin with an attacker using stolen or guessed credentials on remote access (VPN, RDP, email) or on an administrative account. With MFA on those accounts, an attacker who holds only the password does not get in, and the intrusion stops before any files are encrypted. MFA does not address other entry points, such as a malicious attachment that runs on the user’s machine or an unpatched internet-facing service; those need their own controls.
Failed attempts also become visible. A password that is accepted but followed by a denied or unanswered MFA prompt, or a user reporting prompts they did not trigger, means that password is already in attacker hands. IT admins can act on that signal immediately, resetting the credential and blocking the source, and so keep the attacker out before any extortion demand arrives.
Context-aware, adaptive MFA solutions such as OneLogin’s SmartFactor Authentication™ help here. SmartFactor Authentication analyzes inputs such as user location, device and behavior, assesses the risk of each login, and adjusts the number and strength of factors required in real time: a routine login from a known device proceeds smoothly, while an unfamiliar one is challenged harder. This cuts the ransomware exposure that stems from credential theft without burdening users on every login.
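As an added example (not from the original page and not OneLogin product output), here is how those signals look when run over a constructed sign-in log: a source trying many usernames with mostly failing passwords (stuffing or spraying), a user whose password was accepted but whose MFA prompt was denied or never answered, and a user hit with a burst of push prompts. The log format, event names, IPs and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log (documentation IP ranges, invented users). One
# key=value line per event; `event` is one of password_ok, password_fail,
# mfa_push_sent, mfa_ok, mfa_denied.
SAMPLE_LOG = """\
2021-03-09T08:00:01Z ip=203.0.113.7 user=alice event=password_ok
2021-03-09T08:00:02Z ip=203.0.113.7 user=alice event=mfa_push_sent
2021-03-09T08:00:09Z ip=203.0.113.7 user=alice event=mfa_ok
2021-03-09T08:01:00Z ip=198.51.100.23 user=bob event=password_fail
2021-03-09T08:01:00Z ip=198.51.100.23 user=carol event=password_fail
2021-03-09T08:01:01Z ip=198.51.100.23 user=dave event=password_fail
2021-03-09T08:01:01Z ip=198.51.100.23 user=erin event=password_fail
2021-03-09T08:01:02Z ip=198.51.100.23 user=grace event=password_ok
2021-03-09T08:01:03Z ip=198.51.100.23 user=grace event=mfa_push_sent
2021-03-09T08:01:40Z ip=198.51.100.23 user=grace event=mfa_denied
2021-03-09T08:05:00Z ip=192.0.2.44 user=heidi event=password_ok
2021-03-09T08:05:01Z ip=192.0.2.44 user=heidi event=mfa_push_sent
2021-03-09T08:05:20Z ip=192.0.2.44 user=heidi event=mfa_push_sent
2021-03-09T08:05:41Z ip=192.0.2.44 user=heidi event=mfa_push_sent
2021-03-09T08:06:02Z ip=192.0.2.44 user=heidi event=mfa_push_sent
2021-03-09T08:06:30Z ip=192.0.2.44 user=heidi event=mfa_ok
"""


def parse_log(text):
    """Turn key=value lines into dicts with a parsed `ts` datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def credential_stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """IPs that tried many distinct usernames with mostly failing passwords."""
    stats = defaultdict(lambda: {"users": set(), "ok": 0, "fail": 0})
    for ev in events:
        if ev["event"] in ("password_ok", "password_fail"):
            s = stats[ev["ip"]]
            s["users"].add(ev["user"])
            s["ok" if ev["event"] == "password_ok" else "fail"] += 1
    return {ip for ip, s in stats.items()
            if len(s["users"]) >= min_users
            and s["ok"] / (s["ok"] + s["fail"]) <= max_success_rate}


def password_known_mfa_blocked(events):
    """Users whose password was accepted but MFA was denied or never completed:
    the password is already in attacker hands and MFA was the only thing holding."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev["user"]].append(ev)
    flagged = set()
    for user, evs in per_user.items():
        pending = False
        for ev in sorted(evs, key=lambda e: e["ts"]):
            if ev["event"] == "password_ok":
                pending = True
            elif ev["event"] == "mfa_ok":
                pending = False
            elif ev["event"] == "mfa_denied" and pending:
                flagged.add(user)
                pending = False
        if pending:                      # prompt sent, never answered
            flagged.add(user)
    return flagged


def push_bombing_targets(events, threshold=4, window=timedelta(minutes=2)):
    """Users who got `threshold` or more push prompts inside `window`: prompt
    bombing by an attacker who holds the password and spams approvals."""
    pushes = defaultdict(list)
    for ev in events:
        if ev["event"] == "mfa_push_sent":
            pushes[ev["user"]].append(ev["ts"])
    flagged = set()
    for user, times in pushes.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged
```

Each finding maps to a different response: block or rate-limit the stuffing source, force a password reset for the user whose password was accepted but whose MFA failed, and contact the push-bombed user before they approve a prompt they did not start.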
MFA cannot guarantee foolproof security or stop all cyberattacks. However, it can help protect high-value systems and accounts, secure email access, and limit the usefulness of stolen credentials. Most importantly, MFA adds additional layers of authentication to protect systems and combat many types of cyberattacks. MFA is also critical to achieving Zero Trust, the most reliable cybersecurity approach in the modern cyberthreat landscape.