23 ways you can hack MFA solutions (Multi-Factor Authenication)

Table of Contents

Introduction

As cyberattacks become increasingly advanced and proficient at bypassing traditional authentication methods, adoption of multi-factor authentication (or MFA) solutions is fast becoming standard Identity and Access Management (or IAM) practice among organisations and individuals. Traditional single-factor authentication methods, such as the basic username and password combination, are becoming less and less effective at preventing security breaches and are on their way to becoming obsolete.

Years ago, MFA was typically only used by organisations that required the highest possible levels of security. In recent years, the adoption of MFA solutions has become much more widespread, with websites and services owned by huge companies like Microsoft, Google, and Facebook all implementing MFA solutions in their designs, either as the default or as an optional extra. Companies have reported significant increase in the ability to defend against common cyberattacks.

As MFA has become more popular, MFA solutions have also become less expensive. MFA tokens can often be purchased for only a few dollars for each device, meaning that MFA is a worthwhile investment for most organisations.

However, although the increased use of MFA is undoubtedly a great thing for cybersecurity, no authentication solution is 100% effective in all situations! Unfortunately, some advocates and vendors of MFA solutions tend to sell MFA as a magical solution that leaves users impervious to all cyberattacks, which can lull organisations into a partly false sense of security and lead them to neglect other vital security measures.

The truth is that although MFA is highly recommended and a significant improvement over traditional single-factor authentication, there are still ways for cyberattackers to hack MFA systems. In this guide, we will list the different ways that MFA systems can be hacked, and how you can defend against these attacks.

What is Multi-Factor Authentication?

Multi-factor authentication is a form of authentication where the user attempting to login to a service has to provide more than one verification of their identity in order to access the service. While single-factor authentication simply requires the user to input the correct username and password, an MFA solution requires one or more additional verifications.

Most MFA solutions are what is known as “two-factor authentication”, or 2FA. An example of 2FA is when, after a service has verified that the username and password are correct, an email is then sent to the user containing a link that grants access to the service. In other cases, a code (often known as a one-time password, or OTP) may be sent to the user via email or text message, which the user must then input in order to access the service. Some MFA solutions use more than two factors, and there are various other forms of verification that exist.

Before we explore the different ways that MFA solutions can be hacked, we will explain how MFA works in a little more detail and define some of the common terms that are used when describing MFA solutions.

Identity

When it comes to computing, the term “identity” refers to a unique label that is used to identify a user. This may be a username, an email address, or any other series of characters registered in that namespace.

Authentication processes all involve identities. An identity label is used to identify a user and must be created before the authentication process can take place. The creation of an identity and proof of ownership of that identity are two distinct and separate things, and both must be present in order for the identity label to be verified as belonging to that user. For example, face recognition may be used to prove a user’s ownership of an identity label, but the identity label itself is more likely to be a username, an email address, of a User Principal Name (or UPN).

Namespace

A “namespace” is a system that is used to collect and identify user identities and attributes. Examples of namespaces include Domain Naming System (or DNS), Lightweight Direct Access Protocol (or LDAP), and Microsoft Active Directory / Azure AD.

Authentication

“Authentication” is the term used to describe the overall process of a user’s identity being verified within a namespace, and the granting of the specific access permissions and privileges that are associated with that identity to the user.

Authentication Proofs

Authentication “proofs” (proof that a user has ownership of an identity that is stored in the namespace) are often kept in databases or registries that are stored on third-party servers, rather than stored by the service that the authentication process is granting or denying a user access to.

The storage locations of these authentication proofs are potential targets for cyberattacks, and therefore the security of these storage locations is critical. A secure storage location for authentication proofs should always involve the fewest possible number of administrators with full access and should also be constantly monitored and regularly audited. If authentication proofs are compromised in any way, the entire process of authentication is no longer secure or trustworthy.

Access Control Tokens / Tickets

An access control “token” (also often referred to as a “ticket”) is what is generated by a successful authentication and granted to that user’s identity. Access control tokens can be comprised of unique identifiers such as sequences of characters or can even be readable lists of information such as the access permissions of that specific user identity.

