Multi-Factor Authentication Fail: Single MFA Token Used to Gain Access to All Accounts

August 18, 2018


Multi-factor authentication helps safeguard accounts and defend against phishing attacks. Even if a correct username and password combination is obtained, the account cannot be accessed without the second factor (e.g. an SMS message, token, device, or email address).

As the recently disclosed data breach at Reddit showed, multi-factor authentication is not a silver bullet. Reddit used SMS messages to a user's mobile phone as the second factor, but for one employee the SMS message was intercepted and used to gain access to an account and a database of user credentials.

Several data breaches have been reported in which multi-factor authentication failed to block account access, but a recently discovered vulnerability has made bypassing multi-factor authentication far simpler.

Andrew Lee of Okta discovered a vulnerability in Microsoft's Active Directory Federation Services (ADFS) that allows MFA to be bypassed on all accounts using a single MFA token. If a username and password are known, an account can be accessed without the MFA token for that account.

The vulnerability affects all organizations that use ADFS to manage identities and resources, as well as third-party MFA vendors that provide an agent integrating their MFA with ADFS.

All that is needed is a username, password, and usable MFA token for one account. By exploiting the vulnerability, that MFA token can be used to access a second account on the same Active Directory service if that account's username and password are known. Those credentials could easily be obtained through phishing.

This vulnerability would be easiest to abuse by an employee who already has a username, password and MFA token of their own.

This is possible because ADFS was not checking that the credentials entered matched the MFA token. During authentication, the server sends an encrypted context log which is properly signed and encrypted. That log contains the MFA token but not the username, so it is not possible to verify that the token is being used by the right person.

Lee said the flaw is easy to fix: Microsoft only needs to include the username in the signed data of the MFA context log.
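To make the binding problem concrete, the following is an added toy model written for this article, not ADFS code and not from Okta's report: an HMAC-signed MFA context in the unpatched form (signs only that MFA passed) beside the patched form (also signs the username). The key, the claim names and the `issue_mfa_context` / `complete_logon` functions are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets

# Constructed stand-in for the server's secret signing key.
SERVER_KEY = secrets.token_bytes(32)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_mfa_context(username: str, bind_username: bool) -> str:
    """Issued once the user's second factor is accepted.
    Unpatched model: signs only the fact that MFA passed.
    Patched model:   also signs the username it passed for."""
    claims = {"mfa_ok": True}
    if bind_username:
        claims["user"] = username
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return f"{b64url(body)}.{b64url(sig)}"

def complete_logon(context: str, username: str, password_ok: bool) -> bool:
    """Final leg of the logon: password result plus the presented MFA context.
    Accepts only an authentic context that says MFA passed and, when the
    context names a user, names the account actually being accessed."""
    if not password_ok:
        return False
    body_b64, sig_b64 = context.split(".")
    body = base64.urlsafe_b64decode(body_b64)
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(base64.urlsafe_b64decode(sig_b64), expected):
        return False  # forged or tampered context
    claims = json.loads(body)
    if not claims.get("mfa_ok"):
        return False
    if "user" not in claims:
        return True  # the flaw: nothing in the signed data ties MFA to this account
    return hmac.compare_digest(claims["user"].encode(), username.encode())

def demo() -> dict:
    """alice holds a valid context; bob's password is known but his token is not."""
    unbound = issue_mfa_context("alice", bind_username=False)
    bound = issue_mfa_context("alice", bind_username=True)
    return {
        "unpatched_alice_context_on_bob": complete_logon(unbound, "bob", True),
        "patched_alice_context_on_bob": complete_logon(bound, "bob", True),
        "patched_alice_context_on_alice": complete_logon(bound, "alice", True),
    }
```

In the unpatched model the signature checks out yet the context says nothing about which account it belongs to, so the password check alone decides; binding the username into the signed data turns the same replay into a rejected logon.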

The fix has now been made. Microsoft patched ADFS and corrected the flaw in its Patch Tuesday updates on August 14. All organizations are advised to apply the patch as soon as possible.