Understanding Multi-Factor Authentication


When 23andMe, the popular genetic data gathering and sharing organization, was breached in November of 2023, the threat actors responsible gained initial access by launching a credential stuffing attack.

In a credential stuffing attack, hackers enter known passwords and emails to see if a combination will work. This attack only succeeded because multi-factor authentication (MFA) was not in place on the compromised account. At the time, it was optional for 23andMe users to implement MFA on their accounts. It has since become a required feature.

This breach highlights two intersecting trends in the cyber world: The rise of credential- and identity-based attacks, and how critical a simple access control like MFA can be to the success or failure of these attacks.

What is Multi-Factor Authentication?

Multi-factor authentication is an access control that adds a layer of security to application logins and user access by asking users to verify their identity beyond the typical username and password combination. As the name suggests, this control involves multiple forms of authentication, which are commonly something you have, such as a token or a mobile device; something you know, such as the answer to a security question or secondary password; or something you are, such as your fingerprint or another biometric trait.

Say a user is logging into a web application used by their employer. The first screen would prompt them to input a username and password. If those are correct, it would then prompt a secondary form of authentication, such as asking the user to verify that it was them logging in through a phone application. Then the user would have to answer a security question. Only then, once these supplemental steps have been taken, will access be granted.

Types of Multi-factor Authentication

Multi-factor authentication can come in many forms, as long as it follows the criteria listed above. Common forms of MFA include:

  • Biometrics such as a fingerprint or face scan (like the face scan used by recent models of iPhones to unlock devices)
  • Authenticator applications, which are third-party applications like Okta that a user must access to authenticate their identity
  • Hardware tokens, physical devices, or software tokens which require an action for authentication
  • Knowledge factors, which can be secondary passwords or security questions that can only be answered by the user
  • Links or verification codes that are sent to an email account or mobile device and must be clicked for authentication

A common example of MFA is when a user logs into their Google account and is then prompted to open their YouTube application and verify their login through YouTube — a form of a software token.

A trend in MFA, which can introduce new risks, is outsourcing these authentication forms to third parties. If an authentication application like Google Authenticator were breached, hackers could be able to access accounts that rely on that application for MFA.

While there are multiple types of MFA, it should be noted that MFA is not the same as two-factor authentication (2FA), nor is it the same as single sign-on (SSO). 2FA is a form of MFA, but not all MFA is 2FA, as 2FA only requires two forms of authentication and verification, whereas MFA can involve more than two. SSO is an access management tool where a user can access multiple applications through a centralized hub that contains just a single set of credentials. MFA should be used with SSO to ensure proper access control to any application that falls under the SSO hub.

The Security Importance of Multi-Factor Authentication

Multi-factor authentication plays a critical role in identity and access security by basically pausing access until it can be verified. It’s often referred to as table stakes when it comes to identity and access management (IAM) best practices and is a crucial piece of security for organizations looking to follow a zero trust strategy within their environment.

The value of MFA has only increased in recent years as identity-based attacks trend upward. To put that trend into numbers:

  • 39% of non-BEC incidents investigated by Arctic Wolf in 2023 involved an attacker using credentials to log into an exposed application
  • There was a 71% increase in attacks using valid credentials from 2022-2023, according to IBM
  • 76% of social engineering attacks resulted in compromised credentials, according to Verizon
  • 90% of organizations have experienced at least one identity breach in the past 12 months, according to the Identity Defined Security Alliance

The reason identities are becoming top targets is multi-faceted. One reason is the rise of cloud-first environments that prioritize web applications such as SaaS applications, and another is the rise of remote or hybrid work where stationary desktops protected by firewalls are no longer the norm.

Another reason is that threat actors know that to gain initial access to a network or gain privileged access, they need credentials. If they can obtain these credentials — through social engineering, the dark web, or another means — MFA instantly stops their progress. It would be like unlocking and opening a door only to find a brick wall behind it. MFA stops all movement and shrinks the attack surface.

Multi-factor authentication has a minimum of three steps a user must complete before access is granted.

Where MFA Falls Short: MFA Fatigue Attacks

While multi-factor authentication should absolutely be implemented across an organization’s environment, like all measures it is only one part of a holistic defense, and it’s not impenetrable.

In recent years, threat actors have figured out ways to get around MFA, including popular MFA fatigue attacks.
MFA fatigue attacks involve a threat actor prompting an MFA authentication (such as pinging an authentication application) repeatedly, in hopes the user will become overwhelmed or confused and verify the access. This kind of attack is also called prompt-bombing, push-bombing, or notification fatigue.
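
One way a detection team could spot the prompt-bombing pattern described above, shown as an added example that is not part of the original article. The event names, tuple layout, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). The event names and tuple layout
# are hypothetical; map them to whatever your identity provider exports.
SAMPLE_EVENTS = [
    ("2024-03-01T02:10:05", "alice", "push_sent", "203.0.113.7"),
    ("2024-03-01T02:10:40", "alice", "push_sent", "203.0.113.7"),
    ("2024-03-01T02:11:15", "alice", "push_sent", "203.0.113.7"),
    ("2024-03-01T02:11:50", "alice", "push_sent", "203.0.113.7"),
    ("2024-03-01T02:12:30", "alice", "push_sent", "203.0.113.7"),
    ("2024-03-01T02:13:05", "alice", "push_sent", "203.0.113.7"),
    ("2024-03-01T02:13:20", "alice", "push_approved", "203.0.113.7"),
    ("2024-03-01T09:00:00", "bob", "push_sent", "198.51.100.20"),
    ("2024-03-01T09:00:12", "bob", "push_approved", "198.51.100.20"),
]

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed prompt count that marks a burst


def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Flag prompt bursts, and approvals that arrive during a burst."""
    prompts = defaultdict(deque)  # user -> timestamps of recent push prompts
    in_burst = set()              # users already alerted for the current burst
    alerts = []
    for raw_ts, user, event, src_ip in sorted(events):
        ts = datetime.fromisoformat(raw_ts)
        queue = prompts[user]
        while queue and ts - queue[0] > window:  # expire prompts outside the window
            queue.popleft()
        if not queue:
            in_burst.discard(user)  # the previous burst has fully aged out
        if event == "push_sent":
            queue.append(ts)
            if len(queue) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append({"type": "prompt_burst", "user": user,
                               "prompts": len(queue), "time": raw_ts, "src_ip": src_ip})
        elif event == "push_approved" and len(queue) >= threshold:
            # Approval after a burst: treat the resulting session as suspect.
            alerts.append({"type": "approved_during_burst", "user": user,
                           "prompts": len(queue), "time": raw_ts, "src_ip": src_ip})
            queue.clear()
            in_burst.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An approval that lands during a burst is the higher-priority alert, since it is the point at which the fatigue attack would have succeeded.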

Additionally, social engineering isn’t just used to gain credentials. A threat actor could pose as an IT professional or some other source and ask a user to verify an authentication request for them.

Threat actors can use other tactics to bypass MFA, such as man-in-the-middle attacks, a technical attack where the threat actor puts themselves between a user and a legitimate login page through a malicious proxy server, allowing them to capture credentials and modify access. They can also utilize token theft, where they steal the session cookie on an endpoint that reads credentials as authenticated (session cookies are the reason users don’t have to keep logging back in if they’re on the same endpoint or browser).
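
A sketch of one server-side mitigation for the token theft case above, added here as an example and not taken from the original article: the session is tied to a coarse client context, and a cookie presented from a different context has to pass MFA again. The in-memory store, function names and the choice of context (user agent plus IPv4 /24) are assumptions.

```python
import hashlib
import secrets

SESSIONS = {}  # session id -> record; stands in for a server-side session store


def _context(user_agent, ip):
    """Coarse client context: user agent plus the /24 of an IPv4 address."""
    network = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{network}".encode()).hexdigest()


def issue_session(user, user_agent, ip):
    """Call only after the password and the MFA step have both succeeded."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "context": _context(user_agent, ip)}
    return sid


def check_session(sid, user_agent, ip):
    """Return 'ok', 'step_up' (MFA must be repeated) or 'invalid'."""
    record = SESSIONS.get(sid)
    if record is None:
        return "invalid"
    if record["context"] != _context(user_agent, ip):
        # The cookie is valid but arrives from a different client, so it is
        # not accepted as proof that MFA was completed on this device.
        return "step_up"
    return "ok"


def complete_step_up(sid, user_agent, ip):
    """After a fresh MFA success: retire the old id and bind a new one."""
    record = SESSIONS.pop(sid)
    return issue_session(record["user"], user_agent, ip)
```

A context check like this raises the cost of replaying a stolen cookie but does not stop an attacker who reuses it from the same network with the same user agent, so it belongs alongside short session lifetimes and monitoring rather than in place of them.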

These kinds of workarounds show that while MFA should be table stakes, organizations can’t rely on it alone to protect themselves from a cyber attack. MFA should be implemented alongside other zero trust best practices, strong password hygiene, identity threat detection and response (ITDR), and user awareness training that reduces the human risk that’s directly tied to identity attacks.

Learn more about how a robust security awareness training program can help your organization combat identity-based attacks.
See how Arctic Wolf partners with Okta to better protect your identity sources from threats.

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.