These tokens are not typically seen by the user and are instead implemented at the “back-end”. For example, on Microsoft Windows, access control tokens are usually created in the form of Kerberos tickets, NTLM tokens, or LM tokens. On other services and websites, tokens usually come in the form of HTML “cookies”.

Some access control tokens are only valid for a certain period of time, after which they expire, and the user must go through the authentication process again if they wish to retain access to the service. A common example of this is in online banking processes, where active user sessions “time-out” if a user does not interact with the webpage for a set amount of time. This feature is usually used to prevent unauthorised breach of access that happens when a user leaves their computer accessible to other people in a space such as a public library.

Authorisation

Authorisation is the step that takes place immediately after authentication. While authentication is the verification of a user’s identity, authorisation is the assigning of access permissions to that user. These permissions will have been previously determined before authentication takes place. Typically, access control tokens are automatically submitted by the program for authorisation. Once issued, an access control token is usually not checked for each subsequent attempt to access resources—the token itself is considered proof that the user has been authenticated.

For example, authorisation is the process that distinguishes a typical user from an administrator, or from a user of a service who has been specifically restricted from accessing specific resources.

Whatever methods of authentication are used, the access control token that is assigned to the user will be the same. The token itself is what grants access permissions, and the method of authentication (e.g., username and password, fingerprint, etc) is not sent around a network to be verified by individual platforms or services that the user is attempting to access. While this streamlines the authentication process, it also means that if access control tokens are compromised by cyberattackers, the method of authentication is irrelevant. The fact that systems use access control tokens as proof of authorisation without checking the authentication method means that these tokens are often illegitimately intercepted and used to hack MFA systems.

Servers and Clients

The process of authentication is typically carried out by two parties known as the server and the client. The server is the application that is authenticated to, and the client is the object that is authenticated to the server. However, some authenticating objects act as either a server or as a client, depending on the authentication process.

More than one server can also be involved in authentication, meaning that there can sometimes be several different authentications occurring at the same time. For example, in Kerberos, the client authenticates to the authentication server as well as to the target server.

One-Way Authentication and Two-Way Authentication

When either a client authenticates to a server, or vice versa, this is known as “one-way authentication”. However, if each authenticates to the other at the same time, this is known as “two-way authentication”, or sometimes as “mutual authentication”. The success of two-way authentication is dependent on both client and server authenticating successfully, otherwise, the authentication process will fail.

One-way authentication is much more common than two-way authentication. Web servers that use HTTPS use one-way authentication, with the server sending its HTTPS/TLS digital certificate to the client in order for the client to verify the server’s identity. With one-way authentication, the server proves its identity to the client, but not the other way around.

Authentication Factors

Authentication factors are what authentication processes require alongside a user’s identity in order to grant that user access to resources. An authentication factor is something that theoretically only that user knows or is able to provide. There are three main types of authentication factors— “Something You Know”, “Something You Have”, and “Something You Are”.

Something You Know: Examples of Something You Know include passwords, dot-connecting patterns, and PIN.

Something You Have: Examples of Something You Have include smartcards, USB tokens, dongles, and RFID transmitters.

Something You Are : Examples of Something You Are include fingerprints, biometrics, and retina scans.

Single-Factor Authentication vs. Multi-Factor Authentication

The reason that MFA increases the strength and efficiency of security systems is that it typically makes hacking into these systems significantly more difficult. If a hacker manages to obtain a password, then they are likely to be able to gain full access to a service that uses single-factor authentication. However, to gain full access to a service that uses an MFA solution, a hacker would need to obtain other authentication factors in addition to this. The chances of this happening are usually significantly lower than the chances of just one authentication factor being compromised, although it does still happen!

The most effective MFA solutions include multiple different types of factors. However, MFA solutions that simply use more than one instance of the same factor type are still generally more secure than single-factor authentication solutions.

