MFA Bypass has become a hot-button issue in the cybersecurity industry. MFA bypass occurs when fraudsters successfully avoid undergoing MFA authentication and can log in after completing just one single authentication step (generally entering the correct password). This means that while legitimate customers are undergoing MFA flows, fraudsters have the ability to skip them altogether. I recently spoke with Bill Fish, Prove’s VP of Authentication, about what companies can do to prevent MFA bypass and protect themselves from this growing security threat.

The interview has been edited for brevity and clarity.
‍

How do fraudsters bypass authenticators? 

Bill: There are many ways fraudsters can bypass authenticators but here are three of the most common methods:

1. When trusted IP addresses are used as part of an MFA framework, fraudsters may spoof or otherwise manipulate their IPs to mimic a legitimate user.
2. Interception of an OTP to take over a user's account: this can be achieved through social engineering or SIM swaps.
3. By attacking a "trusted" system that already has an authenticated session, the fraudster can piggyback off of a legitimate session to gain access.

What is Prove's role in preventing MFA bypass? 

Bill: Here are a few of the most powerful ways Prove can prevent MFA bypass from taking place: 

1. By leveraging cryptographic keys on the device with Prove Auth™, Prove avoids relying solely on evaluating risk through ever-changing signals. This is important in authenticating via "something you have," as you don't have to guess whether the user has the device or not.
2. When relying on telecom infrastructure via SMS OTP, Prove provides signals that help increase the confidence in using the mobile number as a proof of possession check. Trust Score™ will look at telecom network level signals to provide insight into whether to trust that the phone number is still controlled by the legitimate user.
3. When using a cryptographic key on the device, Prove removes the barrier of additional cost to protect the user. There is no longer a need to maintain long authenticated session times as you can check the validity of the key anytime, without having to trade off the cost of protecting your customer.
4. Mobile Auth and Instant Link do not have any OTP to intercept. The same is true when there is a cryptographic key bound to the phone.
5. Push notifications allow for more secure authentication in secondary channel experiences. By leveraging your mobile app, more context for the transactions can be provided to users to help avoid social engineering (e.g., you are attempting to send $10,000 to Mary Lou, with a session initiated in Boise, Idaho).

What should individuals look for when purchasing a solution to protect against MFA bypass?

Bill: Many companies will "bootstrap" authentication devices with an existing username and password. This makes the new "strong" authenticator only as good as the UN/PW, and the user is no more secure as a result. Prove recommends our PRO model of Possession, Reputation, and Ownership, which allows the new, encrypted keys to inherit the high level of confidence Prove is able to generate.

When using a mobile phone as a second factor, using a cryptographic key on that device will be the best way to have confidence in the MFA. The first time that device is seen, there should also be checks to make sure that the phone number can be trusted before establishing those keys.

Strong binding helps not only to establish the multi-factor credential the first time a user shows up but also is needed when the user changes phones. That happens every couple of years on average for a user, so handling that change will be critical. Prove's strong binding makes that process painless.
‍

Conclusion

Fraudsters are leveraging the MFA Bypass technique at unprecedented rates, posing a major threat to companies. In order to fortify against MFA bypass and prevent fraud, companies can leverage Prove’s cryptographic authentication technology without compromising the user experience. 

Want to prevent MFA Bypass? Speak to a fraud expert.

‍