Multi-Factor Authentication Basics and How MFA Can Be Hacked

Multi-factor authentication is always better than single-factor authentication, but it is not unhackable. Here is why.


Multi-Factor Authentication Defined

Multi-Factor Authentication (MFA) is the process of a user or device providing two or more different types of proofs of control associated with a specific digital identity, in order to gain access to the associated permissions, rights, privileges, and memberships. Two-Factor Authentication (2FA) implies that exactly two proofs are required for a successful authentication, and is a subset of MFA.

No MFA Solution is Unhackable

“Most companies that use MFA are still successfully hacked.” — Roger Grimes, 2018


Contrary to popular belief, all multi-factor authentication mechanisms can be compromised, and in some cases, it is as simple as sending a traditional phishing email.

Decades of successful attacks against single-factor authentication methods, like login names and passwords, are driving a growing large-scale movement to more secure, multi-factor authentication (MFA) solutions in both corporate environments and by websites everywhere. This trend is exemplified by the fact that over the last few years, the most popular websites and services, including those owned by Google, Microsoft, Facebook, and Twitter, have offered MFA solutions to their customers. Many internet sites and services now offer both traditional login name/password solutions and more secure MFA options.

Some large companies like Google are reporting great success in defending against some common hacking attacks by moving their user base from single-factor to multi-factor authentication. MFA solutions are supported by default in the most popular operating systems, and additional MFA solutions are offered by hundreds of third-party vendors. Generic open MFA standards, such as those created by the FIDO Alliance, are being widely adopted.

MFA was previously used (mostly) by organizations and websites needing the highest security assurance. Today, MFA tokens are being offered or used by ordinary organizations and websites, and MFA tokens can be purchased for as little as a few dollars per device. Many consumers trust the security of MFA solutions so much that they are purchasing and using MFA, when possible and allowed, on every website and service that permits it.

The broader adoption of MFA is a positive development for computer defenses and will defeat many of the threats that would otherwise be more readily successful against single-factor authentication solutions. All other things being equal, all admins and users should consider and use MFA solutions instead of single-factor authentication solutions to protect sensitive data.

With all that said, the ability of MFA to reduce computer security risk has been overstated by many vendors and proponents, leading to a misunderstanding that applying MFA means all attacks that were successful against single-factor authentication cannot be successful against MFA. For example, many MFA admins and users believe that email phishing is no longer a threat because users cannot be phished out of their login credentials. This is not true.

While MFA does reduce, and in some cases significantly reduces, specific computer security risks, most of the attacks that could be successful against single-factor authentication can also be successful against MFA solutions. There are over a dozen ways to attack different MFA solutions. Often, a single MFA solution is susceptible to multiple exploitation methods.



Find out how your organization's MFA solution can be hacked by the bad guys now!

Roger Grimes explains why MFA solutions don't always work the way you expect. Run your free Multi-Factor Authentication Security Assessment (MASA) to find out the exact security risks of your MFA solution before the bad guys do!


Everyone knows that multi-factor authentication (MFA) is more secure than a simple login name and password, but too many people think that MFA is a perfect, unhackable solution. It isn't!

Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist and a security expert with over thirty years of experience, explores in this webinar 12 ways hackers can and do get around your favorite MFA solution.

In this webinar, KnowBe4's Chief Hacking Officer Kevin Mitnick presents a (pre-recorded) hacking demo, along with real-life examples of the various attack types succeeding. It ends by telling you how to better defend your MFA solution so that you get maximum benefit and security.

Multi-Factor Authentication Basics

Authentication Basics

Authentication is the process of a subject (e.g., user, device, group, service, etc.) proving ownership of a specific identity.


An identity is any unique (to the involved namespace) label that identifies a specific subject. Identities are usually represented by a login name (ex. johnd), an email address, or a unique series of characters, but can be any unique, previously agreed upon label within the same namespace.

A namespace is an organized system to help collect, identify, and locate specific entities and their related attributes. Commonly used namespaces include the Domain Name System (DNS), Microsoft Active Directory, and LDAP (Lightweight Directory Access Protocol) databases. A namespace can contain multiple identity labels for each subject (e.g., Active Directory can use DNS, LDAP, email addresses, and User Principal Names (UPN)), but each label must be unique within the same namespace and can represent only one subject.

All authentication and access control steps involve one or more identities. Every authentication involves an identity label, which uniquely identifies the subject doing the authentication. The identity must be created before, or as part of, the initial authentication process. The identity label should be different from what is used to prove ownership of the identity. For example, in Microsoft Windows, although a subject might use a fingerprint to authenticate (i.e., prove ownership of the identity), the label attached to an authentication attempt will probably be the user's Active Directory login name, their UPN, or their email address. The identity label is very important in the authentication process.


Authentication is the process of a subject providing proof of (sole) ownership of an authentication identity within a namespace, so that the identity and its associated permissions, memberships, rights, and privileges can be used in access control authorization operations related to that namespace.

The identity and the proofs of ownership of the identity must be previously, and hopefully securely, stored in at least one location (e.g., a table, database, registry entry, etc.) to be used in future authentication challenges. The authentication proofs are often not stored on the server/service/site directly involved in the authentication, and are instead stored on a third-party server/service/site involved in the authentication, which both parties (server and client) trust.

Each storage location is a potential attack vector for compromising authentication. Anyone using authentication should consider where the authentication proofs are stored, who has access to those locations, and how trustworthy the storage of those credentials should be considered. Storage of authentication secrets should always be restricted to the bare essential number of administrators and aggressively monitored and audited. If authentication secrets are compromised, the authentication process can no longer be fully trusted.

Authentication can succeed or fail. Only a successful, legitimate authentication should lead to the next process.

2-Factor 身份验证 Diagram

Access Control Token

After a successful authentication, in most cases, the access control process then associates an access control object (e.g., token, ticket, etc.) with the tested identity. What this access control token contains varies by system and protocol. In some systems, it may contain only another unique identifier, such as a series of numbers or characters. In other systems, it can contain a list of group memberships, permissions, privileges, and other needed information.

The token may or may not have a predetermined maximum lifetime, which upon expiration forces the subject to re-authenticate to remain in an “active” session. In Microsoft Windows, an access control token may arrive in the form of a Kerberos ticket or an NTLM or LM token. On websites and services, most access control tokens are represented by an HTML cookie, which is a simple text file.


Authorization is the process of comparing the now successfully authenticated subject's access control token against previously permissioned/secured resources to determine the subject's access to those objects. In most cases, once the subject has been granted an access control token, the subject (or in reality, a process or program acting on behalf of the subject) submits the access control token for authorization, and the subject does not need to re-authenticate until the token expires. Once the access control token has been issued, authentication is not tested for each and every authorization access attempt. Possession of the access control token is treated as proof of a successful authentication.



Regardless of how a subject successfully authenticated, be it a simple password, biometrics, or a multi-factor authentication token, after a successful authentication the access control token assigned to the identity is usually the same for all authentication methods and often bears little resemblance to the authentication method used.

For example, suppose a subject uses his/her fingerprint to log in to Windows and Active Directory using his/her laptop and the laptop's built-in fingerprint scanner. The authentication process takes place on the local laptop. The laptop's fingerprint recognition and authentication software and hardware combination successfully authenticate the user. At that point, the user's fingerprint is no longer used. The fingerprint is not sent around the network to be involved in access control operations. The user's fingerprint is not copied or sent to another networked computer so that the user can access a file or folder.

Instead, once the user has been successfully authenticated using his/her fingerprint (or another authentication method), the Windows operating system issues them a Kerberos ticket or an NTLM or LM token. The user (or more accurately, a process or program acting on the user's behalf) then uses that ticket or token for all access control authorization. And if an attacker can get their hands on the access control token, they don't care how you authenticated. Possession of the token, by legitimate means or not, is usually treated by authorization processes the same as if the holder of that token had successfully authenticated. The authorization process has no way of knowing whether or not the current holder of that access control token is the legitimate user or ever successfully authenticated. This key fact is often used by hackers to defeat multi-factor authentication.

This same concept applies more generally to the entire authentication process. Attackers exploiting authentication often look for weaknesses in implementations along the entire process. They will look to see if there are gaps in the linkages between identity, authentication, and authorization, and there often are.
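The point above, that an authorization check sees only the token and not how it was earned, shown as an added example (not code from the original page or any vendor): a toy session-token service with a naive authorizer beside one that applies two defenses this page later recommends, binding the token to its channel and giving it a short lifetime. The HMAC token format, the server key and the channel identifiers are all constructed for the demo.

```python
"""Added example, not code from the original page: a toy session-token service
that shows why an authorization check cannot tell a stolen token from a
legitimate one, beside the hardening this page's defense list calls for
(replay resistance, binding the token to its channel). The HMAC token format,
the server key and the channel identifiers are all constructed for the demo."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SERVER_KEY = secrets.token_bytes(32)  # constructed per process; never shared


def issue_token(user: str, channel_id: str, now: float, ttl: int = 600) -> str:
    """Issued after a successful authentication of any kind (password, fingerprint,
    MFA): the token records the user, the channel it was issued over (think TLS
    channel or device id) and an expiry, all protected by an HMAC."""
    exp = int(now) + ttl
    payload = f"{user}|{channel_id}|{exp}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def _parse(token: str) -> Optional[Tuple[str, str, int]]:
    """Return (user, channel_id, exp) if the HMAC is intact, else None."""
    try:
        user, channel_id, exp, mac = token.split("|")
    except ValueError:
        return None
    payload = f"{user}|{channel_id}|{exp}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return user, channel_id, int(exp)


def authorize_naive(token: str) -> Optional[str]:
    """Possession is proof: any intact token is honoured, whoever presents it,
    from wherever, and however the real user originally authenticated."""
    parsed = _parse(token)
    return parsed[0] if parsed else None


def authorize_bound(token: str, channel_id: str, now: float) -> Optional[str]:
    """Replay-resistant check: the token must arrive over the channel it was
    bound to and before it expires, so a copy presented from another device
    or replayed after expiry is rejected."""
    parsed = _parse(token)
    if parsed is None:
        return None
    user, bound_channel, exp = parsed
    if not hmac.compare_digest(bound_channel, channel_id) or now >= exp:
        return None
    return user
```

The naive authorizer is exactly the situation the text describes: it accepts the same string no matter who holds it, while the bound version turns a copied token into a detectable event (a valid MAC arriving on the wrong channel) rather than a silent success.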

Get your copy of the full 41-page eBook for everything you need to know about multi-factor authentication, including the information listed here, as well as a deep dive on the dozens of ways it can be hacked. Plus, you'll get advice on keeping your organization safe from the bad guys.


One-Way vs. Two-Way Authentication

Authentication is normally conducted between two or more parties, often referred to as the server (the object/application/process being authenticated to) and the client (the object authenticating to the server), and can be one-way or two-way. Many authenticating objects can act as either a server or a client depending on the reason for authenticating. That is, a physical server does not always act as the server, and vice versa. Additional servers may be involved in the authentication process, and therefore multiple authentications may occur during a single authentication event. A good example is Kerberos, where the client must authenticate to the Kerberos authentication server as well as to the intended target server.

Most authentication is one-way, meaning the client authenticates to the server or the server authenticates to the client, but not the reverse, at least within the same authentication event. A very common example is a web server using HTTPS. When HTTPS is involved, the web server has an HTTPS/TLS digital certificate linked to its identity (usually its DNS address). When a client connects to the web server over the HTTPS protocol, the server sends its HTTPS digital certificate to the client to prove its identity and to secure an encrypted channel in which to generate symmetric keying material. The client receives the web server's HTTPS digital certificate and verifies that the certificate is trustworthy. If successful, the client will trust the server to be the server it says it is (based on the subject's identity). In one-way authentication, the client does not prove its identity to the server, at least within the same transaction.

With two-way, “mutual” authentication, both the client and server authenticate to each other as part of the same authentication process. If one side fails, the other side automatically fails as well.

Authentication Factors

Proof of ownership of an identity is made by a subject supplying the identity and one or more authentication factors. An authentication factor is something only the subject knows or can provide, and by doing so, proves sole ownership of the authenticated identity. In general, there are only three basic types of authentication factors, widely known as:


  • Something You Know: password, PIN, Connect the Dots, etc.
  • Something You Have
  • Something You Are


You will sometimes hear of MFA solutions having more than three factors, but those solutions are referring to multiple instances of the same three factors. In order for the factors to be most protective in an MFA solution, the factors should be different.

One-Factor to Multi-Factor

The concept is that the use of two or three of these factors makes a hacker's job more difficult. For example, a hacker may be able to trick you out of your password, but it will take additional effort to also steal your hardware token if one is used in an MFA solution. Or if a malicious individual picks up your MFA hardware token, it would be useless to him/her without your associated PIN that is required to use it.

There are single-factor hardware solutions that look like an MFA solution, but do not require an additional factor. For example, existing versions of Google Security Keys™ and Yubikeys™ can be used as either single-factor or multi-factor. In their one-factor implementations, this means that if someone finds one of those hardware devices, and it is not otherwise secured, he/she can use it and take over the digital identity associated with the token. It might be more difficult for a hacker to obtain another person's single-factor hardware token than to phish him/her out of a password online, but once obtained, it means the immediate compromise of the identity. All other things being equal, MFA is always better than single-factor authentication for better security, although MFA is rarely universally allowed across all scenarios.

Although MFA solutions should always strive to require multiple factor types, even multiple instances of the same type of factor can improve security over single-factor authentication solutions. However, multiple uses of the same authentication factor IS NOT equivalent to the security given by additional authentication factor types. For example, if a user is required to use both a password and a PIN to log in (both the same type of authentication factor, “Something You Know”), then he/she can be phished out of both almost as readily as one. It's the additional factor types that provide the most protection because they require that the hacker do something completely different in order to be successful.

In-Band vs. Out-of-Band Authentication

Authentication factors can be considered in-band or out-of-band.

In-Band Authentication

"In-band" means that the authentication factor being used is conducted over the same communications channel as the primary login method.

Out-of-Band Authentication

"Out-of-band" is when the authentication factor is sent over a channel different from the primary login channel.

For example, if you're trying to log in to an internet service application and you are required to type in a password and a password recovery answer within the same browser, that is considered two instances of the same factor, both in-band. If, however, you are required to type in a password on your computer and also a second PIN code that was sent to your external cell phone, the second factor is considered out-of-band.

Even better, if you are required to respond to both separate-band authentication factors ONLY in those channels, and they aren't “cross-channel” (i.e., an authentication factor sent to you out-of-band can only be responded to in the same band as the other factor), then it provides more security assurance. Authentication factors sent on the same device, even if in different channels, are not considered as secure as authentication methods using different channels on different devices.

As the number of independent authentication factors and communication bands increases, so does security assurance. In most scenarios, using an MFA solution can only improve security, and MFA should be used where and when it makes sense to do so. Unfortunately, not all authentication scenarios allow MFA, and often not the same MFA solution. At least for now, in many scenarios users still need to use single-factor authentication methods.

Even when MFA is allowed and used, it can be hacked, sometimes just as easily as single-factor authentication solutions. MFA is good, but don't look at it as the holy grail of security assurance. It is a great tool for improving security, but there is a huge difference between MFA improving security assurance and MFA being unhackable. Understanding the difference is crucial to all entities and security administrators relying on MFA solutions. The key is not to over-rely on MFA as the security savior.

From this perspective, most companies using MFA solutions will still get hacked. This is because the most popular reasons for being compromised (e.g., social engineering, client-side attacks, unpatched software, and coding errors) are not completely mitigated by MFA. MFA can reduce, sometimes significantly, some forms of hacking. But if the companies involved don't address the biggest reasons why they are successfully hacked, then MFA will not prevent the hackers and malware from being successful. MFA is good, but it is just one piece of a big puzzle to solve.

MFA by itself does not make a company “unhackable”. In fact, MFA itself is not unhackable.

Hacking Multi-Factor 身份验证

There are more than a dozen ways to hack MFA solutions. Some of these attacks have been used successfully against millions of MFA-protected users. Every particular type of MFA solution is susceptible to multiple hacking methods. There simply is no MFA solution that can't be hacked, multiple ways. Anyone claiming their solution is unhackable is either lying to you or naïve. Either way, you don't want to do business with them. Some MFA methods are more resilient to hacking, or to particular types of hacking. Although, in most cases, the less susceptible an MFA solution becomes to hacking, the harder it is for end users to use. Security is always a usability-security trade-off, and MFA is no different. Many people mistakenly believe that their use of an MFA device makes them impossible to hack. Nothing could be further from the truth.

General Ways to Hack MFA

When thinking about how MFA solutions are hacked, there are four general ways: Social Engineering, Technical, Physical Attack, and Mixed.

Social Engineering MFA Hacks

Social engineering refers to the involved human element using the MFA solution inadvertently in a way that results in its bypass or misuse.

Technical Manipulation MFA Hacks

Technical manipulation refers to methods of exploitation and manipulation that do not require the human user to make a mistake.

Physical MFA Attacks

Physical attacks involve things like copying fingerprints and directly accessing secret keys on a key fob using an electron microscope.

Mixed MFA Hacks

Many MFA hacking methods require a mix of two or more methods, although the vast majority require social engineering and technical attacks.

To see detailed examples and explanations of these different types of hacks, download the eBook or watch the webinar.

Watch this demo by Kevin Mitnick for an example of a mixed attack that uses social engineering and technical methods to perform session hijacking.

Regardless of the hacking method, these are attempts to take advantage of weaknesses between the steps of authentication: identity, authentication secret storage, authentication, or authorization. The attacks are malicious interruptions, modifications, or misrepresentations of one or more of those steps, or of the transitions between them.

Note: Often an MFA solution provider will defend their solution against a successfully demonstrated hack by saying that their MFA solution, itself, did not fail. While this may be technically true, MFA solutions are ultimately not tested in a sterile lab where only direct attacks count. If the MFA solution fails the user for any reason, in the user's mind, the MFA solution has failed. They don't care so much about the details of whether or not the MFA solution itself was technically responsible.

How To Defend Against MFA Attacks

Social Defenses

  • Realize nothing, including any MFA solution, is unhackable
  • Integrate MFA hacking awareness into your security awareness training
  • Share this data with co-workers and management
  • Don't get tricked into clicking rogue links
  • Block rogue links wherever possible
  • Make sure your users know how to tell that a URL is legitimate before they click it; see the Social Engineering Red Flags checklist

技术 Defenses

  • Enable required MFA wherever possible
  • Avoid SMS-based MFA wherever possible
  • Use “1:1” MFA solutions, which require the client to be pre-registered with the server
  • Use/require two-way, mutual authentication whenever possible (ex. FIDO U2F channel or token binding)
  • Does your MFA solution specifically fight session token theft and/or malicious replay? (i.e., is it replay resistant?)
  • Can your MFA vendor's support help be socially engineered?
  • Make sure the MFA vendor uses a Secure Development Lifecycle (SDL) in their programming
  • Make sure MFA has “bad attempt throttling” or “account lockout” enabled
  • Spread factors across different “channels” or “bands” (in-band/out-of-band)
  • Protect and audit the identity attributes that MFA uses to uniquely identify MFA logins
  • Don't answer password reset questions using honest answers
  • Encourage and use sites and services that use dynamic authentication, where additional factors are requested for higher risk circumstances
  • Understand the risks of “shared secret” systems
  • For transaction-based authentication, require that all critical details be sent to the user before confirmation is sent/required
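Three of the items above (“1:1” pre-registration, mutual/channel-bound authentication, and the risk of “shared secret” systems) come down to one verification-side difference, shown here as an added example that is not the page's or any vendor's code: a shared-secret one-time code is verified identically wherever the user typed it, whereas a pre-registered, origin-bound challenge-response factor (U2F-style) is rejected unless the origin the device signed matches the one the service registered. The key material, origins and the HMAC stand-in for the device's signature are all constructed for the demo.

```python
"""Added example (not from the original page): why an origin-bound, pre-registered
factor resists a login relayed through a look-alike site while a shared-secret
one-time code does not. Secrets, origins and the HMAC used in place of a real
U2F key-pair signature are constructed stand-ins."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict

# --- Shared-secret one-time code (TOTP-style, RFC 6238 truncation) -------------
OTP_SECRET = secrets.token_bytes(20)  # constructed; shared by user device and server


def otp_code(secret: bytes, now: float, step: int = 30) -> str:
    """Derive the 6-digit code for the current time step."""
    counter = struct.pack(">Q", int(now) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def server_checks_otp(code: str, now: float) -> bool:
    """The server learns only that someone knows the secret; it has no way to
    tell which site the user believed they were typing the code into."""
    return hmac.compare_digest(code, otp_code(OTP_SECRET, now))


# --- Origin-bound challenge-response (U2F-style) --------------------------------
DEVICE_KEY = secrets.token_bytes(32)        # constructed; registered 1:1 with the service
REGISTERED_ORIGIN = "https://bank.example"  # constructed; bound at registration time


def device_signs(challenge: bytes, origin_seen_by_browser: str) -> Dict[str, object]:
    """The authenticator signs the challenge together with the origin the browser
    is actually connected to; it never signs a bare challenge."""
    msg = origin_seen_by_browser.encode() + b"\x00" + challenge
    return {"origin": origin_seen_by_browser, "challenge": challenge,
            "sig": hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()}


def server_checks_assertion(assertion: Dict[str, object], issued_challenge: bytes) -> bool:
    """The relying party verifies its own registered origin, its own challenge and
    the signature over both; an assertion produced for any other origin fails."""
    if assertion["origin"] != REGISTERED_ORIGIN:
        return False
    if not hmac.compare_digest(assertion["challenge"], issued_challenge):
        return False
    msg = REGISTERED_ORIGIN.encode() + b"\x00" + issued_challenge
    expected = hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()
    return hmac.compare_digest(assertion["sig"], expected)
```

A correct one-time code passes the first check no matter where it was entered, which is the “shared secret” risk the list names; an assertion signed for any origin other than the registered one fails the second check, which is what channel binding buys.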


  • MFA isn't unhackable.
  • MFA does not prevent phishing or social engineering from being successful.
  • MFA is good. Everyone should use it when they can, but it isn't unbreakable.
  • If you use or are considering going to MFA, security awareness training is still a critical part of your overall security defense.