In-Band and Out-of-Band Authentication Factors

Authentication factors are separated into two categories; in-band authentication and out-of-band authentication. In-band authentication factors are carried out using the same communication channel as that of the login method, whereas out-of-band authentication entails the authentication factor being sent over a different channel.

To put this into an example, using a password and an email verification code or link would be considered in-band authentication if the user carried out both factors on the same web browser. However, if a code was sent to the user’s mobile phone, this factor would be classed as out-of-band authentication. Out-of-band authentication is generally considered more secure, as sometimes entire devices can be hijacked or stolen and used to carry out multiple factors of in-band authentication.

How Can MFA Solutions Be Hacked?

Although MFA is more secure and less vulnerable to hacks than single-factor authentication is, there are still various different ways that MFA solutions can be hacked. MFA hacking methods tend to come under one of three different umbrellas; Social Engineering, Technical Attacks, and a combination of the two.

Social engineering involves manipulating the human element of the authentication process so that it is misused, whereas technical attacks refer to hacks of software or hardware themselves despite no mistake being made by any human user.

In this list, we will describe the different ways that MFA solutions can be hacked, and how you can defend against each type of hack.

1. Session Hijacking

Session hijacking is where a legitimate authentication takes place, but the session is then hijacked by a third party. This can happen because of the theft of an access control token, which is often achieved via email phishing, Session Unique Identifier Prediction (which we will cover in the next point), theft of a token via a network’s communication channels, or theft of a token on the end-point.

Session hijacking is one of the most prevalent types of authentication hacking and can be difficult for systems to detect due to the fact that there is often no evidence of a breach in security—to administrators, it simply appears as if the intended user has logged into the service.

2. Session Unique Identifier Prediction

Successful authentications to websites result in the user receiving a unique session token. This can come in the form of a "cookie" or a URL string, either of which will contain a unique identifier that verifies the user and grants them access.

However, weaknesses are possible when unique identifiers are predictable and can be guessed correctly by hackers. Sometimes hackers can predict these identifiers by signing into a website as multiple authenticated users, finding patterns or sequences in the identifiers, and using these to predict the identifiers of other users. A common way for sites and services to prevent this is to use randomly-generated identifiers.

3. Session Hijacking Proxy Attack

A Session Hijacking Proxy Attack is a form of Man-in-the-Middle (or MitM) attack. To carry out a Session Hijacking Proxy Attack, a hacker must get "between'' the server and the client. This can be achieved by using shared wireless networks such as those in public places, or it can be carried out remotely by sending phishing emails that link to fake proxy sites that steal user credentials. This can be achieved fairly easily even by inexperienced hackers by using hacking tools that can be easily downloaded online for free!

4. Faking Authentication

This type of hack does not require any kind of breach of the target website's security. Instead, the hacker directs the user to a fake site that disguises itself as the user's intended site and simulates the login process. When the user puts in their login details, the hacker then has possession of these details.

For example, the user is redirected by a site to an authenticator app. The app displays a code, which the user enters into the site. In this case, the fake site does not actually take the user's access control token, but can display fake error messages prompting the user to input additional security information such as password details, the answers to security questions, or even credit card information!

This common hack has been addressed by some MFA solutions by not sending a code unless the site itself is involved. Other ways that MFA solutions have addressed this include sending the user their location as well as the URL. This is so that users can potentially detect MitM attacks by checking that the location matches theirs. However, these methods can also be bypassed, and are often not used in the first place due to the increase in time taken to carry out the login process. Ultimately, because this type of hack is not a breach of the MFA solution itself, it can be hard to avoid.

Cyber criminal trying to hack MFA via fake website

5. Man-in-the-Endpoint Attacks

With Man-in-the-Endpoint attacks, the hacker manages to gain full admin access to a device. Like some of the other hacks on this list, this means that to the MFA system, the hacker is indistinguishable from the legitimate user.

6. Banking Trojans

If a hacker manages to gain access via a Man-in-the-Endpoint attack, they may be able to secretly start a hidden second browser session alongside the legitimate user's session. This can happen through the use of a form of malware called banking trojans, also known as "bancos trojans" as they often originate from South America. A banking trojan can enter a computer's system through outdated software or other methods typically used by malware.

