MFA Bypass Methods

  1. Insecure MFA recovery process.
  2. Insecure password reset weakness.
  3. ‘MFA Bombing’ – sending many MFA prompts, in the hope that one is acknowledged.
  4. Trickle charge attack – sending a couple each day, in the hope that one eventually get accepted.
  5. Social engineering – call and tell them to expect a prompt.
  6. Device theft.
  7. Device surfing – SMS pin popup on lock-screen.
  8. Brute force PIN (if vulnerable).
  9. IDOR bypass (Insecure direct object reference).
  10. Bypass via legacy channels that don’t support MFA.
  11. Cookie theft.
  12. Buggy MFA implementation – coerce the app to send codes to other addresses. E.g. parameter pollution. Client side security. PIN not tied to a user.
  13. Technical vulnerability bypass (SQL injection, overflow, other RCE etc).
  14. IDP Takeover.
  15. Parallel or back-office system attack (admin apps, legacy versions, reverse-proxy bypass).
  16. Find an account where MFA is not applied – Break glass account.
  17. SIM swapping.
  18. Exploit gaps in conditional access policy (trusted locations etc).
  19. Phishing – clone the MFA pin prompt and relay.
  20. Physical violence or blackmail.
Credit: Elliott Lewis, Reinforce Services, June 2022.

Leave a Reply

Your email address will not be published. Required fields are marked *