Multi-factor authentication is stronger than single-factor authentication, but not all MFA is phishing-resistant. One method of potential MFA compromise involves the use of device prompting as the second factor. In the device-prompt scenario, the user is presented with a pop-up window on their cell phone, asking “Are you signing in?”. Be aware of the following method used to bypass MFA with the phone prompt option. Consider this example scenario, leading to Google account compromise:
- The legitimate user receives an email phishing attempt.
- The user clicks a link in the email, which takes them to a fake login page for Google.
- The fake login page passes credentials entered by the user to the scammer/scam software.
- The valid user’s credentials are used to sign the scammer into Google.
- Google then sends the legitimate user a prompt on their cell phone to verify that they are signing in. The user believes they are signing in, so they click to confirm the login on their phone. This gives the scammer full access to the user’s Google account.
After an account compromise such as this example, to secure the account, suspend the account, revoke all sign-in cookies for the user, and then initiate a password change. The organization’s cyber incident response process should be followed to investigate, respond to, and recover from the account compromise.
To prevent future account compromise, weigh the convenience vs. safety of any allowed method of authentication, including multi-factor options, and ensure users are familiar with attackers’ strategies to circumvent MFA. To protect sensitive accounts and data, consider phishing-resistant passkeys instead of MFA with passwords.
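To make the difference between the two second factors concrete, here is an added Python model (not code from the original page, and not Google's implementation) of the relay in the scenario above: a phone prompt carries no information about which site the password was typed into, whereas a passkey assertion is bound to the domain of the page that requested it, so the real site rejects one obtained on a look-alike page. The domain names and the HMAC stand-in for the WebAuthn signature are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed example values (assumptions, not from the original page).
REAL_RP_ID = "accounts.example.com"    # the real relying party's domain
PHISH_RP_ID = "accounts-example.com"   # look-alike domain of the fake login page


# --- Push-prompt MFA: the second factor is a bare yes/no ------------------
def push_prompt_login(password_ok: bool, user_taps_approve: bool) -> bool:
    """Nothing in the phone prompt says which site the password was typed
    into, so a login relayed from the fake page succeeds as soon as the
    user, who believes they are signing in, taps 'Yes'."""
    return password_ok and user_taps_approve


# --- Passkey login, reduced to the origin-binding step ---------------------
# Real WebAuthn signs with a per-credential private key; here the signature
# is stood in by an HMAC over a per-credential secret so that the block runs
# with the standard library only. The binding logic is the same.
def make_credential() -> bytes:
    return secrets.token_bytes(32)  # registered with the real site at enrolment


def authenticator_assert(key: bytes, page_rp_id: str, challenge: bytes) -> dict:
    """The browser supplies the domain of the page that asked; the
    authenticator puts its hash (WebAuthn's rpIdHash) inside the signed
    data. Tapping 'approve' cannot change which domain gets signed."""
    rp_id_hash = hashlib.sha256(page_rp_id.encode()).digest()
    sig = hmac.new(key, rp_id_hash + challenge, "sha256").digest()
    return {"rp_id_hash": rp_id_hash, "challenge": challenge, "sig": sig}


def rp_verify(key: bytes, challenge: bytes, assertion: dict) -> bool:
    """The real site accepts only assertions bound to its own domain."""
    if not hmac.compare_digest(assertion["challenge"], challenge):
        return False
    own_hash = hashlib.sha256(REAL_RP_ID.encode()).digest()
    if not hmac.compare_digest(assertion["rp_id_hash"], own_hash):
        return False  # signed for another domain: relayed from a fake page
    expected = hmac.new(key, own_hash + challenge, "sha256").digest()
    return hmac.compare_digest(assertion["sig"], expected)


def passkey_login(key: bytes, page_rp_id: str) -> bool:
    """Round trip: the real site issues a challenge, the user's browser
    (showing page_rp_id) answers it, the real site verifies the answer.
    With page_rp_id == PHISH_RP_ID this models the relay in the scenario."""
    challenge = secrets.token_bytes(32)
    return rp_verify(key, challenge, authenticator_assert(key, page_rp_id, challenge))
```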