A banking trojan scans a user's browsing sessions for keywords such as "bank" and similar terms. When it detects the use of these terms, it can monitor a user logging into financial institutions, and then change the user's contact details and use them to transfer that user's funds to a separate account.

The traditional method of combating this type of hack was the sending of authentication codes that only correspond to a specific financial transaction. However, banking trojans can still use these codes to carry out fraudulent transactions, and the bank will typically send the legitimate user an MFA code that corresponds to the fraudulent transaction open in the hidden browser session. The user, not knowing of the existence of this second session, will usually input this code, enabling the banking trojan to also use it.

Banking trojans were one of the first pieces of malware to adapt to MFA. However, banks often combat their use by sending users every detail of their transaction (e.g., location, amount of money, etc) rather than just a code without context.

7. MFA Software Modification

Any MFA solution requires a piece of software such as a program, interface, or API in order to work. In Microsoft Windows, for example, this interface is known as Cryptographic Service Providers (or CSP) or Key Storage Providers (or KSP). Hackers often target this software rather than the MFA solution itself, and change its settings so that the MFA solution is not even running. Although this type of attack is highly uncommon, a similar type of attack where network nodes are compromised and encryption keys stolen has been used by intelligence and law enforcement agencies.

8. MFA Hardware Modification

This type of modification by intelligence and law enforcement agencies is not just limited to software, but has also been used on physical hardware. For example, over 5 billion private encryption keys for mobile phone SIM cards were compromised by US and UK government agents at Gemalto, the world's largest manufacturer of SIM cards, in 2011. These SIM cards went on to be used to access MFA solutions by unwitting users.

9. SIM Swap Attacks

When people get a new mobile phone, most of the time they keep their existing SIM (Subscriber Identity Module) card and move it to their new device. Hackers have been taking advantage of this for many years now by gaining access to a legitimate user's SIM details and transferring them to different mobile devices.

There are many different ways to do this. One way is for the hacker to pretend to be the user and gain a mobile phone update or replacement from a physical store. This can also be carried out via the customer support service of the network provider. When a hacker manages to gain access to SIM details, this means that any text messages or phone calls intended for the legitimate user will be sent to the hacker's device. This often includes authentication factors such as OTPs!

While malicious SIM swaps happen frequently, for them to be used to hack into MFA systems typically requires the hacker to also gain access to additional information of the user, such as usernames and passwords. Because of this, this type of hack usually happens alongside, rather than instead of, other hacking methods on this list.

10. SMS Rogue Recovery

This type of attack is one of the more common types of MFA hack. The only thing that a hacker needs to gain access to in this case is a user's email address and phone number. These pieces of identifying information are some of the least difficult for hackers to gain access to.

SMS Rogue Recovery attacks usually happen a certain way. The hacker will send a text message to the user, pretending to be that user's email provider and prompting them to send back a verification code that has been sent in another message. Simultaneously, the hacker tries (and fails as they don't know the user's password) to sign into their email system, before choosing the password reset option that sends a verification code to the user.

The legitimate user receives the verification code in a text message from their email provider and sends it as a reply to the fraudulent message from the hacker. The hacker then uses this code to set their own password and gain full access to the user's account.

This can be defended against by users remaining vigilant and checking the number that these rogue recovery messages have come from. Other ways to reduce user vulnerability to this hack include limiting posting their phone number publicly, and recognising when recovery codes are intended to be typed into web browsers rather than into text messages.

Cyber criminal stealing data via mobile phone

11. Recovery Code Attacks

The most widely used MFA solutions from companies such as Microsoft and Google often have backup authentication methods which are significantly less secure than their primary authentication methods.

For example, if an MFA solution offers a backup method such as a code sent via email or text message, a hacker who has access to the user's email account or phone number can often simply pretend to the MFA service that they are unable to login using the primary authentication method.

