- Insecure MFA recovery process.
- Insecure password reset process.
- ‘MFA Bombing’ – sending many MFA prompts, in the hope that one is acknowledged.
- Trickle charge attack – sending a couple of prompts each day, in the hope that one eventually gets accepted.
- Social engineering – call and tell them to expect a prompt.
- Device theft.
- Device surfing – SMS PIN shown in a lock-screen notification.
- Brute force PIN (if vulnerable).
- IDOR bypass (Insecure direct object reference).
- Bypass via legacy channels that don’t support MFA.
- Cookie theft.
- Buggy MFA implementation – coerce the app into sending codes to other addresses, e.g. via parameter pollution; checks enforced only client-side; a PIN not tied to a specific user.
- Technical vulnerability bypass (SQL injection, buffer overflow, other RCE, etc.).
- IDP Takeover.
- Parallel or back-office system attack (admin apps, legacy versions, reverse-proxy bypass).
- Find an account where MFA is not applied, e.g. a break-glass account.
- SIM swapping.
- Exploit gaps in conditional access policy (trusted locations etc).
- Phishing – clone the MFA PIN prompt and relay it.
- Physical violence or blackmail.
Credit: Elliott Lewis, Reinforce Services, June 2022.