Finding the Cracks in the Wall – The Hazard of Single Authentication Factor

The use of authentication factors, one of the most fundamental and well understood concepts in information security, enables secure access to applications, services, and networks. It can affect an enterprise’s security posture, however, as the drastic increase in data breaches and system attacks are largely based on compromised authentication.

Authentication factors are classified as follows: “something I know,” “something I have,” or “something I am.” For example, the most common factors in real life are website credentials as the something I know, mobile fingerprint authentication as the something I am, and a hardware security key as the something I have.

The most prevalent authentication method is user credentials, also known as username and password, which represents something we know. Credentials are commonly used to authenticate access to any online service, from accessing bank accounts or buying from an online retailer to accessing our company network. As credentials became more widely used, the attacks to steal or abuse this authentication method also increased and evolved. Most noticeable are credential abuse attacks using stolen credentials to try to compromise accounts, relying on users’  frequent habit of reusing their credentials on different services. 

The significant increase in data breaches we have seen over the past several years was primarily driven by stolen or compromised credentials. Compromised credentials provide threat actors the ability to launch internet-wide credential abuse attacks to hunt for accounts that are being accessed using the same credentials.

The amplification impact of these attacks is achieved by the use of dedicated tools that can be customized to the targeted login interface and the use of botnet and proxy services that distribute and hide the attackers’ origins.

noncompromised.jpg Figure: Number of daily credential abuse attempts in 2020

The figure shows the daily number of credential abuse attempts seen on the Akamai platform — the average number of credential abuse attempts in 2020 was more than 200 million attempts per day. In addition, looking into the yearly trend of attacks shows a continued increase in the number of attempts, which reached a peak of more than 600 million attempts at the end of September 2020. This continued increase in attacks represents threat actors’ increased motivation to own compromised accounts as a function of the increased demand to re-use stolen credentials, mainly those that are associated with media services. A similar and complementary impact on the threat landscape was also observed by Akamai’s threat research team over the same months in the phishing attacks in 2020, representing the increase in threat actor motivation to steal users’ credentials to later be used in credential abuse scams.     

As credential abuse attacks increased in the past few years, enterprises quickly realized that users’ credentials alone are insufficient to ensure the authenticity of the connected user, leading to the increased adoption of multi-factor authentication (MFA) architecture.

MFA enables the hardening of the user authentication process by using more than a single identification factor to reduce the risk of fraudulent and malicious activities. Each independent authentication factor gives more confidence in the authenticity of the connected user and reduces the risk of unauthorized access in the event one of those factors is stolen or lost.

Enterprises were the first to adopt MFA, as the potential damage of compromised accounts can result in a data breach, stolen intellectual property, and reputational damage.

Once more than one factor is being used, all the authentication factors need to be stolen or compromised in order for the unauthorized authentication to be successful. While such a scenario is harder to execute, a recent Akamai’s threat research publication shows that threat actors have now stepped up their game and can overcome even MFA.

The turning point for the more widespread adoption of MFA will be driven by the combination of scale and order of magnitude of the credentials abuse attacks and the potential damage and value of the compromised account.

Compromising an account that is protected by MFA is more challenging, but it is not impossible. In recent years, we have seen more and more scams leveraging victims’ mistakes and exploiting MFA weaknesses. This enables cybercriminals to execute sophisticated attacks against enterprises and allows individuals to execute fraud activities and steal sensitive data.

In the next blog post, I will cover the details of some of the most recently observed attacks, explain the most common MFA bypass methods, and discuss what can be done to improve users’ authentication and avoid unnecessary risk and the potential damage.

Learn more about Akamai’s multi-factor authentication solution at 

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Or Katz. Read the original post at:

Avatar photo

Or Katz

Or Katz is a Principal Lead Security Researcher at Akamai. Or is a frequent speaker at security conferences and has published numerous articles and white papers on threat intelligence and security defensive techniques. He began his research career in the early days of web application firewalls (WAFs) and he was OWASP Israel chapter lead between 2017 till 2019.

or-katz has 11 posts and counting.See all posts by or-katz