12. Security Question Attacks

One common yet particularly insecure backup authentication method is the asking of security questions. Many websites even require the user to choose security questions to provide answers to which are used as verification of identity. Popular security questions include "what is your mother's maiden name" and "what was the name of the first pet that you had as a child?"

A research study by Google found that not only did almost half of users fail to remember their own recovery answers, but also that the answers to some common questions were able to be correctly guessed by hackers up to a fifth of the time! In addition to this, many answers can also be found in users' public social media profiles.

MFA solutions that use security questions as an authentication factor are best avoided. Thankfully, companies like Microsoft and Google have stopped using security questions. If you do have to use an MFA solution that uses security questions, a way to reduce the chance of your account being compromised is to avoid using true answers and instead use false ones which would never be guessed, and to make a note of the answers to these in a place that hackers would be unable to access.

13. Duplicate Code Generators

Many MFA solutions use OTPs, which are displayed by software such as Google's Authenticator app. These OTPs are uniquely identified and use a randomly generated "seed value". The seed value is the secret that is shared between the authentication app and the service that the user is attempting to access. Seed values are stored in databases which can be targeted by cyberattackers. If a hacker accesses this database, they can create a duplicate code generator for a user! Software that enables code generators to be emulated has been freely available online for two decades, and even highly secure companies like the aerospace and defence technology giant Lockheed Martin!

14. Shoulder Surfing

When MFA solutions use a secret such as a simple PIN or a picture-based puzzle (e.g., Microsoft Windows' "Picture Password" or Apple's "connect the dots" iPhone login screen), this can be vulnerable to one of the oldest forms of "hacking"—shoulder surfing. Shoulder surfing refers simply to physically looking over somebody's shoulder as they input login information on their screen. Passwords can also sometimes be guessed by observing a device such as a phone or computer keyboard and checking for fingerprints or increased patterns of wear on keys.

Although this alone cannot breach MFA systems, when combined with other hacking methods and the obtaining of other user information, it can be the missing piece of the puzzle needed for hackers to gain access. When choosing an MFA solution, software that uses these kinds of highly visual passwords that can be seen from afar is not recommended.

Cyber criminal trying to hack mfa by looking at someone type in their password

15. Skimming Attacks

You may have heard of "skimming" attacks being used to target physical ATM machines, where secret recording devices or cameras are installed discreetly by criminals into these machines and used to capture users' credit card information and PINs.

However, this problem is not just limited to physical cash machines—MFA solutions can also be hacked in this way by hackers installing similar technology into MFA devices, or hacking remotely using methods such as NFC or RFID skimming. Making sure that an MFA solution has anti-skimming technology and/or practices is the best way to defend against this type of attack.

16. Theft of Devices

In some cases, a computer or other physical device that is used to log into MFA systems may be stolen or otherwise gained access to by a hacker. Although having physical control of a device does not necessarily mean that the hacker knows the passwords or other authentication proofs needed to access resources, many people store this information in files on a device's internal memory. If this is the case, then a hacker in possession of the device may well be able to find these files and gain access to the resources that require these authentication proofs.

This can be defended against by making sure that security of physical devices is strong (e.g., that they are in locked rooms when not in use, and that burglar alarms are installed), as well as by avoiding storing these authentication proofs on the same device that is used to login to systems.

17. Tech Support Social Engineering

However robust a company's cybersecurity programs and measures are, there is still a vital human element that hackers can use to their advantage. Tech support workers can be targeted and fooled by cyberattackers in ways that they can be persuaded to share authentication information. This can happen by hackers impersonating the user and requesting their password as they have forgotten it, or by impersonation that employee's superior and demanding authorisation is bypassed in order to carry out a critical task.

Hackers that use social engineering often apply stress to an employee (often by falsifying stressful and urgent situations) in order to make them forget standard protocol. Reliable and secure MFA solutions will have measures and employee training programs in place to reduce the threat of tech support social engineering.

18. Subject Hijacking

Because MFA solutions are linked to unique identity labels such as email accounts, login names, or UPNs, these themselves can be targeted by hackers. If hackers are able to access the namespace itself, they can often modify an identity label to use for their own purposes.

