How to Avoid MFA Bypass Threats: What Organizations and MSPs Must Do

Multi-factor authentication (MFA) is a critical component of cybersecurity and is widely used in identity and access management (IAM). It has proven effective at protecting against credential theft and other forms of unauthorized access. However, attackers have grown more sophisticated and now use techniques that bypass MFA outright. Without additional layers of defense, MFA alone cannot protect your environment.
MFA Bypass Threats
Choosing the right protections matters, but it matters even more to recognize the typical vectors through which MFA is bypassed.
Adversary-in-the-Middle (AiTM) Phishing Attacks
In this attack, a phishing site sits between the user and the real service: it collects the user's credentials and MFA response, relays them to the legitimate system in real time, and captures the resulting session token. The attacker can then use that token to access the account until it expires. Microsoft has documented this technique and stressed that it succeeds even when MFA is enabled.
Push-Flood
Attackers trigger a flood of MFA push notifications to a user's devices until the user, out of frustration, approves one. This method also bypasses MFA controls.
Weak MFA Methods
Voice calls and SMS are not phishing-resistant, which makes them more susceptible to interception.
Preventing MFA Bypass
It is important to deploy technical controls to monitor and mitigate these threats. Employing Microsoft's stack of Entra ID, Conditional Access, and Defender allows you to:
- Enforce phishing-resistant MFA for high-privilege and administrator accounts
- Apply risk-based Conditional Access policies
- Enforce device compliance and endpoint controls
- Protect tokens and secure sessions
- Eliminate weak or legacy MFA methods
- Audit, monitor, and respond to incidents
Protecting Against MFA Bypass
C Solutions IT offers several methods to protect your business from MFA bypass threats. The most common ones are listed below:
Assessment and Policy Review
Audit Entra ID, Azure AD, and Conditional Access settings for misconfigurations or gaps. This is imperative to ensure all administrator roles are properly protected.
Secure Conditional Access Frameworks
Develop and deploy policy templates built around phishing-resistant MFA: require it for high-privilege roles and combine it with device compliance requirements. Layered protections should back up this model in case one control fails.
MFA Method Standardization
Businesses need to move away from weak MFA methods and standardize on stronger ones such as FIDO2 security keys or passkeys. Standardizing on a single strong method also simplifies device control.
Ongoing Monitoring
Continuously track activity across Cloud Apps, Endpoint, and Identity, and configure alerts that fire when specific security conditions are met.
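The monitoring described above needs concrete alert conditions. The following Python script is an added example, not C Solutions IT's or Microsoft's code: it runs two of those conditions over a handful of constructed sign-in records that mimic the fields an Entra ID sign-in log exposes. The first check covers the push-flood pattern (several denied or timed-out push prompts followed by an approval), the second the token-theft and AiTM pattern (a session that completed MFA from one address and is later used from another). The record layout, field names, and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records for this example. The field names are a
# simplified stand-in for what an Entra ID sign-in log exposes (user, timestamp,
# source IP, session id, interactive vs. token refresh, MFA result); all values
# are invented.
SAMPLE_SIGNINS = [
    # alice: four push prompts denied or left to time out, then one approved (push-flood pattern)
    {"user": "alice", "time": "2024-05-01T08:00:00", "ip": "203.0.113.10", "session": None, "interactive": True, "mfa": "denied"},
    {"user": "alice", "time": "2024-05-01T08:01:00", "ip": "203.0.113.10", "session": None, "interactive": True, "mfa": "timeout"},
    {"user": "alice", "time": "2024-05-01T08:02:00", "ip": "203.0.113.10", "session": None, "interactive": True, "mfa": "denied"},
    {"user": "alice", "time": "2024-05-01T08:03:00", "ip": "203.0.113.10", "session": None, "interactive": True, "mfa": "timeout"},
    {"user": "alice", "time": "2024-05-01T08:04:00", "ip": "203.0.113.10", "session": "s1", "interactive": True, "mfa": "approved"},
    # bob: normal sign-in followed by a token refresh from the same address
    {"user": "bob", "time": "2024-05-01T09:00:00", "ip": "198.51.100.20", "session": "s2", "interactive": True, "mfa": "approved"},
    {"user": "bob", "time": "2024-05-01T09:30:00", "ip": "198.51.100.20", "session": "s2", "interactive": False, "mfa": "none"},
    # carol: MFA completed interactively, then the same session used from another address (token theft / AiTM pattern)
    {"user": "carol", "time": "2024-05-01T10:00:00", "ip": "203.0.113.30", "session": "s3", "interactive": True, "mfa": "approved"},
    {"user": "carol", "time": "2024-05-01T10:07:00", "ip": "192.0.2.77", "session": "s3", "interactive": False, "mfa": "none"},
]

PUSH_WINDOW = timedelta(minutes=10)   # look-back window for counting failed prompts (assumed)
PUSH_THRESHOLD = 3                    # failed/unanswered prompts before an approval that trigger an alert (assumed)


def _parsed(records):
    """Copy records with ISO timestamps converted to datetime, sorted by time."""
    out = []
    for rec in records:
        r = dict(rec)
        r["time"] = datetime.fromisoformat(rec["time"])
        out.append(r)
    return sorted(out, key=lambda r: r["time"])


def detect_push_fatigue(records, window=PUSH_WINDOW, threshold=PUSH_THRESHOLD):
    """Flag approvals that follow >= threshold denied/timed-out prompts for the same user within window.

    Returns tuples of (user, approval time as ISO string, number of prior failed prompts)."""
    by_user = defaultdict(list)
    for r in _parsed(records):
        by_user[r["user"]].append(r)
    hits = []
    for user, events in by_user.items():
        for i, ev in enumerate(events):
            if ev["mfa"] != "approved":
                continue
            prior = [e for e in events[:i]
                     if e["mfa"] in ("denied", "timeout") and ev["time"] - e["time"] <= window]
            if len(prior) >= threshold:
                hits.append((user, ev["time"].isoformat(), len(prior)))
    return hits


def detect_session_reuse(records):
    """Flag sessions whose token is later used from an IP other than the one that completed MFA.

    Returns tuples of (user, session id, IP that passed MFA, IP that reused the session)."""
    origin = {}   # session id -> source IP of the interactive, MFA-approved sign-in
    hits = []
    for r in _parsed(records):
        sid = r["session"]
        if sid is None:          # failed prompts never establish a session
            continue
        if r["interactive"] and r["mfa"] == "approved":
            origin.setdefault(sid, r["ip"])
        elif sid in origin and r["ip"] != origin[sid]:
            hits.append((r["user"], sid, origin[sid], r["ip"]))
    return hits


if __name__ == "__main__":
    for hit in detect_push_fatigue(SAMPLE_SIGNINS):
        print("push fatigue:", hit)
    for hit in detect_session_reuse(SAMPLE_SIGNINS):
        print("session reuse:", hit)
```

On the sample data the first check flags alice's approval at 08:04 (four failed prompts in the preceding ten minutes) and the second flags carol's session s3 being used from 192.0.2.77 after MFA was completed from 203.0.113.30; bob's refresh from his original address produces nothing. In production the same two conditions would be fed from exported sign-in logs, and a session-reuse hit is the trigger for the token revocation described under Preparedness and Recovery.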
User Education
Many users dislike MFA because providing a second factor in addition to their password feels like a chore. It is essential to educate users on why MFA matters and how to spot phishing attempts.
Preparedness and Recovery
Incident response policies must be in place to revoke tokens, rotate credentials, and reset configurations when an incident occurs.
Implementing a Best Practices Checklist
While there are many ways to counter MFA bypass, the checklist below delivers the best results for MSPs.
- Conditional Access Coverage: Ensure policies apply to every app and every user type, including admins, contractors, and guests. Regardless of privilege level, each needs policies that cover its usage and access.
- Authentication Strength: Require phishing-resistant MFA (FIDO2/passkeys) for admin and privileged roles.
- Device Compliance: Require compliant devices, known locations, and Azure AD-joined devices where possible.
- Token Protection: Enable Continuous Access Evaluation (CAE) and require reauthentication for higher-risk locations and devices.
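The checklist above, together with the Assessment and Policy Review step, amounts to a set of checks that can be run against a tenant's Conditional Access policies as code. The Python script below is an added example, not C Solutions IT's or Microsoft's code: it audits a small set of constructed policies written in the simplified shape of the Microsoft Graph conditionalAccessPolicy resource and reports coverage gaps (report-only policies, missing phishing-resistant MFA for admins, no compliant-device requirement, legacy authentication not blocked, token protection missing, and exclusions to review). The field names follow the Graph resource as far as the author knows them, the "secureSignInSession" session control is assumed to represent Token Protection, and the two GUIDs are assumed values that must be confirmed in your own tenant.

```python
# Constructed Conditional Access policies in the (simplified) shape of the Microsoft
# Graph conditionalAccessPolicy resource. The two GUIDs below are the values the
# author believes Microsoft assigns to the built-in "Phishing-resistant MFA"
# authentication strength and the Global Administrator role template; treat them as
# assumptions and confirm them in your own tenant before relying on this audit.
PHISHING_RESISTANT_STRENGTH = "00000000-0000-0000-0000-000000000004"
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}   # client app types used by legacy authentication

SAMPLE_POLICIES = [
    {   # good: admins must use phishing-resistant MFA, with token protection on
        "displayName": "Admins: phishing-resistant MFA",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "excludeUsers": ["break-glass-01"], "includeRoles": [GLOBAL_ADMIN_ROLE]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "AND", "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH}},
        "sessionControls": {"secureSignInSession": {"isEnabled": True}},   # assumed to be Token Protection
    },
    {   # gap: the tenant-wide MFA policy was left in report-only mode
        "displayName": "All users: MFA",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "includeRoles": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # good: legacy authentication clients are blocked
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "includeRoles": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def _users(p):
    return p["conditions"]["users"]

def _controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls") or [])

def _all_apps(p):
    return "All" in p["conditions"]["applications"].get("includeApplications", [])

def _all_users(p):
    return "All" in _users(p).get("includeUsers", [])

def _targets_admins(p):
    return _all_users(p) or GLOBAL_ADMIN_ROLE in _users(p).get("includeRoles", [])

def _phishing_resistant(p):
    strength = (p.get("grantControls") or {}).get("authenticationStrength") or {}
    return strength.get("id") == PHISHING_RESISTANT_STRENGTH

def _token_protection(p):
    return bool((p.get("sessionControls") or {}).get("secureSignInSession", {}).get("isEnabled"))


def audit(policies):
    """Return a list of human-readable findings; an empty list means every check passed."""
    findings = []
    live = [p for p in policies if p["state"] == "enabled"]   # only enforced policies count as coverage
    for p in policies:
        if p["state"] == "enabledForReportingButNotEnforced":
            findings.append(f"report-only, not enforced: {p['displayName']}")
    if not any(_targets_admins(p) and _all_apps(p) and _phishing_resistant(p) for p in live):
        findings.append("no enforced policy requires phishing-resistant MFA for Global Administrators")
    if not any(_all_users(p) and _all_apps(p) and ("mfa" in _controls(p) or _phishing_resistant(p)) for p in live):
        findings.append("no enforced policy requires MFA for all users on all apps")
    if not any(_all_users(p) and "compliantDevice" in _controls(p) for p in live):
        findings.append("no enforced policy requires a compliant device")
    if not any(LEGACY_CLIENT_TYPES <= set(p["conditions"].get("clientAppTypes", [])) and "block" in _controls(p) for p in live):
        findings.append("legacy authentication clients are not blocked")
    if not any(_targets_admins(p) and _token_protection(p) for p in live):
        findings.append("no enforced policy enables token protection for admin sessions")
    for p in live:   # exclusions are legitimate for break-glass accounts but must be reviewed
        for u in _users(p).get("excludeUsers", []):
            findings.append(f"review exclusion: {u} is excluded from '{p['displayName']}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICIES):
        print("FINDING:", finding)
```

Against the sample set the audit reports the report-only MFA policy, the resulting lack of an enforced tenant-wide MFA requirement, the missing compliant-device requirement, and the break-glass exclusion for review; the admin, legacy-authentication, and token-protection checks pass. Running the same function over policies exported from a real tenant turns the checklist into a repeatable review rather than a one-off inspection.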
Real-World Protection
Enterprise-grade solutions are necessary to guard against MFA bypass. C Solutions IT provides MFA policy frameworks that protect our clients. Given today's threat landscape, it is important to protect your infrastructure and data from these attacks.
Security Measures
MFA remains indispensable, but it is fallible. It is not a standalone cure-all, particularly when it is improperly configured, and configuring it correctly for a given environment takes considerable expertise. Even the tools that extend MFA with device compliance and authentication strength are not enough on their own. Push fatigue, token theft, and AiTM phishing can all bypass MFA under the right circumstances.
Reach out to C Solutions IT to schedule an MFA bypass risk assessment. We can integrate proactive threat detection tools and help configure your environment to detect threats early.