Multi-factor authentication (MFA) is viewed as a key component of modern cybersecurity, but it’s far from invincible. As threats evolve, so do the techniques used to bypass even the most robust MFA implementations.

We’ve categorized MFA vulnerabilities based on three main attack vectors:

1. Assaults on the authentication infrastructure
2. Exploitation of client-side weaknesses
3. Social engineering tactics that target human vulnerabilities

        By understanding these threats, security professionals can better fortify their defenses
       and try to stay ahead of potential attackers.

Attacking the Authentication Infrastructure

Infrastructure is the bedrock of authentication security. When this foundation cracks, even the strongest MFA implementations crumble. There are important examples on both the client side and the security vendor side that expose the risks to authentication infrastructure and processes.

Stealing the Master Key

Compromising the core authentication infrastructure can have catastrophic consequences. One strategy for attackers is to hack and obtain the private signing key (“master key”) that forms the foundation of the “who are you?” chain of trust.

• Golden SAML tokens. In the alarming and heavily publicized 2020 attack against the software supply chain, attackers injected malicious code into SolarWinds’ Orion software updates, allowing them to forge SAML tokens and bypass MFA for numerous high-profile targets.
• Tenant coordination attacks: In 2023, researchers uncovered weaknesses in Microsoft’s
  Azure AD’s MFA coordination across tenants, potentially allowing MFA bypass for shared accounts.
• Third-party access: A compromised third-party support engineer’s laptop in 2022 allowed Okta’s SAML tokens to be stolen, enabling attackers to impersonate legitimate users.
• Obtaining the consumer signing key. Theft of Microsoft’s Consumer Signing Key in 2023 allowed forged authentication tokens for consumer accounts.

         These incidents highlight how a single point of failure can undermine MFA across entire
         systems or organizations. By targeting the core authentication infrastructure and platform
         vendors, attackers can exploit potentially millions of endpoints.

Rendering MFA Ineffective

Sometimes, attackers don’t need to steal keys because they just aim to neutralize the MFA. When MFA infrastructure is offline, defenses are down. Some notable examples include:

• DDoS Attacks on Identity Providers (IdPs): “Fail open” configurations can default to allowing access without MFA during DDoS attacks.
• RSA SecurID Breach (2011): Compromised systems at the RSA MFA token manufacturer led to potential token cloning, bypassing MFA for major defense contractors.
• Weak Timeout Policies (2020): Overly long session timeouts can grant attackers extended access without re-authentication, such as in the Twitter admin account hijacking in 2020

        These examples show how architectural decisions and configurations can weaken MFA,
        even when the core technology appears to be secure.

Client-Side Vulnerabilities and MFA Bypass Techniques

While infrastructure attacks are sweeping and powerful, they are relatively rare. The real workhorse for attackers are client-side vulnerabilities that offer a way to bypass MFA on a per-person basis. Let’s examine some of these techniques:

Stealing Tokens

Once an attacker gains a foothold on a person’s device, they have several MFA bypass
options:

• Session Hijacking: By stealing authentication cookies or tokens, attackers can ride on an already authenticated session, completely bypassing the need for MFA. Examples abound, such as the “Phishing-as-a-Service” Tycoon 2FA and V3B toolkits used by attackers to exfiltrate session tokens from victims.
• OAuth 2.0 Vulnerabilities: Flaws in OAuth implementations can be exploited through techniques like XSS, HTML injection, or manipulating proxy settings. This allows attackers to intercept or forge OAuth tokens, bypassing MFA.
• Man-in-the-Browser Attacks: Sophisticated malware can manipulate what users see in their browsers, such as ongoing attacks against Brazilian bank customers, or countless cryptocurrency malware. This allows attackers to intercept or modify transactions even after successful MFA, potentially changing payment details or other sensitive information.

These token-stealing techniques represent the first line of attack for many cybercriminals. As security measures evolve, attackers also develop more sophisticated methods to bypass MFA.

For example, in April 2022, OAuth tokens issued to Heroku and Travis CI were stolen, leading to unauthorized access to private repositories on GitHub. Attackers exploited these tokens to move laterally within GitHub’s infrastructure, accessing sensitive data from multiple repositories. This breach highlighted the risks associated with overly permissive and long-lived OAuth tokens.

Abusing Trusted Components

Moving beyond simple token theft, more advanced attacks target trust relationships in the applications themselves. Chief among these are Supply Chain Attacks, compromising software update processes to distribute authentication-altering malware.