For example, this attack could be carried out on Microsoft's Active Directory using a smartcard. If a hacker were able to switch the UPNs of a low-level administrator and a high-level administrator, they could then use the low-level administrator's smartcard to fool the system into believing that they were the high-level administrator. They could then carry out any activity they chose to on the namespace, before switching the UPNs back to normal and logging out.

Ultimately, the way to prevent this kind of attack is down to the company's internal procedures and security policies. Attributes should be protected as securely as any other authentication secrets.

19. Faked or Stolen Biometrics

Examples of biometric attributes include fingerprints, retina scans, faces, and other unique physical attributes. There are also action-based biometrics such as mouse clicks, signatures, and typing attributes such as time taken for a user to get from one key to another when typing.

Biometric attributes are actually not typically entirely unique and can also be forged. For example, fingerprints have been successfully recreated by gelatin and even tricked fingerprint scanners. Ultimately, fingerprint recognition technology is simply not yet advanced enough to be able to correctly identify users without also flagging up false-negatives due to constant tiny changes (e.g., sweat, abrasions, etc) of our fingertips.

In 2015, almost 6 million fingerprints, including those belonging to every person who had ever applied for any kind of US government security clearance, were stolen in a cyberattack. The number of biometric attributes, such as images of faces used by facial recognition systems, stored in databases makes these databases ripe targets for hacks. One of the drawbacks to the use of biometric attributes for MFA is that, unlike factors such as passwords and PINs, they cannot be simply changed at will!

MFA solutions that use biometrics are not necessarily to be entirely avoided, but it is recommended to use an MFA solution that also uses other authentication factors alongside this.

20. Bugs in MFA Software

One issue with MFA solutions that can also be an issue with any form of software is bugs in the code. After all, code is written by humans, and humans often make errors! While some bugs can be so small as to be inconsequential or even unnoticeable, other bugs can be serious enough that they compromise the entire security of an MFA system!

The most well-known MFA bug to date was probably the ROCA vulnerability of 2017. This bug led to over 100 million smartcards being shipped out with a serious vulnerability. Any RSA encryption key pairing that had been generated by the Infineon Technologies RSALib cipher library included this major vulnerability which allowed hackers to gain access to these keys!

When choosing a provider of an MFA solution, it is worth doing a bit of research into their bug minimisation procedures. Programming methods such as Security Development Lifecycle (or SDL), which is used by many leading providers of MFA solutions, usually decrease the chances of bugs such as these being created.

21. Brute Force Attacks

An attack known as a "brute force" attack is one where persistence is used as the hacker's main weapon. MFA solutions that use "Something You Know" authentication factors like PINs or passwords are particularly vulnerable to these attacks. To carry out a brute force attack, a hacker simply tries repeatedly to guess this information correctly until they often succeed.

Although many sites and services only allow a limited number of incorrect guesses before an account is temporarily "locked", some MFA solutions do not have this feature. When choosing an MFA solution, it is probably best to opt for one that features account lockout or rate-throttling (e.g., "please try again in 3 minutes" messages) features.

22. Cold Boot Attacks

The term "cold boot attacks" encompasses a range of different methods that are used to capture keys stored on databases. Some of these methods involve exploiting weaknesses of physical hardware such as chips that are involved in the process of keeping these keys secure.

An example of this is when a device's internal memory stores a copy of the unencrypted version of a key. Attackers can literally "freeze" the internal memory of devices using cold compressed air and then install these components on other computers where the key could then be extracted!

A useful step to take in order to defend against cold boot attacks is to use MFA solutions that utilise at least two different types of authentication factors so that one single piece of hardware does not offer hackers everything they need to gain access to a system.

23. Electron Microscope Attacks

Perhaps the most technologically advanced and difficult to combat hack is when attackers literally use technology such as an Electron Microscope to discover encryption keys stored on chips or devices. Unfortunately, there is no currently-known way of defending against this kind of attack, either with or without an MFA solution! Thankfully, this form of attack is extremely rare.

