11 Fake Authentication Attacks
This chapter covers a type of attack that is possible against nearly all forms of authentication, including MFA. It is difficult to stop and not especially hard for an attacker to carry out. In a nutshell, malicious hackers can present an end user with an experience that appears as if the user's authentication was successful and legitimate when it was not. The attacker can then trick the victim into revealing more confidential details or into performing actions that they otherwise would not.
Learning About Fake Authentication Through UAC
I often hear from MFA vendors and users who ask me if their favorite MFA solution can be hacked. My immediate response is always, “Yes!” Anything can be hacked. But more specifically, I know that “fake authentication” hacks can be accomplished against nearly any MFA solution. I learned this lesson firsthand over 15 years ago when my employer was trying to figure out a way to mitigate it.
I worked for Microsoft Corporation for almost 12 years as a principal security consultant, and another three years before as a consultant working on Microsoft Windows Server 2003 and Microsoft SharePoint security courses for internal staff and customers. I loved my time working for Microsoft. It taught me a great deal, including that there are many very smart people who know a lot about computer security. Many times, I would come up with what I thought was an excellent security defense only to find that my idea was already thought ...
Get Hacking Multifactor Authentication now with the O’Reilly learning platform.