June 4, 2025
July 1, 2025

Defeating Scattered Spiders’ 2FA Bypass Attacks: Passwordless MFA

The latest cybersecurity alert from the FBI is ringing loud and clear, and if you're in critical infrastructure, you need to be listening. A recent Forbes article by Davey Winder highlighted the FBI's urgent warning about the surge in 2FA bypass attacks, specifically calling out the notorious Scattered Spider threat group. This isn't just about data breaches; it's about sophisticated social engineering aimed at infiltrating our most vital sectors.

The article details how Scattered Spider is expanding its targeting, moving from retail to the airline industry, and now even into the food, manufacturing, and transportation sectors. What's particularly alarming is their consistent method: bypassing multi-factor authentication (MFA) by tricking IT help desks into adding unauthorized MFA devices to compromised accounts. They don't rely on complex technical exploits; they manipulate people, often impersonating employees or contractors to gain access.

This is where the traditional MFA model shows its Achilles' heel. If an attacker can convince a help desk to add their device as a legitimate MFA factor, your robust MFA solution suddenly becomes a gateway for malicious actors. It's a classic social engineering flaw that exploits the human element in an otherwise strong security chain.

This brings us to a fundamental question: if the very mechanism designed to be your second line of defense can be socially engineered, what's next? For critical infrastructure, where the stakes are incredibly high – from operational disruption to national security implications – this vulnerability is simply unacceptable. You can't afford to be the next headline, with a $600 million cost like Marks & Spencer faced.

BlastWave's Passwordless MFA: Eliminating an Entire Class of Risk

BlastWave is about fundamentally changing the attack surface of your critical infrastructure network. Our approach to passwordless MFA directly addresses and eliminates the very attack vector that Scattered Spider and similar groups are exploiting.

Here's how:

  1. No Shared Secrets to Exploit: Traditional MFA often relies on a shared secret (like a password) or a predictable second factor that can be intercepted or socially engineered. BlastWave's passwordless MFA, built on cryptographic principles, removes the need for these shared secrets. There's no password for an attacker to phish, no knowledge to steal, and no shared secret for them to bypass.
  2. Eliminating the "Help Desk Weak Point": Since our system doesn't rely on adding "devices to compromised accounts" in the traditional sense, the social engineering attack described by the FBI becomes irrelevant. Our MFA is tied to the intrinsic identity of the user and the secure, verified device they are using, not an easily manipulated "additional factor." An attacker impersonating an employee simply can't add an "unauthorized MFA device" to an account in a way that grants them access.
  3. Zero Trust, From the Ground Up: For critical infrastructure, a Zero Trust architecture is paramount. BlastWave's passwordless MFA is a cornerstone of this. Every connection and every access attempt is continuously verified, without relying on vulnerable factors that can be socially engineered. It's about verifying who you are, what device you're on, and where you are coming from, making it nearly impossible for an unauthorized entity to simply "add a device" and gain access.
  4. Beyond the Human Element Vulnerability: By removing the human element from the core authentication process (specifically, the part that can be tricked into granting access), we significantly harden your defenses. While social engineering will always be a threat, our solution removes its leverage for gaining initial access through MFA bypass.
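One defender-side check that the help-desk scenario described above suggests, as an added example (not BlastWave's code or any vendor's API): correlate help-desk-initiated MFA resets with factor enrollments that follow shortly afterward on the same account, and flag enrollments that arrive from outside the corporate address space. The audit events and field names below are constructed for the example and are assumptions, not a real identity provider's schema.

```python
"""Flag MFA factor enrollments that closely follow a help-desk MFA reset."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (assumed schema; not from any real tenant).
# "actor" is who performed the action, "user" is the account acted upon.
SAMPLE_EVENTS = [
    {"ts": "2025-06-30T09:02:11Z", "actor": "helpdesk.svc", "action": "mfa.reset",
     "user": "j.doe", "src": "10.0.5.21"},
    {"ts": "2025-06-30T09:04:40Z", "actor": "j.doe", "action": "mfa.enroll",
     "user": "j.doe", "src": "203.0.113.7", "factor": "totp"},
    {"ts": "2025-06-30T09:05:02Z", "actor": "j.doe", "action": "login.success",
     "user": "j.doe", "src": "203.0.113.7"},
    {"ts": "2025-06-30T13:15:00Z", "actor": "a.roe", "action": "mfa.enroll",
     "user": "a.roe", "src": "10.0.7.3", "factor": "fido2"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events, window_minutes=60, corp_prefixes=("10.",)):
    """Return enrollments that occur within `window_minutes` after a reset
    performed by someone other than the account owner (i.e. a help-desk reset).
    Each hit carries the reasons it was flagged so an analyst can triage it."""
    resets = defaultdict(list)
    for e in events:
        if e["action"] == "mfa.reset" and e["actor"] != e["user"]:
            resets[e["user"]].append(parse_ts(e["ts"]))

    window = timedelta(minutes=window_minutes)
    hits = []
    for e in events:
        if e["action"] != "mfa.enroll":
            continue
        enrolled_at = parse_ts(e["ts"])
        for reset_at in resets.get(e["user"], []):
            if reset_at <= enrolled_at <= reset_at + window:
                reasons = ["enrollment within %d min of help-desk reset" % window_minutes]
                # Enrollment from outside the corporate ranges is a second signal.
                if not e["src"].startswith(corp_prefixes):
                    reasons.append("enrolled from non-corporate address")
                hits.append({"user": e["user"], "ts": e["ts"],
                             "factor": e.get("factor"), "reasons": reasons})
                break
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_enrollments(SAMPLE_EVENTS):
        print(hit)
```

A hit is a trigger for the help desk to re-verify the requester through an out-of-band channel before the new factor is trusted, not proof of compromise on its own.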

The FBI's warning is a wake-up call. For critical infrastructure, the time to act is now. Don't wait to become the next target of groups like Scattered Spider. If you're relying on legacy MFA that's vulnerable to these social engineering tactics, it's time to reevaluate. BlastWave's passwordless MFA offers a robust, future-proof solution that eliminates the very attack vectors that are plaguing organizations today, ensuring your critical systems remain truly secure and inaccessible to unauthorized eyes.