How You Can Defend Against Attacks on Your MFA System

Thankfully, there are plenty of things that you can do to defend against potential attacks of your MFA system. These defence procedures tend to fall under one of two different categories—social defences and technical defences, which we will now explore in more detail.

Social Defenses

Social defenses entail training any and all users and administrators of your MFA system to be vigilant against social engineering hacks, and setting robust and rigid security policies in place. Remaining vigilant includes thinking before clicking on any kind of unfamiliar link, checking URLs of sites that are visited, and (most importantly) not allowing your trust in the security of MFA to cause you to neglect common sense security procedures!

Another factor to consider is what kind of defenses against social engineering your chosen MFA provider’s tech support team has—does the company have a policy regarding this?

Technical Defenses

There are many factors involving technology itself that can be used to defend against common MFA hacks. The first step to take is to make sure that you and any other users of a system choose to enable MFA in the first place! Some authentication systems simply offer MFA as an optional extra. It is always worth enabling MFA if you have the option to.

However, not all MFA solutions are created equal. MFA solutions that use SMS-based authentication factors are best avoided if possible. When it comes to the number of different authentication factors, more is usually better! Solutions that use two-way authentication (such as FIDO U2F's Channel or Token Binding) are also preferable to solutions that only use one-way authentication. Solutions that use SDL in their programming are usually preferable to those that do not, and solutions that incorporate rate-throttling and account lockout features are preferable to those that do not.

Different authentication factors are also most effective when spread across different bands, and when services offer financial transactions, systems that send the user all of the important details out-of-band before any confirmation is made are the most secure.

Conclusion

As we can see, MFA certainly isn’t immune to hacks. There is no such thing as a 100% hack-proof authentication system. While the MFA hacks on this list are certainly worth being aware of if you are considering either using or implementing an MFA solution, you shouldn’t be dissuaded from choosing to use MFA. Although MFA solutions can be hacked, MFA is still much more secure than traditional single-factor authentication.

Many of the potential security issues with MFA solutions can be overcome by establishing a strong security policy in your organisation and ensuring that all users are sufficiently trained in how to use authentication systems safely and securely. Keeping up to date on the latest developments in cybersecurity is also highly recommended, especially if you are responsible for implementing and running an authentication system.

How Overt Software Solutions Can Implement a Top-Quality MFA Solution?

Overt Software Solutions provide secure and high-quality MFA solutions to institutions and businesses all over the world. Overt have many years of experience in providing access management solutions, cloud computing, and learning management systems to educational institutions and many other types of organisations.

Overt’s MFA solution runs on the popular and trusted Shibboleth open-source access management software, and is fully integrated and fully compatible with Overt’s Shibboleth IdP (Identity Provider) product. It also features its own authenticator app which you can customise with your organisation’s branding, and is supported by OTP, FIDO, U2, Push Authentication, Google+, and Microsoft Authenticator. What’s more; it also includes a handy self-service password reset function that can significantly reduce the number of calls to your organisation’s support staff!

Overt MFA can also be hosted either onsite on your own infrastructure, or hosted in the cloud in a state-of-the-art data centre.

Not only can Overt install a first-rate MFA solution for your institution, but their team of highly qualified engineers and experts can provide quality tech support and excellent customer service from 9-5 (UK time) via telephone and 24/7 via their online support portal.

SEE OVERT'S MFA PRODUCTS

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
tve_leads_unique	1 month	This cookie is set by the provider Thrive Themes. This cookie is used to know which optin form the visitor has filled out when subscribing a newsletter.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
c3po.jpg	Session	This pixel tracker, set by metricool.com, collects data on the user’s navigation and behaviour on the website. This is used to compile statistical reports and heatmaps for the website owner.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook as part of their embedded services on our websites (likes, sharing etc.).
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
ClientId	1 year	No description available.
li_gc	2 years	No description
OIDC	6 months	No description available.
OutlookSession	session	No description available.
tl_1206_1206_4	1 month	No description
tl_544_544_1	1 month	No description