Multi-factor authentication (MFA) is now a standard practice to prevent attacker access. A new CISA case report from the FBI illustrates how business policies and system usability may conflict with that goal.

Russian state-sponsored cyber actors gained initial access [TA0001] to the victim organization via compromised credentials [T1078] and enrolling a new device in the organization’s Duo MFA. The actors gained the credentials [TA0006] via brute-force password guessing attack [T1110.001], allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.

Brute-force of a password should not have been possible in a properly configured MFA system.

Being un-enrolled due to inactivity should not have happened, as the account should have gone directly to a disabled state instead.

In other words if you disable MFA and use guessable passwords, security has basically been disabled.