• Client-side attacks. Modern websites are built upon a web of dependencies, each of which could potentially be subverted to be a vector for a wide-ranging attack that circumvents authentication. There are various examples, for example the 2023 UAParser.js backdoor in the npm ecosystem, and the various episodes in the Magecart timeline.
• Server-side attacks. The backend similarly relies on external components that must be trusted, notably demonstrated by the 2020 Solar Winds hack and the 2024 SSH xz backdoor, both of which were used by advanced attackers to bypass authentication and live off the land within the compromised organization.
• By compromising the foundational programs that employees trust, attackers can bypass MFA among end-users of these programs in ways that are much harder to detect and prevent.

Social Engineering and Human Vulnerabilities in MFA Protection

The human factor continues to pose a significant vulnerability in MFA systems, making them susceptible to social engineering attacks. Consider the following typical attack chain.

In early 2021, Microsoft Exchange servers were targeted by a sophisticated spearphishing campaign. Attackers exploited vulnerabilities in the Exchange Server software to gain initial access. They then used spear-phishing emails to steal credentials and move laterally within the network, deploying web shells and other malware to maintain persistence and exfiltrate data.

Social engineering attacks like these exploit human security weaknesses in various ways:

Direct Deception

If I trust that you are someone else, I may grant you access you should not have. Social engineering, psychologically manipulating human trust, remains a potent tool for bypassing MFA.

• Phishing and Spear Phishing: In this staple of the hacker’s toolkit, attackers create convincing replicas of authentication pages to steal credentials and MFA codes. They can have a broad approach (phishing), or a more targeted individual audience attack (spear phishing), with a plethora of examples. The bombastic 2024 MGM Resorts ransomware hack, for instance, relied on a vishing call to the IT helpdesk to request an MFA reset for an administrative account.
• MFA Fatigue (Prompt Bombing): Overwhelming people with authentication requests until they approve one out of frustration, such as in the highly publicized Uber hack of 2022.
• Exploiting Habituation: Taking advantage of employees’ routine re-authentication habits, such as frequent single sign-on (SSO) login prompts that annoys employees enough to store credentials in password managers that are backed up on personal accounts, such as in the 2022 Cisco hack.

These attacks are examples of how taking advantage of human psychology and behavior can defeat even well-designed MFA. But direct deception isn’t the only social engineering tactic attackers use.

Other Social Engineering Tactics

Attackers use various methods to manipulate people and systems:

• SIM-Swapping and SMS Interception: Convincing carriers to transfer phone numbers to attacker-controlled SIMs allows for MFA bypass, since the SMS text message will be received by the hacker group. This method for overcoming authentication has been used repeatedly against high-profile individuals and companies (such as Washington National in 2024) with entire gangs (such as Scattered Spider) organized around the practice.
• Account Recovery Exploits: Leveraging weak recovery processes can bypass MFA entirely. The known attacks range from guessing security questions to exploiting weak SMS implementations, underscoring the need for proper identity verification during account recovery.
• Insider Threats: Exploiting third-party support providers, such as the 2024 cascade of attacks against Snowflake customers that had not fully enabled MFA, or internal employees in the organization. These can be unknowing insiders, such as in the 2020 Twitter hack, or bribed or malicious insiders such as in multiple attacks against Tesla in 2020.

These examples show how attackers can bypass MFA by exploiting processes and people adjacent to the core authentication system. The chain is never stronger than its weakest link.

Closing Thoughts: The Role of MFA in the Ever-Evolving Battle for Security

The list of MFA bypass techniques exposes the fierce and evolving battle between attackers and defenders in cyberspace. While companies have made significant strides in bolstering their defenses against stolen credentials, relying solely on MFA leaves critical vulnerabilities that hackers are quick to exploit. Rather, new attack vectors and vulnerabilities emerge constantly, proving that MFA is not the silver bullet we all wish it would be.

Effective security demands a comprehensive, layered approach. When the authentication infrastructure is bypassed or becomes porous, what compensating controls keep hackers at bay?

Maintaining robust MFA protection requires vigilance and adaptability. Security teams must stay ahead of emerging threats, continuously refine their defenses, and instill a culture of security awareness across the organization.

In cybersecurity, standing still means falling behind: you don’t want to be the slowest zebra in the savannah. As attackers sharpen their tactics, defenders must evolve their strategies. The battle for cybersecurity is ongoing where MFA is an important weapon, but with a layered and proactive approach, you can significantly reduce the risk of falling victim to sophisticated bypass techniques.

Stay proactive, stay informed, and remember: in cybersecurity, there are no silver bullets: you must keep moving forward to stay ahead.

‍