From 165588881aebad6ffd114d5830fd37f260af8ae8 Mon Sep 17 00:00:00 2001 From: Sujala Vasanthasena Nelavai Date: Mon, 22 Jun 2026 15:35:35 +0100 Subject: [PATCH 01/15] Add Modern MFA Attack Patterns and Mitigations Section This update adds a new subsection covering modern MFA bypass techniques, including: - Real-Time Phishing (AiTM) - SIM Swap & Phone Number Takeover - Token Theft & Session Hijacking - Device Binding Bypass - MFA Downgrade Attacks (OAuth/SSO) Each attack pattern includes concise mitigations and authoritative references from NIST, CISA, Microsoft, Google, FIDO Alliance, Trusted Computing Group, and Apple. The section aligns with current industry guidance on phishing-resistant MFA, device attestation, and assurance-level enforcement. No existing content was modified outside this new subsection. --- .../Multifactor_Authentication_Cheat_Sheet.md | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md index 28564f1839..d8d91108e0 100644 --- a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md +++ b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md 
@@ -369,6 +369,61 @@ The are a number of common types of biometrics that are used, including: - If compromised, biometric data can be difficult to change. - Hardware may be vulnerable to additional attack vectors. +## Modern MFA Attack Patterns and Mitigations + +### MFA Fatigue Attacks (Push Notification Bombing) + +Attackers spam MFA push notifications hoping the user approves one out of annoyance or accidental interaction. + +**Mitigations:** + +- Enforce **Number Matching** / Challenge-Response to break the "Approve" loop ([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html)). +- Strictly rate-limit and lock out MFA prompts after repeated unapproved attempts ([OWASP ASVS v4.0](https://owasp.org/www-project-application-security-verification-standard/)). + +### Real-Time Phishing (Adversary-in-the-Middle / AiTM) + +Attackers use reverse-proxy tools (e.g., Evilginx) to intercept credentials and standard MFA tokens (SMS, TOTP) in real-time. + +**Mitigations:** + +- Mandate **Phishing-Resistant MFA** (FIDO2 / WebAuthn) which cryptographically binds the authentication to the origin URL ([CISA Phishing Guidance](https://www.cisa.gov/sites/default/files/2025-03/Phishing%20Guidance%20-%20Stopping%20the%20Attack%20Cycle%20at%20Phase%20One%20508.pdf)). +- Implement risk-based authentication to block known VPN/proxy IP spaces and impossible travel ([CISA Multi-Factor Authentication Guidance](https://www.cisa.gov/mfa)). + +### SIM Swap & Phone Number Takeover + +Attackers socially engineer telecoms to transfer a victim's number, intercepting out-of-band SMS or voice MFA codes. + +**Mitigations:** + +- **Deprecate Telephony MFA** for high-privilege accounts ([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html)). +- Default to TOTP authenticator apps or FIDO2 hardware keys. + +### Token Theft & Session Hijacking + +Attackers use infostealer malware or XSS to steal post-authentication session cookies/tokens, bypassing the MFA layer entirely. 
+ +**Mitigations:** + +- Implement **Continuous Access Evaluation (CAE)** with short-lived tokens ([Microsoft CAE Documentation](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation)). +- Enforce strict cookie flags (`HttpOnly`, `Secure`, `SameSite=Strict`) and bind sessions to device hardware (Token Binding). + +### Device Binding Bypass + +Attackers extract cryptographic keys or clone device fingerprints to spoof a "trusted device" and bypass MFA prompts. + +**Mitigations:** + +- Store device identity keys strictly in non-exportable hardware modules (TPM or Secure Enclave). +- Require OS-level platform attestation (e.g., Android Play Integrity, iOS DeviceCheck) before granting access. + +### MFA Downgrade Attacks (OAuth/SSO) + +Attackers manipulate the authentication flow to fall back from strong MFA (e.g., WebAuthn) to weaker, legacy channels (e.g., SMS). + +**Mitigations:** + + - Completely disable legacy authentication endpoints (e.g., basic auth, older WS-Trust). + - Enforce strict conditional access policies that forbid fallback to lower-assurance methods for privileged accounts. ## Somewhere You Are Location-based authentication is based on the user's physical location. It is sometimes argued that location is used when deciding whether or not to require MFA (as discussed [above](#when-to-require-mfa)) however this is effectively the same as considering it to be a factor in its own right. Two prominent examples of this are the [Conditional Access Policies](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview) available in Microsoft Azure, and the [Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock) functionality in BitLocker. From 01de012774a6c4cf506830c58e8221f87e841f23 Mon Sep 17 00:00:00 2001 
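Review bot: under SIM Swap, `- Default to TOTP authenticator apps or FIDO2 hardware keys.` contradicts the AiTM section a few lines earlier, which correctly says reverse-proxy kits relay TOTP codes in real time; say that TOTP only removes the telephony dependency and that FIDO2/WebAuthn is the phishing-resistant option, so the two bullets do not read as equivalent. Under Token Theft, `HttpOnly`, `Secure` and `SameSite` only address the XSS path; an infostealer reads the cookie store from disk after the browser has decrypted it, so the malware case is covered by short token lifetimes, CAE revocation and device-bound sessions, not cookie flags (and `SameSite=Strict` blocks top-level navigation from other sites into the app, so `Lax` is the usual default). "Strictly rate-limit and lock out MFA prompts", if "lock out" means the account, gives anyone holding the password a way to lock the legitimate user out; recommend rate-limiting and suppressing further prompts with an alert to the user and SOC instead. "Block known VPN/proxy IP spaces" will also block corporate VPN egress; treat it as a risk signal that steps up authentication rather than a hard deny. Formatting: the two MFA Downgrade bullets carry a leading space (markdownlint MD007, they render as a nested list) and `## Somewhere You Are` has no blank line before it (MD022); both are patched in later commits of this series, so squash those fixups into this one. The commit message lists five patterns but the hunk adds six (MFA Fatigue is missing from the list), and `(Token Binding)` on the cookie bullet refers to RFC 8471, which Chrome dropped and which never reached broad browser support, so it is not an actionable mitigation for a web app.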
From: Sujala Vasanthasena Nelavai Date: Mon, 22 Jun 2026 15:46:58 +0100 Subject: [PATCH 02/15] Update Multifactor_Authentication_Cheat_Sheet.md --- cheatsheets/Multifactor_Authentication_Cheat_Sheet.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md index d8d91108e0..bfa81b872a 100644 --- a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md +++ b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md @@ -422,8 +422,8 @@ Attackers manipulate the authentication flow to fall back from strong MFA (e.g., **Mitigations:** - - Completely disable legacy authentication endpoints (e.g., basic auth, older WS-Trust). - - Enforce strict conditional access policies that forbid fallback to lower-assurance methods for privileged accounts. +- Completely disable legacy authentication endpoints (e.g., basic auth, older WS-Trust). +- Enforce strict conditional access policies that forbid fallback to lower-assurance methods for privileged accounts. ## Somewhere You Are Location-based authentication is based on the user's physical location. It is sometimes argued that location is used when deciding whether or not to require MFA (as discussed [above](#when-to-require-mfa)) however this is effectively the same as considering it to be a factor in its own right. Two prominent examples of this are the [Conditional Access Policies](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview) available in Microsoft Azure, and the [Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock) functionality in BitLocker. From b037d37bfe729568e0f074e312b0f3177a7499a7 Mon Sep 17 00:00:00 2001 
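Review bot: the subject line `Update Multifactor_Authentication_Cheat_Sheet.md` does not describe this hunk, which only removes the stray leading space from `- - Completely disable legacy authentication endpoints` and the bullet after it so they stop rendering as a nested list; that is the right fix, but it corrects a defect introduced in PATCH 01, so squash it there rather than keeping a separate commit with a generic subject.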
From: Sujala Vasanthasena Nelavai Date: Mon, 22 Jun 2026 15:51:24 +0100 Subject: [PATCH 03/15] Update Multifactor_Authentication_Cheat_Sheet.md --- cheatsheets/Multifactor_Authentication_Cheat_Sheet.md | 1 + 1 file changed, 1 insertion(+) diff --git a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md index bfa81b872a..abb5c4c74c 100644 --- a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md +++ b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md @@ -424,6 +424,7 @@ Attackers manipulate the authentication flow to fall back from strong MFA (e.g., - Completely disable legacy authentication endpoints (e.g., basic auth, older WS-Trust). - Enforce strict conditional access policies that forbid fallback to lower-assurance methods for privileged accounts. + ## Somewhere You Are Location-based authentication is based on the user's physical location. It is sometimes argued that location is used when deciding whether or not to require MFA (as discussed [above](#when-to-require-mfa)) however this is effectively the same as considering it to be a factor in its own right. Two prominent examples of this are the [Conditional Access Policies](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview) available in Microsoft Azure, and the [Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock) functionality in BitLocker. From 5eabbbb6cfa57112bff5b4c570816ab1f237a851 Mon Sep 17 00:00:00 2001 From: Sujala Vasanthasena Nelavai Date: Mon, 22 Jun 2026 15:56:00 +0100 Subject: [PATCH 04/15] Update Multifactor_Authentication_Cheat_Sheet.md --- cheatsheets/Multifactor_Authentication_Cheat_Sheet.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md index abb5c4c74c..f19bf8aedb 100644 
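Review bot: this one-line fix (blank line before `## Somewhere You Are`, markdownlint MD022) should be squashed into PATCH 01 rather than kept as a whitespace-only commit, especially since the same blank line is removed, re-added and removed again in PATCH 05, 07 and 08 of this series; the added line shows as `+ ` here, so check it is genuinely empty and not a line of trailing whitespace (MD009).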
--- a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md +++ b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md @@ -395,7 +395,7 @@ Attackers socially engineer telecoms to transfer a victim's number, intercepting **Mitigations:** -- **Deprecate Telephony MFA** for high-privilege accounts ([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html)). +- **Deprecate Telephony MFA** for high-privilege accounts ([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html). - Default to TOTP authenticator apps or FIDO2 hardware keys. ### Token Theft & Session Hijacking @@ -404,7 +404,7 @@ Attackers use infostealer malware or XSS to steal post-authentication session co **Mitigations:** -- Implement **Continuous Access Evaluation (CAE)** with short-lived tokens ([Microsoft CAE Documentation](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation)). +- Implement **Continuous Access Evaluation (CAE)** with short-lived tokens ([Microsoft CAE Documentation](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation). - Enforce strict cookie flags (`HttpOnly`, `Secure`, `SameSite=Strict`) and bind sessions to device hardware (Token Binding). ### Device Binding Bypass From f0a63e1b28bbe2fe1dde43eba8b4cac771c873d7 Mon Sep 17 00:00:00 2001 From: Sujala Vasanthasena Nelavai Date: Mon, 22 Jun 2026 16:03:51 +0100 Subject: [PATCH 05/15] Update Multifactor_Authentication_Cheat_Sheet.md --- .../Multifactor_Authentication_Cheat_Sheet.md | 20 ++++--------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md index f19bf8aedb..23ecbd958a 100644 --- a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md +++ b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md 
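Review bot: both hunks of this commit break the markdown: `([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html).` and `([Microsoft CAE Documentation](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation).` each drop the closing parenthesis of the surrounding parenthetical, leaving an unbalanced `(` in the rendered text; the original `](url)).` was correct, with one `)` closing the link destination and the second closing the parenthetical. PATCH 05 reverts this, PATCH 07 re-applies it and PATCH 08 reverts it again, so the commit should simply be dropped from the series.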
@@ -372,59 +372,47 @@ The are a number of common types of biometrics that are used, including: ## Modern MFA Attack Patterns and Mitigations ### MFA Fatigue Attacks (Push Notification Bombing) - Attackers spam MFA push notifications hoping the user approves one out of annoyance or accidental interaction. **Mitigations:** - - Enforce **Number Matching** / Challenge-Response to break the "Approve" loop ([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html)). - Strictly rate-limit and lock out MFA prompts after repeated unapproved attempts ([OWASP ASVS v4.0](https://owasp.org/www-project-application-security-verification-standard/)). ### Real-Time Phishing (Adversary-in-the-Middle / AiTM) - Attackers use reverse-proxy tools (e.g., Evilginx) to intercept credentials and standard MFA tokens (SMS, TOTP) in real-time. **Mitigations:** - - Mandate **Phishing-Resistant MFA** (FIDO2 / WebAuthn) which cryptographically binds the authentication to the origin URL ([CISA Phishing Guidance](https://www.cisa.gov/sites/default/files/2025-03/Phishing%20Guidance%20-%20Stopping%20the%20Attack%20Cycle%20at%20Phase%20One%20508.pdf)). - Implement risk-based authentication to block known VPN/proxy IP spaces and impossible travel ([CISA Multi-Factor Authentication Guidance](https://www.cisa.gov/mfa)). ### SIM Swap & Phone Number Takeover - Attackers socially engineer telecoms to transfer a victim's number, intercepting out-of-band SMS or voice MFA codes. **Mitigations:** - -- **Deprecate Telephony MFA** for high-privilege accounts ([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html). +- **Deprecate Telephony MFA** for high-privilege accounts ([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html)). - Default to TOTP authenticator apps or FIDO2 hardware keys. ### Token Theft & Session Hijacking - Attackers use infostealer malware or XSS to steal post-authentication session cookies/tokens, bypassing the MFA layer entirely. 
**Mitigations:** - -- Implement **Continuous Access Evaluation (CAE)** with short-lived tokens ([Microsoft CAE Documentation](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation). -- Enforce strict cookie flags (`HttpOnly`, `Secure`, `SameSite=Strict`) and bind sessions to device hardware (Token Binding). +- Implement **Continuous Access Evaluation (CAE)** with short-lived tokens ([Microsoft CAE Documentation](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation)). +- Enforce strict cookie flags (`HttpOnly`, `Secure`, `SameSite=Strict`) and bind sessions to device hardware. ### Device Binding Bypass - Attackers extract cryptographic keys or clone device fingerprints to spoof a "trusted device" and bypass MFA prompts. **Mitigations:** - - Store device identity keys strictly in non-exportable hardware modules (TPM or Secure Enclave). - Require OS-level platform attestation (e.g., Android Play Integrity, iOS DeviceCheck) before granting access. ### MFA Downgrade Attacks (OAuth/SSO) - Attackers manipulate the authentication flow to fall back from strong MFA (e.g., WebAuthn) to weaker, legacy channels (e.g., SMS). **Mitigations:** - - Completely disable legacy authentication endpoints (e.g., basic auth, older WS-Trust). - Enforce strict conditional access policies that forbid fallback to lower-assurance methods for privileged accounts. - + ## Somewhere You Are Location-based authentication is based on the user's physical location. It is sometimes argued that location is used when deciding whether or not to require MFA (as discussed [above](#when-to-require-mfa)) however this is effectively the same as considering it to be a factor in its own right. 
Two prominent examples of this are the [Conditional Access Policies](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview) available in Microsoft Azure, and the [Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock) functionality in BitLocker. From 119d975db2cf98d209dbb28536269fa862555794 Mon Sep 17 00:00:00 2001 From: Sujala Vasanthasena Nelavai Date: Mon, 22 Jun 2026 16:11:27 +0100 Subject: [PATCH 06/15] Update Multifactor_Authentication_Cheat_Sheet.md --- cheatsheets/Multifactor_Authentication_Cheat_Sheet.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md index 23ecbd958a..5815893c81 100644 --- a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md +++ b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md @@ -372,9 +372,11 @@ The are a number of common types of biometrics that are used, including: ## Modern MFA Attack Patterns and Mitigations ### MFA Fatigue Attacks (Push Notification Bombing) + Attackers spam MFA push notifications hoping the user approves one out of annoyance or accidental interaction. **Mitigations:** + - Enforce **Number Matching** / Challenge-Response to break the "Approve" loop ([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html)). - Strictly rate-limit and lock out MFA prompts after repeated unapproved attempts ([OWASP ASVS v4.0](https://owasp.org/www-project-application-security-verification-standard/)). 
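Review bot: the hunk at `@@ -372,59 +372,47 @@` deletes the blank line after every `###` heading and after every `**Mitigations:**` line, which markdownlint flags (MD022 requires blank lines around headings, MD032 around lists) and which makes the section inconsistent with the rest of the cheat sheet. The parenthesis repairs at `sp800-63.html)).` and `concept-continuous-access-evaluation)).` are correct, and dropping `(Token Binding)` from the cookie bullet is reasonable, but three unrelated changes are bundled under a generic `Update ...md` subject. The blank line before `## Somewhere You Are` is replaced rather than left alone (`-` then `+ `), which suggests the new line carries trailing whitespace (MD009). The PATCH 06 hunk at `@@ -372,9 +372,11 @@` that follows immediately puts two of the just-removed blank lines back, so the intended end state is unclear; settle on blank lines after both the heading and `**Mitigations:**` and squash.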
@@ -382,6 +384,7 @@ Attackers spam MFA push notifications hoping the user approves one out of annoya Attackers use reverse-proxy tools (e.g., Evilginx) to intercept credentials and standard MFA tokens (SMS, TOTP) in real-time. **Mitigations:** + - Mandate **Phishing-Resistant MFA** (FIDO2 / WebAuthn) which cryptographically binds the authentication to the origin URL ([CISA Phishing Guidance](https://www.cisa.gov/sites/default/files/2025-03/Phishing%20Guidance%20-%20Stopping%20the%20Attack%20Cycle%20at%20Phase%20One%20508.pdf)). - Implement risk-based authentication to block known VPN/proxy IP spaces and impossible travel ([CISA Multi-Factor Authentication Guidance](https://www.cisa.gov/mfa)). @@ -389,13 +392,15 @@ Attackers use reverse-proxy tools (e.g., Evilginx) to intercept credentials and Attackers socially engineer telecoms to transfer a victim's number, intercepting out-of-band SMS or voice MFA codes. **Mitigations:** + - **Deprecate Telephony MFA** for high-privilege accounts ([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html)). - Default to TOTP authenticator apps or FIDO2 hardware keys. ### Token Theft & Session Hijacking -Attackers use infostealer malware or XSS to steal post-authentication session cookies/tokens, bypassing the MFA layer entirely. +Attackers use infostealer malware or XSS to steal post-authentication session cookies or tokens, bypassing MFA entirely. **Mitigations:** + - Implement **Continuous Access Evaluation (CAE)** with short-lived tokens ([Microsoft CAE Documentation](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation)). - Enforce strict cookie flags (`HttpOnly`, `Secure`, `SameSite=Strict`) and bind sessions to device hardware. 
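Review bot: the hunk at `@@ -389,13 +392,15 @@` mixes a wording change (`session cookies or tokens, bypassing MFA entirely`) into what the surrounding hunks make a whitespace-only commit, and the subject `Update Multifactor_Authentication_Cheat_Sheet.md` mentions neither; describe the edit or split it out. Both hunks here add the blank line after `**Mitigations:**` but, unlike the first hunk of this commit, not after the `###` heading that precedes each paragraph, so heading spacing is still inconsistent across the six subsections.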
@@ -403,6 +408,7 @@ Attackers use infostealer malware or XSS to steal post-authentication session co Attackers extract cryptographic keys or clone device fingerprints to spoof a "trusted device" and bypass MFA prompts. **Mitigations:** + - Store device identity keys strictly in non-exportable hardware modules (TPM or Secure Enclave). - Require OS-level platform attestation (e.g., Android Play Integrity, iOS DeviceCheck) before granting access. @@ -410,6 +416,7 @@ Attackers extract cryptographic keys or clone device fingerprints to spoof a "tr Attackers manipulate the authentication flow to fall back from strong MFA (e.g., WebAuthn) to weaker, legacy channels (e.g., SMS). **Mitigations:** + - Completely disable legacy authentication endpoints (e.g., basic auth, older WS-Trust). - Enforce strict conditional access policies that forbid fallback to lower-assurance methods for privileged accounts. From ea9356888c8885620e99cab710e0c68f196a25a2 Mon Sep 17 00:00:00 2001 From: Sujala Vasanthasena Nelavai Date: Mon, 22 Jun 2026 16:22:33 +0100 Subject: [PATCH 07/15] Update Multifactor_Authentication_Cheat_Sheet.md --- .../Multifactor_Authentication_Cheat_Sheet.md | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md index 5815893c81..e478c8c98a 100644 --- a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md +++ b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md 
@@ -376,50 +376,48 @@ The are a number of common types of biometrics that are used, including: Attackers spam MFA push notifications hoping the user approves one out of annoyance or accidental interaction. **Mitigations:** - - Enforce **Number Matching** / Challenge-Response to break the "Approve" loop ([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html)). - Strictly rate-limit and lock out MFA prompts after repeated unapproved attempts ([OWASP ASVS v4.0](https://owasp.org/www-project-application-security-verification-standard/)). ### Real-Time Phishing (Adversary-in-the-Middle / AiTM) + Attackers use reverse-proxy tools (e.g., Evilginx) to intercept credentials and standard MFA tokens (SMS, TOTP) in real-time. **Mitigations:** - - Mandate **Phishing-Resistant MFA** (FIDO2 / WebAuthn) which cryptographically binds the authentication to the origin URL ([CISA Phishing Guidance](https://www.cisa.gov/sites/default/files/2025-03/Phishing%20Guidance%20-%20Stopping%20the%20Attack%20Cycle%20at%20Phase%20One%20508.pdf)). - Implement risk-based authentication to block known VPN/proxy IP spaces and impossible travel ([CISA Multi-Factor Authentication Guidance](https://www.cisa.gov/mfa)). ### SIM Swap & Phone Number Takeover + Attackers socially engineer telecoms to transfer a victim's number, intercepting out-of-band SMS or voice MFA codes. **Mitigations:** - -- **Deprecate Telephony MFA** for high-privilege accounts ([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html)). +- **Deprecate Telephony MFA** for high-privilege accounts ([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html). - Default to TOTP authenticator apps or FIDO2 hardware keys. ### Token Theft & Session Hijacking + Attackers use infostealer malware or XSS to steal post-authentication session cookies or tokens, bypassing MFA entirely. 
**Mitigations:** - -- Implement **Continuous Access Evaluation (CAE)** with short-lived tokens ([Microsoft CAE Documentation](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation)). +- Implement **Continuous Access Evaluation (CAE)** with short-lived tokens ([Microsoft CAE Documentation](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation). - Enforce strict cookie flags (`HttpOnly`, `Secure`, `SameSite=Strict`) and bind sessions to device hardware. ### Device Binding Bypass + Attackers extract cryptographic keys or clone device fingerprints to spoof a "trusted device" and bypass MFA prompts. **Mitigations:** - - Store device identity keys strictly in non-exportable hardware modules (TPM or Secure Enclave). - Require OS-level platform attestation (e.g., Android Play Integrity, iOS DeviceCheck) before granting access. ### MFA Downgrade Attacks (OAuth/SSO) + Attackers manipulate the authentication flow to fall back from strong MFA (e.g., WebAuthn) to weaker, legacy channels (e.g., SMS). **Mitigations:** - - Completely disable legacy authentication endpoints (e.g., basic auth, older WS-Trust). - Enforce strict conditional access policies that forbid fallback to lower-assurance methods for privileged accounts. - ## Somewhere You Are Location-based authentication is based on the user's physical location. It is sometimes argued that location is used when deciding whether or not to require MFA (as discussed [above](#when-to-require-mfa)) however this is effectively the same as considering it to be a factor in its own right. 
Two prominent examples of this are the [Conditional Access Policies](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview) available in Microsoft Azure, and the [Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock) functionality in BitLocker. From 152f56676ab02a24dfde9da74717fe352b86ff08 Mon Sep 17 00:00:00 2001 From: Sujala Vasanthasena Nelavai Date: Mon, 22 Jun 2026 16:33:05 +0100 Subject: [PATCH 08/15] Update Multifactor_Authentication_Cheat_Sheet.md --- cheatsheets/Multifactor_Authentication_Cheat_Sheet.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md index e478c8c98a..346f98a6f0 100644 --- a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md +++ b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md @@ -376,6 +376,7 @@ The are a number of common types of biometrics that are used, including: Attackers spam MFA push notifications hoping the user approves one out of annoyance or accidental interaction. **Mitigations:** + - Enforce **Number Matching** / Challenge-Response to break the "Approve" loop ([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html)). - Strictly rate-limit and lock out MFA prompts after repeated unapproved attempts ([OWASP ASVS v4.0](https://owasp.org/www-project-application-security-verification-standard/)). 
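Review bot: the hunk at `@@ -376,50 +376,48 @@` reverses most of PATCH 06: it removes the blank line after every `**Mitigations:**` line again (MD032 wants a blank line before a list) while adding the blank line after each `###` heading that PATCH 06 missed, and it re-introduces the unbalanced parentheses from PATCH 04 at `- **Deprecate Telephony MFA** ... sp800-63.html).` and `- Implement **Continuous Access Evaluation (CAE)** ... concept-continuous-access-evaluation).`, both of which PATCH 05 had repaired. It also deletes the blank line before `## Somewhere You Are` that PATCH 03 added. Each of these is undone again in PATCH 08, whose first hunk follows here. The reviewable end state is a blank line after the heading, a blank line after `**Mitigations:**`, and links ending in `)).`; please squash PATCH 02 to 08 into PATCH 01 so the history records one correct version instead of this back-and-forth.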
@@ -384,6 +385,7 @@ Attackers spam MFA push notifications hoping the user approves one out of annoya Attackers use reverse-proxy tools (e.g., Evilginx) to intercept credentials and standard MFA tokens (SMS, TOTP) in real-time. **Mitigations:** + - Mandate **Phishing-Resistant MFA** (FIDO2 / WebAuthn) which cryptographically binds the authentication to the origin URL ([CISA Phishing Guidance](https://www.cisa.gov/sites/default/files/2025-03/Phishing%20Guidance%20-%20Stopping%20the%20Attack%20Cycle%20at%20Phase%20One%20508.pdf)). - Implement risk-based authentication to block known VPN/proxy IP spaces and impossible travel ([CISA Multi-Factor Authentication Guidance](https://www.cisa.gov/mfa)). @@ -392,7 +394,8 @@ Attackers use reverse-proxy tools (e.g., Evilginx) to intercept credentials and Attackers socially engineer telecoms to transfer a victim's number, intercepting out-of-band SMS or voice MFA codes. **Mitigations:** -- **Deprecate Telephony MFA** for high-privilege accounts ([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html). + +- **Deprecate Telephony MFA** for high-privilege accounts ([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html)). - Default to TOTP authenticator apps or FIDO2 hardware keys. ### Token Theft & Session Hijacking 
@@ -400,7 +403,8 @@ Attackers socially engineer telecoms to transfer a victim's number, intercepting Attackers use infostealer malware or XSS to steal post-authentication session cookies or tokens, bypassing MFA entirely. **Mitigations:** -- Implement **Continuous Access Evaluation (CAE)** with short-lived tokens ([Microsoft CAE Documentation](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation). + +- Implement **Continuous Access Evaluation (CAE)** with short-lived tokens ([Microsoft CAE Documentation](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation)). - Enforce strict cookie flags (`HttpOnly`, `Secure`, `SameSite=Strict`) and bind sessions to device hardware. ### Device Binding Bypass @@ -408,6 +412,7 @@ Attackers use infostealer malware or XSS to steal post-authentication session co Attackers extract cryptographic keys or clone device fingerprints to spoof a "trusted device" and bypass MFA prompts. **Mitigations:** + - Store device identity keys strictly in non-exportable hardware modules (TPM or Secure Enclave). - Require OS-level platform attestation (e.g., Android Play Integrity, iOS DeviceCheck) before granting access. 
@@ -416,8 +421,10 @@ Attackers extract cryptographic keys or clone device fingerprints to spoof a "tr Attackers manipulate the authentication flow to fall back from strong MFA (e.g., WebAuthn) to weaker, legacy channels (e.g., SMS). **Mitigations:** + - Completely disable legacy authentication endpoints (e.g., basic auth, older WS-Trust). - Enforce strict conditional access policies that forbid fallback to lower-assurance methods for privileged accounts. + ## Somewhere You Are Location-based authentication is based on the user's physical location. It is sometimes argued that location is used when deciding whether or not to require MFA (as discussed [above](#when-to-require-mfa)) however this is effectively the same as considering it to be a factor in its own right. Two prominent examples of this are the [Conditional Access Policies](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview) available in Microsoft Azure, and the [Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock) functionality in BitLocker. From 2a582006696a690628c2175677c35b17aaa1a8d6 Mon Sep 17 00:00:00 2001 From: Sujala Vasanthasena Nelavai Date: Thu, 25 Jun 2026 21:18:26 +0100 Subject: [PATCH 09/15] Update Multifactor_Authentication_Cheat_Sheet.md --- cheatsheets/Multifactor_Authentication_Cheat_Sheet.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md index 346f98a6f0..510ab56c81 100644 --- a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md +++ b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md 
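Review bot: squash this commit. Its five hunks (`@@ -376,6 +376,7 @@` through `@@ -416,8 +421,10 @@`) restore the blank line after each `**Mitigations:**`, repair the two links back to `sp800-63.html)).` and `concept-continuous-access-evaluation)).`, and put the blank line back before `## Somewhere You Are`, so the net effect of PATCH 06, 07 and 08 together is the heading and list spacing that PATCH 05 removed plus the one wording change in PATCH 06; that is the correct final shape, and the combined commit should get a subject that says so rather than `Update Multifactor_Authentication_Cheat_Sheet.md`.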
@@ -377,7 +377,7 @@ Attackers spam MFA push notifications hoping the user approves one out of annoya **Mitigations:** -- Enforce **Number Matching** / Challenge-Response to break the "Approve" loop ([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html)). +- Enforce **Number Matching** / Challenge-Response to break the "Approve" loop. CISA – Phishing Guidance: Stopping the Attack Cycle at Phase One.( https://www.cisa.gov). - Strictly rate-limit and lock out MFA prompts after repeated unapproved attempts ([OWASP ASVS v4.0](https://owasp.org/www-project-application-security-verification-standard/)). ### Real-Time Phishing (Adversary-in-the-Middle / AiTM) @@ -387,7 +387,7 @@ Attackers use reverse-proxy tools (e.g., Evilginx) to intercept credentials and **Mitigations:** - Mandate **Phishing-Resistant MFA** (FIDO2 / WebAuthn) which cryptographically binds the authentication to the origin URL ([CISA Phishing Guidance](https://www.cisa.gov/sites/default/files/2025-03/Phishing%20Guidance%20-%20Stopping%20the%20Attack%20Cycle%20at%20Phase%20One%20508.pdf)). -- Implement risk-based authentication to block known VPN/proxy IP spaces and impossible travel ([CISA Multi-Factor Authentication Guidance](https://www.cisa.gov/mfa)). +- Implement risk-based authentication to block known VPN/proxy IP spaces and impossible travel ([CISA. Zero Trust Maturity Model, Identity Pillar](https://www.cisa.gov/zero-trust-maturity-model). ### SIM Swap & Phone Number Takeover From 52a3c41cfedf905f821571a46d9d5bfeb66a51eb Mon Sep 17 00:00:00 2001 From: Sujala Vasanthasena Nelavai Date: Thu, 25 Jun 2026 21:29:42 +0100 Subject: [PATCH 10/15] Update Multifactor_Authentication_Cheat_Sheet.md Added updated references --- cheatsheets/Multifactor_Authentication_Cheat_Sheet.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md index 510ab56c81..49504a2266 100644 
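Review bot: both hunks swap a working markdown link for a broken one. In `@@ -377,7 +377,7 @@` the NIST citation becomes bare text, `CISA – Phishing Guidance: Stopping the Attack Cycle at Phase One.( https://www.cisa.gov).`, which is not a markdown link, has a space inside the parenthesis, and points at the CISA home page rather than the document; the full PDF URL is already cited two sections down in the AiTM bullet, so reuse it as `([CISA Phishing Guidance](...))`. In `@@ -387,7 +387,7 @@` the replacement `([CISA. Zero Trust Maturity Model, Identity Pillar](https://www.cisa.gov/zero-trust-maturity-model).` drops the closing `)` of the parenthetical, the same defect as PATCH 04. The commit message should also say why the NIST SP 800-63-4 reference for number matching was replaced, since a reader of the history cannot tell whether the citation was wrong or merely swapped.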
--- a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md +++ b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md @@ -377,7 +377,8 @@ Attackers spam MFA push notifications hoping the user approves one out of annoya **Mitigations:** -- Enforce **Number Matching** / Challenge-Response to break the "Approve" loop. CISA – Phishing Guidance: Stopping the Attack Cycle at Phase One.( https://www.cisa.gov). +- Enforce **Number Matching** / Challenge-Response to break the "Approve" loop. +- CISA – Phishing Guidance: Stopping the Attack Cycle at Phase One.[CISA]( https://www.cisa.gov). - Strictly rate-limit and lock out MFA prompts after repeated unapproved attempts ([OWASP ASVS v4.0](https://owasp.org/www-project-application-security-verification-standard/)). ### Real-Time Phishing (Adversary-in-the-Middle / AiTM) From 1790b497e7e7e58291e48df1bf29db4a33791f2e Mon Sep 17 00:00:00 2001 From: Sujala Vasanthasena Nelavai Date: Thu, 25 Jun 2026 21:33:37 +0100 Subject: [PATCH 11/15] Update Multifactor_Authentication_Cheat_Sheet.md --- cheatsheets/Multifactor_Authentication_Cheat_Sheet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md index 49504a2266..d0bb391e62 100644 --- a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md +++ b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md 
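Review bot: splitting the reference into its own bullet, `- CISA – Phishing Guidance: Stopping the Attack Cycle at Phase One.[CISA]( https://www.cisa.gov).`, makes a citation read as a third mitigation, which no other bullet in the section does; keep the reference inline in parentheses on the number-matching bullet, drop the stray space after `(`, add the missing space between `One.` and `[CISA]`, and link to the PDF already cited in the AiTM section instead of the CISA home page. The body line `Added updated references` is what the subject should say.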
@@ -378,7 +378,7 @@ Attackers spam MFA push notifications hoping the user approves one out of annoya **Mitigations:** - Enforce **Number Matching** / Challenge-Response to break the "Approve" loop. -- CISA – Phishing Guidance: Stopping the Attack Cycle at Phase One.[CISA]( https://www.cisa.gov). +- CISA – Phishing Guidance: Stopping the Attack Cycle at Phase One.[CISA]( https://www.cisa.gov). - Strictly rate-limit and lock out MFA prompts after repeated unapproved attempts ([OWASP ASVS v4.0](https://owasp.org/www-project-application-security-verification-standard/)). ### Real-Time Phishing (Adversary-in-the-Middle / AiTM) From cf086df77eac90dfe0ab0e3868e2f2907676af73 Mon Sep 17 00:00:00 2001 From: Sujala Vasanthasena Nelavai Date: Fri, 26 Jun 2026 11:47:22 +0100 Subject: [PATCH 12/15] Update Multifactor_Authentication_Cheat_Sheet.md Updated references under the section "MFA Fatigue Attacks" --- cheatsheets/Multifactor_Authentication_Cheat_Sheet.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md index d0bb391e62..f8bb385817 100644 --- a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md +++ b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md 
@@ -377,9 +377,10 @@ Attackers spam MFA push notifications hoping the user approves one out of annoya **Mitigations:** -- Enforce **Number Matching** / Challenge-Response to break the "Approve" loop. -- CISA – Phishing Guidance: Stopping the Attack Cycle at Phase One.[CISA]( https://www.cisa.gov). -- Strictly rate-limit and lock out MFA prompts after repeated unapproved attempts ([OWASP ASVS v4.0](https://owasp.org/www-project-application-security-verification-standard/)). +- Enforce Number Matching (challenge–response) to prevent users from blindly approving MFA prompts during fatigue attacks. + Reference: Microsoft Authenticator – Number Matching Documentation. +- Follow CISA’s guidance on deploying phishing‑resistant MFA to eliminate push‑based MFA fatigue attacks. + Reference: CISA – Phishing‑Resistant MFA Guidance. ### Real-Time Phishing (Adversary-in-the-Middle / AiTM) From 6159b97fe38f6ddf1bab10021ef800469e9ec713 Mon Sep 17 00:00:00 2001 From: Sujala Vasanthasena Nelavai Date: Fri, 26 Jun 2026 12:33:19 +0100 Subject: [PATCH 13/15] Update Multifactor_Authentication_Cheat_Sheet.md Added detailed explanations and updated references for some sections in Modern MFA attack patterns --- .../Multifactor_Authentication_Cheat_Sheet.md | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md index f8bb385817..2f9fc1dac2 100644 --- a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md +++ b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md 
@@ -384,12 +384,13 @@ Attackers spam MFA push notifications hoping the user approves one out of annoya ### Real-Time Phishing (Adversary-in-the-Middle / AiTM) -Attackers use reverse-proxy tools (e.g., Evilginx) to intercept credentials and standard MFA tokens (SMS, TOTP) in real-time. +Attackers deploy reverse‑proxy phishing kits (e.g., Evilginx, Modlishka, Muraena) that sit between the user and the legitimate website. These tools capture credentials and the resulting session cookies, allowing the attacker to impersonate the user in real time. **Mitigations:** -- Mandate **Phishing-Resistant MFA** (FIDO2 / WebAuthn) which cryptographically binds the authentication to the origin URL ([CISA Phishing Guidance](https://www.cisa.gov/sites/default/files/2025-03/Phishing%20Guidance%20-%20Stopping%20the%20Attack%20Cycle%20at%20Phase%20One%20508.pdf)). -- Implement risk-based authentication to block known VPN/proxy IP spaces and impossible travel ([CISA. Zero Trust Maturity Model, Identity Pillar](https://www.cisa.gov/zero-trust-maturity-model). +- Mandate Phishing‑Resistant MFA (FIDO2/WebAuthn), which cryptographically binds authentication to the legitimate origin and prevents AiTM replay.([CISA Phishing Guidance](https://www.cisa.gov/sites/default/files/2025- 03/Phishing%20Guidance%20-%20Stopping%20the%20Attack%20Cycle%20at%20Phase%20One%20508.pdf)). +- Use risk‑based authentication to detect suspicious post‑compromise activity (e.g., proxy IPs, anomalous locations), though this does not prevent AiTM itself. + Reference: CISA Zero Trust Maturity Model – Identity Pillar (risk‑based access decisions). ### SIM Swap & Phone Number Takeover 
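Review bot: The rewritten attack description on the `+` line of the `@@ -384,12 +384,13 @@` hunk (PATCH 13/15) loses the detail that makes AiTM an MFA bypass: the removed line said the proxy intercepts `standard MFA tokens (SMS, TOTP) in real-time`, while the new text mentions only credentials and session cookies. Relaying the one-time code to the real site is the step that defeats OTP-based MFA, so keep a clause such as "relay the one-time code (SMS, TOTP) to the legitimate site and capture the resulting session cookie". Two defects on the first mitigation line: the URL is broken by a space (`2025- 03/`) and the link is glued to the sentence (`AiTM replay.([CISA`); both are corrected in PATCH 14 of this series, so that fix belongs squashed into this commit. The second mitigation downgrades a working link to plain text, `Reference: CISA Zero Trust Maturity Model – Identity Pillar (risk‑based access decisions).`, while the removed line carried `https://www.cisa.gov/zero-trust-maturity-model`; keep the URL. The added caveat "though this does not prevent AiTM itself" is the right framing and worth keeping.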
@@ -408,6 +409,8 @@ Attackers use infostealer malware or XSS to steal post-authentication session co - Implement **Continuous Access Evaluation (CAE)** with short-lived tokens ([Microsoft CAE Documentation](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation)). - Enforce strict cookie flags (`HttpOnly`, `Secure`, `SameSite=Strict`) and bind sessions to device hardware. +- Impossible travel detection can identify stolen session tokens being replayed from a different geography, but it does not prevent token theft itself. + Reference: Microsoft Entra ID Identity Protection – Impossible Travel Detection. ### Device Binding Bypass @@ -415,9 +418,13 @@ Attackers extract cryptographic keys or clone device fingerprints to spoof a "tr **Mitigations:** -- Store device identity keys strictly in non-exportable hardware modules (TPM or Secure Enclave). -- Require OS-level platform attestation (e.g., Android Play Integrity, iOS DeviceCheck) before granting access. - +- Use hardware‑backed, non‑exportable device keys (TPM, Secure Enclave) to ensure device binding cannot be cloned or replayed. + Reference: NIST SP 800‑63B – Digital Identity Guidelines (Authenticator Assurance Levels). +- Prefer phishing‑resistant MFA (FIDO2/WebAuthn), which provides origin‑bound, device‑bound authentication resistant to device binding bypass. + Reference: FIDO Alliance – FIDO2/WebAuthn Security Specifications. +- Validate device attestation metadata to ensure the authenticator is genuine and hardware‑protected. + Reference: W3C WebAuthn Level 2 – Attestation Statement Formats. + ### MFA Downgrade Attacks (OAuth/SSO) Attackers manipulate the authentication flow to fall back from strong MFA (e.g., WebAuthn) to weaker, legacy channels (e.g., SMS). From 826f7e4d3011dfd20018bb46f2ccd64801806642 Mon Sep 17 00:00:00 2001 
From: Sujala Vasanthasena Nelavai Date: Fri, 26 Jun 2026 12:47:08 +0100 Subject: [PATCH 14/15] Update Multifactor_Authentication_Cheat_Sheet.md Corrected markdown lint error. --- cheatsheets/Multifactor_Authentication_Cheat_Sheet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md index 2f9fc1dac2..ad2bdd7d57 100644 --- a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md +++ b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md @@ -388,7 +388,7 @@ Attackers deploy reverse‑proxy phishing kits (e.g., Evilginx, Modlishka, Murae **Mitigations:** -- Mandate Phishing‑Resistant MFA (FIDO2/WebAuthn), which cryptographically binds authentication to the legitimate origin and prevents AiTM replay.([CISA Phishing Guidance](https://www.cisa.gov/sites/default/files/2025- 03/Phishing%20Guidance%20-%20Stopping%20the%20Attack%20Cycle%20at%20Phase%20One%20508.pdf)). +- Mandate Phishing‑Resistant MFA (FIDO2/WebAuthn), which cryptographically binds authentication to the legitimate origin and prevents AiTM replay. [CISA Phishing Guidance](https://www.cisa.gov/sites/default/files/2025-03/Phishing%20Guidance%20-%20Stopping%20the%20Attack%20Cycle%20at%20Phase%20One%20508.pdf). - Use risk‑based authentication to detect suspicious post‑compromise activity (e.g., proxy IPs, anomalous locations), though this does not prevent AiTM itself. Reference: CISA Zero Trust Maturity Model – Identity Pillar (risk‑based access decisions). From 20f8c0ac2e699dc988806eb10d309b644db1b0bf Mon Sep 17 00:00:00 2001 From: Sujala Vasanthasena Nelavai Date: Fri, 26 Jun 2026 13:27:36 +0100 Subject: [PATCH 15/15] Update Multifactor_Authentication_Cheat_Sheet.md --- cheatsheets/Multifactor_Authentication_Cheat_Sheet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md index ad2bdd7d57..e5d778bcf8 100644 --- a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md +++ b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md @@ -378,7 +378,7 @@ Attackers spam MFA push notifications hoping the user approves one out of annoya **Mitigations:** - Enforce Number Matching (challenge–response) to prevent users from blindly approving MFA prompts during fatigue attacks. - Reference: Microsoft Authenticator – Number Matching Documentation. + Reference: Microsoft Authenticator – Number Matching Documentation(example implementation of challenge–response MFA). - Follow CISA’s guidance on deploying phishing‑resistant MFA to eliminate push‑based MFA fatigue attacks. Reference: CISA – Phishing‑Resistant MFA Guidance.
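Review bot: The replacement citation on the `+` line of the first `@@ -377,7 +377,7 @@` hunk (first patch shown in this series) points at the CISA homepage, `( https://www.cisa.gov)`, rather than at the document it names, and it is not a markdown link, so the reader loses both the specific NIST SP 800-63-4 pointer that was removed and any usable path to the CISA paper. The full PDF URL for "Phishing Guidance: Stopping the Attack Cycle at Phase One" already appears in the next hunk of the same patch; reuse it in the cheat sheet's existing link style, `([CISA Phishing Guidance](https://www.cisa.gov/sites/default/files/2025-03/Phishing%20Guidance%20-%20Stopping%20the%20Attack%20Cycle%20at%20Phase%20One%20508.pdf))`, and drop the stray space inside the parentheses. Consider keeping the NIST reference alongside it as well, since the removed line cited SP 800-63-4 specifically for the number-matching requirement and the CISA paper is about phishing in general.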
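Review bot: Unbalanced parentheses on the `+` line of the `@@ -387,7 +387,7 @@` hunk (first patch shown in this series): the citation opens with `([CISA. Zero Trust Maturity Model, Identity Pillar](https://www.cisa.gov/zero-trust-maturity-model).` and never closes the outer `(`, so it renders as a literal parenthesis and markdown lint will flag it. Either close it, `...maturity-model)).`, or drop the outer parentheses, which is the style the later patches in this series move towards. Separately, the Zero Trust Maturity Model is a sound citation for risk-based access decisions, but the sentence being cited makes the narrower claim "block known VPN/proxy IP spaces and impossible travel"; if the cited document does not say that, soften the bullet or retain the `https://www.cisa.gov/mfa` link it replaced.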
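Review bot: Splitting the citation into its own bullet in the `@@ -377,7 +377,8 @@` hunk of PATCH 10/15 puts a bare reference, `- CISA – Phishing Guidance: Stopping the Attack Cycle at Phase One.[CISA]( https://www.cisa.gov).`, into a list headed **Mitigations:** in which every other item is an action, so a reader scanning the list will take it for a third control. Keep the citation attached to the Number Matching bullet, as the neighbouring items do with their parenthesised links, and link to the actual PDF rather than the homepage. The leading space in `( https://` and the missing space before `[CISA]` should also go.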
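Review bot: The `-` and `+` lines of the `@@ -378,7 +378,7 @@` hunk in PATCH 11/15 are visually identical (`- CISA – Phishing Guidance: Stopping the Attack Cycle at Phase One.[CISA]( https://www.cisa.gov).`), so the change must be whitespace or a look-alike Unicode character, and the commit has no message body saying which. Invisible edits to a reference line are hard to review and easy to regress; state the change in the commit message (trailing whitespace removed, dash character replaced, or similar) or fold it into the adjacent commit that touches the same line.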
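Review bot: The rate-limiting mitigation disappears without explanation in the `@@ -377,9 +377,10 @@` hunk of PATCH 12/15: `- Strictly rate-limit and lock out MFA prompts after repeated unapproved attempts ([OWASP ASVS v4.0](https://owasp.org/www-project-application-security-verification-standard/)).` is removed, neither new bullet covers it, and the commit message says only that references were updated. Rate limiting prompts is a distinct control against push bombing (number matching reduces accidental approvals; it does not stop the flood of prompts), so restore it as a third bullet. Two points on the new lines: the `Reference:` continuations (`Reference: Microsoft Authenticator – Number Matching Documentation.`, `Reference: CISA – Phishing‑Resistant MFA Guidance.`) carry no URLs, unlike every other citation in this section, so make them markdown links; and the non-ASCII hyphens in `phishing‑resistant` and `push‑based` differ from the ASCII hyphens used elsewhere in the file (`Phishing-Resistant`, `Real-Time`), which breaks text search and may trip lint, so use a plain `-`.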
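Review bot: The impossible-travel bullet added in the `@@ -408,6 +409,8 @@` hunk (PATCH 13/15) cites `Reference: Microsoft Entra ID Identity Protection – Impossible Travel Detection.` as plain text, while the bullet directly above it in the same hunk links to learn.microsoft.com in full; make it a link for consistency. The wording correctly flags this as detection rather than prevention, but it sits under **Mitigations:** beside preventive controls (CAE, cookie flags); either label it as detection, e.g. "Detect (does not prevent): ...", or pair it with the response the detection should trigger, namely revoking the replayed session, which the Continuous Access Evaluation bullet above is there to enable.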
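Review bot: The `@@ -415,9 +418,13 @@` hunk (PATCH 13/15) removes the platform-attestation control, `- Require OS-level platform attestation (e.g., Android Play Integrity, iOS DeviceCheck) before granting access.`, and none of the three new bullets replaces it: WebAuthn attestation statements (`W3C WebAuthn Level 2 – Attestation Statement Formats`) vouch for the authenticator hardware at registration, whereas Play Integrity and DeviceCheck vouch for OS and app state at request time. The two are complementary, so keep the OS-level bullet alongside the new ones. Also, the first new bullet cites `NIST SP 800‑63B` while the Number Matching bullet earlier in this series cites `NIST SP 800-63-4`; pick one revision and cite it consistently, with a URL, since none of the three `Reference:` lines here links anywhere.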
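Review bot: The URL repair in the `@@ -388,7 +388,7 @@` hunk (PATCH 14/15) is correct (space removed from `2025- 03/`, link separated from the sentence), but the result, `AiTM replay. [CISA Phishing Guidance](...).`, now ends one sentence before the link and another after it, which differs from the `([Source](url))` parenthesised style still used by the surviving CAE and OWASP ASVS bullets. Pick one citation style for the section. The `Reference: CISA Zero Trust Maturity Model – Identity Pillar (risk‑based access decisions).` context line in this same hunk still has no URL; since this commit already touches the bullet pair, it is the natural place to restore `https://www.cisa.gov/zero-trust-maturity-model`.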
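Review bot: Missing space before the parenthesis on the `+` line of the `@@ -378,7 +378,7 @@` hunk (PATCH 15/15): `Documentation(example implementation of challenge–response MFA).` Beyond the typo, marking the Microsoft page as an example implementation is a good clarification for a vendor-neutral cheat sheet, but the reference still has no URL, so the reader cannot reach it; link the title to the Microsoft Learn page. The en dash in `challenge–response` should be a hyphen, matching `Challenge-Response` in the earlier bullets. The commit has no message body; a line saying the parenthetical was added for vendor neutrality would help future editors understand the change.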