
2FA? We've heard of it: White hats weirded out by lack of account security in enterprise

Anonymous Coward

O365's MFA is very, very weak

Most of the phishing attempts I see are aimed at O365, and without MFA it's really trivially easy for an attacker to persuade SOMEONE in the organisation to let them in.

As far as I can tell, out-of-the-box there are four options.

1) An MFA phone call, where Microsoft's automated systems ring you on a predefined number and you have to press "#" to let them in. This is the simplest and by far the most worthless level of MFA they offer. Users get so used to authorising MFA that they'll happily do it when it's the Lads from Lagos logging in. Worse still, I've seen the MFA call go to hunt groups and really anything can happen then.

2) A push notification to an Authenticator app. A tiny bit better than a phone call, but I believe it can be used even when the phone is locked, and the phone also needs access to a data network. Still quite easy to authorise an attacker without thinking about it.

3) A text message. A bit better because it isn't quite so easy to authorise the attackers accidentally, but it does require the phone to have a signal when you want to log on. Works with dumb phones, but on most devices these days the SMS message can be read with the phone locked, so an attacker with physical access to the phone can easily see it. Or they can hijack the SIM. Or they can simply phish for the MFA token as well in real time or use an evil proxy. However, random MFA SMS messages arriving is a good sign that something is wrong.

4) An RSA-style access token from the authenticator app. Unlike the first two "push" notifications where it's quite possible to authorise an attacker accidentally, you actually have to enter this into the login screen. Potentially you could install malware on the phone to subvert this, but by far the simplest method around it is to phish for the token and then the attacker can log in within the time window the token is still valid, through an evil proxy for example.

So the problem with installing any one of these MFA techniques is that they'll only keep you safe-ish, and as more people migrate to them, the attackers will become more sophisticated too. I've certainly seen several successful phishes bypassing the first type of MFA. I don't think the others will be far behind.

It's not a reason not to install MFA though. Even if it just blocks 90% of harvested credential attacks, it's a damned sight better than none.
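The point about option 4 (a phished code being replayed "within the time window the token is still valid") is easy to see with the actual arithmetic. The following is an added example, not code from the commenter's post and not Microsoft's implementation: it is a plain RFC 6238 TOTP generator of the kind authenticator apps use, plus a verifier that accepts one 30-second step either side of the current one (that tolerance is an assumption; real services vary). The secret is the RFC 6238 reference key and the "phish" timestamps are constructed, so the expected codes are checkable against the RFC's own test vectors.

```python
# Added example (not from the commenter's post): RFC 6238 TOTP as used by
# authenticator-app "RSA-style" codes, plus a verifier with an assumed
# one-step-either-side tolerance. It shows why a code phished through a
# proxy and relayed within a minute still logs the attacker in, while
# a stale one does not.
import hashlib
import hmac
import struct

# RFC 6238 reference secret (ASCII "12345678901234567890"). A real
# enrolment uses a random per-user secret; this one is for the worked example.
SECRET = b"12345678901234567890"
STEP = 30      # seconds per code
DIGITS = 6
WINDOW = 1     # assumed verifier tolerance: +/- one step (30 s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """The code the user's app displays at Unix time `at_time`."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                step: int = STEP, window: int = WINDOW) -> bool:
    """Server-side check: accept the current step or `window` steps either side."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def relay_succeeds(secret: bytes, phish_time: int, replay_time: int) -> bool:
    """Victim types the code at `phish_time` on the proxy's fake login page; the
    attacker submits it to the real service at `replay_time`. True if accepted."""
    return verify_totp(secret, totp(secret, phish_time), replay_time)


if __name__ == "__main__":
    # Constructed scenario: victim is phished at an RFC 6238 test-vector time,
    # one second into a 30 s step. The attacker replays after various delays.
    phish_time = 1111111111
    print("code shown to victim:", totp(SECRET, phish_time))
    for delay in (5, 40, 70, 120):
        verdict = "accepted" if relay_succeeds(SECRET, phish_time, phish_time + delay) else "rejected"
        print(f"replay {delay:>3}s after phish: {verdict}")
```

With a ±1-step verifier the phished code is accepted for anything up to roughly 30 to 60 seconds after the victim types it, which is far longer than an automated proxy needs; only a stale relay (70 s or more here) fails. The code itself is not what stops the attack, so the defence the commenter implies is correct: treat an unexpected prompt as a signal, not just an interruption.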
