Blog

What Is MFA Bypass Fraud?

Post by:
Fitzwilliam Anderson
September 1, 2022
Post by:
No items found.
September 1, 2022
What Is MFA Bypass Fraud?

MFA Bypass has become a hot-button issue in the cybersecurity industry. MFA bypass occurs when fraudsters successfully avoid undergoing MFA authentication and can log in after completing just one single authentication step (generally entering the correct password). This means that while legitimate customers are undergoing MFA flows, fraudsters have the ability to skip them altogether. I recently spoke with Bill Fish, Prove’s VP of Authentication, about what companies can do to prevent MFA bypass and protect themselves from this growing security threat.

The interview has been edited for brevity and clarity.

How do fraudsters bypass authenticators? 

Bill: There are many ways fraudsters can bypass authenticators but here are three of the most common methods:

  1. When trusted IP addresses are used as part of an MFA framework, fraudsters may spoof or otherwise manipulate their IPs to mimic a legitimate user.
  2. Interception of an OTP to take over a user's account: this can be achieved through social engineering or SIM swaps.
  3. By attacking a "trusted" system that already has an authenticated session, the fraudster can piggyback off of a legitimate session to gain access.

What is Prove's role in preventing MFA bypass? 

Bill: Here are a few of the most powerful ways Prove can prevent MFA bypass from taking place: 

  1. By leveraging cryptographic keys on the device with Prove Auth™, Prove avoids relying solely on evaluating risk through ever-changing signals. This is important in authenticating via "something you have," as you don't have to guess whether the user has the device or not.
  2. When relying on telecom infrastructure via SMS OTP, Prove provides signals that help increase the confidence in using the mobile number as a proof of possession check. Trust Score™ will look at telecom network level signals to provide insight into whether to trust that the phone number is still controlled by the legitimate user.
  3. When using a cryptographic key on the device, Prove removes the barrier of additional cost to protect the user. There is no longer a need to maintain long authenticated session times as you can check the validity of the key anytime, without having to trade off the cost of protecting your customer.
  4. Mobile Auth and Instant Link do not have any OTP to intercept. The same is true when there is a cryptographic key bound to the phone.
  5. Push notifications allow for more secure authentication in secondary channel experiences. By leveraging your mobile app, more context for the transactions can be provided to users to help avoid social engineering (e.g., you are attempting to send $10,000 to Mary Lou, with a session initiated in Boise, Idaho).

What should individuals look for when purchasing a solution to protect against MFA bypass?

Bill: Many companies will "bootstrap" authentication devices with an existing username and password. This makes the new "strong" authenticator only as good as the UN/PW, and the user is no more secure as a result. Prove recommends our PRO model of Possession, Reputation, and Ownership, which allows the new, encrypted keys to inherit the high level of confidence Prove is able to generate.

When using a mobile phone as a second factor, using a cryptographic key on that device will be the best way to have confidence in the MFA. The first time that device is seen, there should also be checks to make sure that the phone number can be trusted before establishing those keys.

Strong binding helps not only to establish the multi-factor credential the first time a user shows up but also is needed when the user changes phones. That happens every couple of years on average for a user, so handling that change will be critical. Prove's strong binding makes that process painless.

Conclusion

Fraudsters are leveraging the MFA Bypass technique at unprecedented rates, posing a major threat to companies. In order to fortify against MFA bypass and prevent fraud, companies can leverage Prove’s cryptographic authentication technology without compromising the user experience. 

Want to prevent MFA Bypass? Speak to a fraud expert.

Create secure frictionless customer experiences using modern identity solutions

Join over 1,000 businesses that rely on Prove across multiple industries, including banking, FinTech, healthcare, insurance, and e-commerce. Contact us today.

Keep Reading...Read our latest white-paper on this subject!

Tap the button below to read our latest white-paper on the subject as industry leaders.

Accelerate your onboarding

Contact us to learn how leading companies are using Prove Pre-Fill to modernize the account creation process by shaving off clicks and keystrokes that kill conversion.

Create frictionless customer experiences

Get in touch to find out how we can help you identify your customers at every stage of their journey and offer them seamless and secure experiences.

Schedule a demo

Let our expert team guide you through our identity verification and authentication solutions. Select a date and time that works for you.

Schedule a demo

Find out how we can help you deliver seamless and secure customer experiences that comply with PSD2/SCA. Select a date and time that works for you.

Interested in more information about Prove Pre-Fill?

Download Aite-Novarica Group’s full report about Prove Pre-Fill, including a product overview, customer results, and how the product works.

Interested in more information about MFA?

Download the guide now to learn how you can improve security, cut down on fraud, and create the best possible customer experience.