How MFA is Bypassed: Attacker in the Endpoint
Hi, I'm Joshua from Beyond Identity, and we should talk about attacker-in-the-endpoint attacks on MFA. This attack method is used to bypass legacy MFA and continues to be a popular cyber attack. An attacker-in-the-endpoint attack relies on a remote access Trojan, a malicious program that a bad actor tricks a user into installing. A user can easily download a suspicious file or, more likely, a tainted web browser extension containing this Trojan.

Once a bad actor manages to compromise the system, they can install the Trojan, which will monitor the user's activities. Now, suppose the user logs into their bank account. Once the user gets past MFA, the malicious software runs a hidden browser session in the background, inside the user's already-authenticated login. The bad actor then uses this hidden session to move money from the user's bank account to the bad actor's account.

It's called an attacker-in-the-endpoint attack because the attacker has to gain access to the victim's system to carry it out. MFA has been successfully bypassed, and the attacker makes off with the user's funds. In addition to phishing-resistant MFA, organizations need to complement this strong MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals such as group membership, IP location information, and device security posture, among others.

With Beyond Identity there are no passwords, or phishable factors for that matter. Should an attacker try to use this method to steal credentials, they wouldn't be able to. And Beyond Identity's crowning achievement is our robust risk-based policy engine and continuous authentication. With Beyond Identity, you can set a list of security policies a device must meet for the authentication to be approved. The policy engine can evaluate things like whether the firewall is enabled, whether the operating system is up to date, and when and where a user is logging in from. If a device does not meet these policies, the authentication will be unsuccessful, and you can even automatically quarantine that device.

After the initial authentication, Beyond Identity automatically checks that the device remains within policy as frequently as every 10 minutes, re-validating the device's security in the background without any added friction for the user. A truly invisible, continuous authentication experience. With Beyond Identity you are always verifying and never trusting. Let us take on your burden of authentication and help you lay the foundation for your zero trust architecture.
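The conditional access evaluation and the background re-check described above can be sketched as a small policy engine. This is an added example written for this page, not Beyond Identity's product code; the signal names, the thresholds, and treating the 10-minute re-check interval as a policy parameter are assumptions chosen to mirror the text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed signal and policy shapes; the field names are assumptions, not a vendor API.
@dataclass
class DevicePosture:
    firewall_enabled: bool
    os_version: tuple               # e.g. (14, 2)
    login_time: datetime            # UTC
    login_country: str
    groups: list = field(default_factory=list)
@dataclass
class Policy:
    min_os_version: tuple
    allowed_countries: set
    allowed_hours: range            # UTC hours in which sign-in is permitted
    required_group: str
    quarantine_on_failure: bool = True
    recheck_interval: timedelta = timedelta(minutes=10)

def evaluate(posture, policy):
    """Return 'allow', 'deny' or 'quarantine' plus the list of failed checks."""
    checks = [
        ("firewall_disabled", not posture.firewall_enabled),
        ("os_out_of_date", posture.os_version < policy.min_os_version),
        ("unexpected_location", posture.login_country not in policy.allowed_countries),
        ("outside_allowed_hours", posture.login_time.hour not in policy.allowed_hours),
        ("not_in_required_group", policy.required_group not in posture.groups),
    ]
    failures = [name for name, failed in checks if failed]
    if not failures:
        return {"decision": "allow", "failures": []}
    decision = "quarantine" if policy.quarantine_on_failure else "deny"
    return {"decision": decision, "failures": failures}

def continuous_check(samples, policy):
    """Re-check (timestamp, posture) samples at most once per recheck_interval; return revoke time or None."""
    last = None
    for ts, posture in samples:
        if last is not None and ts - last < policy.recheck_interval:
            continue                # not yet due for a background re-check
        last = ts
        if evaluate(posture, policy)["decision"] != "allow":
            return ts
    return None

# Constructed sample policy and a helper that builds posture snapshots over a session.
POLICY = Policy((14, 0), {"US"}, range(6, 22), "finance")
def sample(minutes=0, firewall=True, os_ver=(14, 2), country="US", groups=("finance",)):
    when = datetime(2024, 1, 1, 10, tzinfo=timezone.utc) + timedelta(minutes=minutes)
    return DevicePosture(firewall, os_ver, when, country, list(groups))
```

A posture change between two scheduled checks is only caught at the next check, which is why the re-check interval is itself a security parameter.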