MFA matters… But it isn’t enough on its own
Unprotected usernames and passwords offer little defense against account takeover attacks. Multi-factor authentication (MFA) has quite rightly become the de facto standard for strengthening access controls. Yet even the best MFA implementations leave a critical gap: weak, reused, or compromised passwords. When an attacker bypasses or circumvents MFA—whether by tricking a user into approving a push notification or exploiting a fallback—those same poor passwords become the attacker’s key to your systems.
That’s why a layered approach to identity security must include both robust password hygiene and MFA on every login point. Despite its strengths, MFA is not a silver bullet and it can be bypassed. Overreliance on it can lull organizations into complacency around the most basic authentication factor: the password. If that password is weak, reused, or already known to attackers, they’re one step closer to breaching your perimeter.
Key Insights into the Limits of MFA
This news analysis highlights several critical implications:
- The MGM Resorts Hack as a Case Study: The major hack on MGM Resorts in September 2023 serves as a textbook example of how attackers can bypass MFA using social engineering. The attackers, allegedly the Scattered Spider group, obtained a valid employee username and password. They then called the help desk, impersonated the employee, and convinced a help desk employee to change the employee’s password and disable their MFA. This allowed the attackers to gain access to the company’s network, which led to a catastrophic shutdown of its casino and hotel operations.
- Five Tactics Attackers Use to Bypass MFA: Attackers are using a variety of sophisticated and evasive tactics to bypass MFA. These include:
  - MFA fatigue attacks: By triggering dozens of push notifications in quick succession, attackers wear down victims until they approve “just to make it stop.”
  - SIM swap & SMS hijack: Defaulting to SMS-based one-time codes exposes users to mobile-network attacks that hand control of the second factor over to the adversary.
  - Social engineering at the help desk: Impersonating a locked-out user, an attacker convinces support staff to disable MFA or reset credentials, often using nothing more than a plausible story.
  - Session hijacking & token theft: Cookies and session tokens can be intercepted or stolen through malware and man-in-the-middle exploits, letting attackers bypass both passwords and MFA.
  - Exploiting backup methods: Forgotten-password questions, recovery codes, and email resets frequently lack the rigor of primary MFA channels, creating alternative pathways into accounts.
- The Importance of Password Hygiene: According to guidance from NIST, the US National Institute of Standards and Technology, a layered security approach must combine MFA with strong password policies. NIST’s guidelines recommend the use of strong passwords, including passphrases and a minimum length of 15 characters, to defend against brute-force attacks. They also recommend that organizations block known-compromised credentials to prevent users from choosing passwords that have already appeared in data leaks.
- Layering Strong Passwords and MFA: No single control can stop every attack. By pairing comprehensive password defenses with robust MFA on every critical system (Windows logon, VPNs, remote desktop, cloud portals, and more) you create multiple hurdles for adversaries to overcome. Even if one layer is bypassed, others remain to block or detect the intrusion.
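The two password controls above (a 15-character minimum and a block on known-compromised credentials) can be combined in one policy check. The following is an added example, not code from the original article or from any vendor it mentions; the breach corpus is a constructed in-memory stand-in, and the range lookup imitates the k-anonymity pattern used by breach-list services, where only the first five hex characters of the SHA-1 hash leave the client.

```python
import hashlib
from typing import Callable

MIN_LENGTH = 15  # the minimum the article recommends; length beats composition rules

# Constructed stand-in for a breach-compiled corpus: password -> times seen in leaks.
# A real deployment would query a k-anonymity range endpoint or a local mirror.
_KNOWN_BREACHED = {"password123456789": 42, "letmeinletmeinletmein": 7}

def _index_by_prefix(corpus):
    """Shape the corpus the way range lookups serve it: {prefix5: {suffix35: count}}."""
    index = {}
    for pw, count in corpus.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index

_RANGE_INDEX = _index_by_prefix(_KNOWN_BREACHED)

def range_lookup(prefix5: str) -> list:
    """Simulated range query: the caller sends only 5 hex chars of the hash and
    gets back every (suffix, count) pair the service knows under that prefix."""
    return sorted(_RANGE_INDEX.get(prefix5.upper(), {}).items())

def breach_count(password: str, lookup: Callable[[str], list] = range_lookup) -> int:
    """Return how often the password appears in the corpus without ever sending
    the full hash: the suffix comparison happens on the client side."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return next((count for s, count in lookup(prefix) if s == suffix), 0)

def evaluate_password(password: str) -> list:
    """Return policy failures for a candidate password; an empty list means accepted.
    Spaces are deliberately allowed so that passphrases pass."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    hits = breach_count(password)
    if hits:
        failures.append(f"found in breach corpus ({hits} times)")
    return failures
```

Because `breach_count` takes the lookup as a parameter, the same check can be pointed at a live range endpoint without changing the policy logic.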
Critical Mitigation Strategies for Resilient Authentication
In response to this security threat, immediate and robust mitigation efforts are essential:
- Enable and Harden MFA: If you haven’t already, this is the obvious place to start. Consider a simple, effective MFA solution that can protect Windows Logon, VPNs, and RDP connections.
- Enforce Strong Password Policies: Require at least 15 characters, as length offers the best protection against brute-force techniques. Passphrases are the best way to get users to create strong, long passwords. It is also critical to integrate real-time checks against breach-compiled lists to prevent users from choosing passwords that have already appeared in data leaks.
- Protect Your Service Desk: Enforce a secondary MFA challenge to confirm the identity of anyone contacting your service desk. This is a crucial step to prevent social engineering attacks from bypassing your security controls.
- Monitor for Unusual Login Patterns: Combine password and MFA logs to detect anomalies—like logins from unfamiliar locations or devices—and trigger step-up authentication when needed. This is a critical step in building a resilient security posture and preventing future breaches.
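The monitoring point above, together with the MFA fatigue pattern described earlier, can be turned into two concrete detection rules over merged password and MFA-push logs: a burst of push prompts for one user inside a short window, and an approval from a device/location pair the user has never used before, either of which should force step-up authentication. This is an added example, not code from the original article; the log lines and field names are constructed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

PUSH_BURST_LIMIT, PUSH_WINDOW = 5, timedelta(minutes=10)  # N prompts in W => fatigue
# Constructed sample: JSON lines merging password-auth and MFA-push events.
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:00:00","user":"alice","event":"password_ok","device":"LT-01","geo":"DE"}
{"ts":"2024-05-01T08:00:02","user":"alice","event":"push_approved","device":"LT-01","geo":"DE"}
{"ts":"2024-05-01T09:00:00","user":"bob","event":"password_ok","device":"LT-09","geo":"DE"}
{"ts":"2024-05-01T09:00:03","user":"bob","event":"push_approved","device":"LT-09","geo":"DE"}
{"ts":"2024-05-01T23:10:00","user":"alice","event":"password_ok","device":"UNK-77","geo":"BR"}
{"ts":"2024-05-01T23:10:05","user":"alice","event":"push_sent","device":"UNK-77","geo":"BR"}
{"ts":"2024-05-01T23:10:25","user":"alice","event":"push_sent","device":"UNK-77","geo":"BR"}
{"ts":"2024-05-01T23:10:45","user":"alice","event":"push_sent","device":"UNK-77","geo":"BR"}
{"ts":"2024-05-01T23:11:05","user":"alice","event":"push_sent","device":"UNK-77","geo":"BR"}
{"ts":"2024-05-01T23:11:25","user":"alice","event":"push_sent","device":"UNK-77","geo":"BR"}
{"ts":"2024-05-01T23:12:40","user":"alice","event":"push_approved","device":"UNK-77","geo":"BR"}
"""

def parse(log_text):
    """Parse JSON lines into event dicts ordered by timestamp."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def analyze(events):
    """Return {user: [(finding, timestamp), ...]} for the two anomaly rules."""
    findings, seen, pushes = defaultdict(list), defaultdict(set), defaultdict(deque)
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "push_sent":
            q = pushes[user]
            q.append(ts)
            while ts - q[0] > PUSH_WINDOW:      # drop prompts outside the window
                q.popleft()
            if len(q) == PUSH_BURST_LIMIT:       # alert once as the burst crosses N
                findings[user].append(("mfa_fatigue", ts))
        elif e["event"] == "push_approved":
            fingerprint = (e["device"], e["geo"])
            # First approval seeds the baseline; in production it comes from login history.
            if seen[user] and fingerprint not in seen[user]:
                findings[user].append(("unfamiliar_device_or_location", ts))
            seen[user].add(fingerprint)
    return dict(findings)

def step_up_required(user_findings):
    return len(user_findings) > 0  # any finding forces a stronger challenge
```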
Need Further Assistance?
If you have any further questions regarding this critical incident, suspect your personal data or your organization’s sensitive information may be compromised, or require advanced cyber threat intelligence and dark web monitoring services, you are encouraged to use the ‘Ask to Analyst’ feature to consult with a real expert, contact Brinztech directly, or, if you find the information irrelevant, open a support ticket for additional assistance.