Last updated on April 23, 2024
MFA Bypass means the authorized or unauthorized bypassing of MFA authentication on a user account. A bypassed user can gain access to an application or website after completing only one step of authentication, which usually means providing the correct password.
Bypassing can be both intended and unintended. Both administrators and users can choose to bypass MFA for various reasons. Unfortunately, hackers can also try to bypass MFA authentication to break into accounts and gain unauthorized access to data.
How Does MFA Bypass Work?
MFA Bypass downgrades Multi-Factor Authentication (MFA) to Single-Factor Authentication (SFA).
Multi-Factor Authentication (MFA) involves the user going through two steps:
- First Authentication Factor: Most often asks users to enter the correct password.
- Second Authentication Factor: Asks users to provide an additional proof of identity, for example, by accepting a Mobile Push authentication request.
When MFA is on, a user must complete both factors to gain access. Failure to complete one or more of these factors results in the user being denied access.

However, when a user gets bypassed, the MFA prompt is never triggered, and the log-in process falls back to standard password-based authentication. In other words, the user only has to complete the first authentication factor (which usually defaults to a password) while skipping the second authentication factor.
It is important to note that we can only talk about MFA Bypass when a system, application, or website employs a Multi-Factor Authentication solution. If a service does not use MFA at all, and all users can access their accounts after only entering their password, then the system uses Single-Factor Authentication (SFA).
Why Does MFA Bypass Happen?
Here are some of the most common reasons why MFA is bypassed.
1. Remembered Devices
Some websites and applications allow users to temporarily turn off MFA as long as consecutive login attempts happen on the same computer or mobile device. In companies that have enabled MFA organization-wide, administrators can decide how long a user’s device will be remembered. When you log in to an application, you can ask the system to remember you on that device. From then on, your logins on that device require only a password. After the set time has passed, the system will again start asking you for MFA authentication. Advanced MFA systems like Rublon allow remembering the user on a device but also give administrators the ability to turn off trusted devices altogether.
2. Security Policies
When Policy-Based Access Control (PBAC) or Adaptive Authentication is enabled, a security system enforces policies. These policies might bypass users who use an IP address within a given range or belong to a given group. Administrators often assign security policies based on the perceived security risk associated with each application. MFA Bypass is a common practice for trusted users with few privileges. Nevertheless, you should bypass users with caution. MFA is the strongest wall of defense against hackers. Removing it significantly weakens the protection of your users and the overall security of your company.
3. MFA Is Off
From the user’s point of view, it might be hard to tell whether MFA has been bypassed or whether it is off altogether. Indeed, a good MFA solution should bypass the user but still perform the necessary background security checks. Still, administrators should be able to look up the authentication logs and see clear information on whether a given user has been bypassed. Authentication logs provide transparency and clearly show where and how your users authenticate to protected applications.
4. Enrollment Settings
User enrollment is of paramount importance to your organization’s security. One of several enrollment options some MFA solutions provide is to bypass all unknown users and allow them to sign in to your applications and services without undergoing MFA. Although useful for testing purposes and convenient for administrators, who do not have to accept users manually or investigate why a user has been denied, bypassing unknown users comes with a major security risk all administrators should be aware of before enabling this option. It effectively enforces MFA on all your known users while letting all unknown actors right in. An unknown actor only has to know the password to gain access.
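As an added illustration (this is not Rublon's code or configuration), the evaluator below applies the bypass rules described in sections 1, 2 and 4 to a login attempt and writes every decision, with its reason, to an authentication log as section 3 asks for. The policy fields, the 30-day device lifetime, the user names and the addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    bypass_networks: list = field(default_factory=list)  # CIDR strings, section 2
    bypass_groups: set = field(default_factory=set)       # group names, section 2
    bypass_unknown_users: bool = False  # the risky enrollment option, section 4
    trusted_device_lifetime: timedelta = timedelta(days=30)  # timedelta(0) disables remembered devices, section 1

def evaluate(policy, audit, *, user, enrolled, ip, now, groups=frozenset(), device_trusted_at=None):
    """Return 'mfa' (second factor required), 'bypass' (password only) or 'deny'."""
    decision, reason = "mfa", "no bypass rule matched"
    if not enrolled and policy.bypass_unknown_users:
        decision, reason = "bypass", "unknown user let in by enrollment setting"
    elif not enrolled:
        decision, reason = "deny", "user not enrolled"
    elif set(groups) & policy.bypass_groups:
        decision, reason = "bypass", "member of a bypass group"
    elif any(ip_address(ip) in ip_network(n) for n in policy.bypass_networks):
        decision, reason = "bypass", "source IP inside a bypass range"
    elif device_trusted_at is not None and now - device_trusted_at < policy.trusted_device_lifetime:
        decision, reason = "bypass", "remembered device still within its lifetime"
    # Section 3: every decision, bypassed or not, must be visible in the authentication log.
    audit.append(f"{now.isoformat()} user={user} ip={ip} mfa={decision.upper()} reason={reason}")
    return decision

def demo():
    """Constructed logins against one sample policy; returns (decisions, audit lines)."""
    now = datetime(2024, 4, 23, 12, 0, tzinfo=timezone.utc)
    policy = Policy(bypass_networks=["10.0.0.0/8"], bypass_groups={"kiosk"})
    audit = []
    logins = {
        "office_ip": dict(user="alice", enrolled=True, ip="10.1.2.3"),
        "remembered_device": dict(user="bob", enrolled=True, ip="203.0.113.5", device_trusted_at=now - timedelta(days=5)),
        "expired_device": dict(user="bob", enrolled=True, ip="203.0.113.5", device_trusted_at=now - timedelta(days=45)),
        "kiosk_group": dict(user="carol", enrolled=True, ip="203.0.113.7", groups={"kiosk"}),
        "unknown_user": dict(user="mallory", enrolled=False, ip="203.0.113.9"),
    }
    results = {name: evaluate(policy, audit, now=now, **kw) for name, kw in logins.items()}
    # Same unknown user, but with the "bypass unknown users" enrollment option switched on.
    results["unknown_user_open_enrollment"] = evaluate(
        Policy(bypass_unknown_users=True), audit, now=now, **logins["unknown_user"])
    return results, audit
```

Note that the expired remembered device falls back to requiring MFA, while the same unknown user is denied under the default policy but let straight in once the unknown-user bypass is enabled.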
5. Malicious Activity
Although most of the time bypassing has nothing to do with nefarious or malicious activity, the harsh reality of cyberattacks is that hackers often try to turn off MFA instead of compromising it. Should a hacker succeed in disabling MFA protection, they only have to crack a password to gain access to an account. We recommend that you use the most secure authentication methods:
- WebAuthn/U2F Security Key
- Mobile Push with additional biometric lock enabled on your phone
Even the most secure MFA cannot completely eliminate the possibility of human error, but social engineering is far less successful when people use strong authentication methods.
Why Does Rublon Bypass MFA?
Are you using Rublon and would like to know why you or your users are being bypassed? Here are the most common reasons why Rublon bypasses users.
Have questions about bypass or MFA? Contact Rublon Support.