Multi-Factor Authentication Fail: Single MFA Token Used to Gain Access to All Accounts

August 18, 2018

Multi-factor authentication helps safeguard accounts and defend against phishing attacks. Even if a correct username and password combination is obtained, the account cannot be accessed without the second factor (e.g. an SMS message, token, device, or email address).
As the recently disclosed data breach at Reddit showed, multi-factor authentication is not a silver bullet. Reddit used SMS messages to a user's mobile phone as the second factor, but for one employee the SMS message was intercepted and used to gain access to an account and a database of user credentials.
Several data breaches have been reported in which multi-factor authentication failed to stop account access, and a recently discovered vulnerability has made bypassing multi-factor authentication far easier.
Andrew Lee of Okta found a vulnerability in Microsoft's Active Directory Federation Services (ADFS) that allows MFA to be bypassed on all accounts using a single MFA token. If a username and password are known, an account can be accessed even without the MFA token for that account.
The vulnerability affects all companies that use ADFS to manage identities and resources, and third-party MFA vendors that provide an ADFS agent for MFA.
All that is required is a username, password, and a valid MFA token for one account. By exploiting the vulnerability, that MFA token can be used to access a second account on the same Active Directory service if that account's username and password are known. Those credentials could easily be obtained through phishing.
This vulnerability would be easiest to exploit by an employee, who would already have a username, password and MFA token.
This is possible because ADFS was not checking that the credentials entered matched the MFA token. During authentication, the server sends an encrypted context log which is properly signed and encrypted. That log contains the MFA token but not the username, so it is not possible to check that the token is being used by the correct person.
Lee said the flaw is easy to fix: Microsoft would only need to include the username in the signed data of the MFA context log.
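The following is an added example, not code from Okta, Microsoft or the ADFS product, that models the design flaw described above and the fix Lee proposed. It assumes a simplified stand-in for the signed context log: a JSON payload with an HMAC appended, a constructed server key and a constructed two-user directory. The "unbound" functions sign only the MFA token, so a context completed for one account verifies for any other account whose password is known; the "bound" functions include the username in the signed data and reject a context issued for a different account.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-ins for this demo: a server signing key and a user directory.
# Neither is an ADFS key or format; they only model "signed context" vs "login".
SERVER_KEY = b"demo-only-server-signing-key"
USERS = {
    "alice": {"password": "alice-pw", "mfa_token": "token-alice"},
    "bob": {"password": "bob-pw", "mfa_token": "token-bob"},
}


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def _encode(fields: dict) -> str:
    """Serialise the fields and append an HMAC so a client cannot alter them."""
    payload = json.dumps(fields, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def _decode(context: str) -> Optional[dict]:
    """Return the signed fields, or None if the context is malformed or forged."""
    try:
        body, sig = context.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    return json.loads(payload)


def _password_ok(username: str, password: str) -> bool:
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(user["password"], password)


def _mfa_token_ok(token: str) -> bool:
    # Models the MFA agent confirming the token is one it issued, for any user.
    return any(hmac.compare_digest(u["mfa_token"], token) for u in USERS.values())


# --- Flawed design: the signed context carries the MFA token but no username ---

def issue_context_unbound(mfa_token: str) -> str:
    return _encode({"mfa_token": mfa_token})


def login_unbound(username: str, password: str, context: str) -> bool:
    fields = _decode(context)
    if fields is None or not _password_ok(username, password):
        return False
    # Nothing ties the completed MFA step to the user who is logging in.
    return _mfa_token_ok(fields.get("mfa_token", ""))


# --- Fixed design: the username is part of the signed data ---

def issue_context_bound(username: str, mfa_token: str) -> str:
    return _encode({"username": username, "mfa_token": mfa_token})


def login_bound(username: str, password: str, context: str) -> bool:
    fields = _decode(context)
    if fields is None or not _password_ok(username, password):
        return False
    # Reject a context that was completed for a different account.
    if not hmac.compare_digest(fields.get("username", ""), username):
        return False
    # And require the token to be the one registered to this same account.
    return hmac.compare_digest(USERS[username]["mfa_token"], fields.get("mfa_token", ""))


if __name__ == "__main__":
    ctx = issue_context_unbound("token-alice")
    print("unbound, bob presents alice's context:", login_unbound("bob", "bob-pw", ctx))
    ctx = issue_context_bound("alice", "token-alice")
    print("bound, bob presents alice's context:", login_bound("bob", "bob-pw", ctx))
```

The signature alone is not the point: in both designs the context is integrity-protected and a forged one is rejected. What the fix adds is a binding between the signed MFA result and the identity being authenticated, so the server can check the two match, which is exactly the check the unpatched ADFS lacked.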
The fix has now been made. Microsoft patched ADFS and corrected the flaw in its Patch Tuesday updates on August 14. All firms are urged to apply the patch as soon as possible to remedy the MFA flaw.