chevron-down Created with Sketch Beta.

GPSolo eReport

GPSolo eReport Article Archives

Multi-Factor Bypass Attacks: How to Protect Your Law Firm’s Data

Girish Chiruvolu, Jessica Smith, Ganapati Kuppayya Hegde, and Michael L Diaz


  • Traditionally, law firms have protected their confidential data by using multi-factor authentication (MFA) or two-factor authentication (2FA).
  • Hackers can now thwart multi-factor authentication. What should you do to protect your law firm?
  • The authors propose a new concept: bearer-aware authentication codes that are anti-theft, anti-replay, anti-phish, and anti-bypass.
Multi-Factor Bypass Attacks: How to Protect Your Law Firm’s Data
WangAnQi via Getty Images

Jump to:

It is well known that law firms are particularly enticing targets for hackers, given the nature and amount of sensitive material they tend to hold, such as information on business dealings, confidential processes shared with law firms for evaluation, and upcoming transactions that could affect share prices.

Clients and third parties often share all sorts of confidential information online with law firms on a daily basis. The American Bar Association notes that 62 percent of the respondents to a survey in 2021 used cloud applications such as Dropbox and Google Drive for their law practice, including to exchange confidential information with their clients. Meanwhile, QuickBooks Online and its variants have been the main billing-invoice-payments workhorse cloud applications.

But is this confidential online data secure from the threat of unauthorized access? The risks are great, especially for solo and small firms, which lack the resources of larger firms to withstand the costs of a breach. Just look at two numbers:

  • 29 percent. Yes, 29 percent of the law firms in the United States have been breached. When you sit down for coffee with two other attorney friends, know that at least one of you is likely at some point to be hacked!
  • $108,000. On average it costs a small or medium-sized business $108,000 to recover and clean up after a breach. Malpractice lawsuits, insurance premiums, lost revenue and clients, damage to brand reputation, penalties, and monetary fraud costs can add up quickly.

The Importance of a Secure Login System

Consider the following real-life incident:

Shannon was a solo family lawyer in Connecticut, beloved by clients for an approach so tenacious they called her “El Toro”; and like a real bull, she charged aggressively forward while forgetting to guard her flank. Believing her practice too small to be targeted, she hardly bothered with online security practices . . . until her case management system was breached and she was forced to notify the authorities, her clients, and all related parties that their data had been compromised. . . . El Toro has now slowly and painfully rebuilt trust and business.

This case should remind every law firm about the importance of securing its login credentials from the hands of hackers.

Notably, recent attacks have become more sophisticated. Multi-factor authentication (MFA) and two-factor authentication (2FA), which secure logins to access confidential data and monetary transactions, have become mainstream targets of attack.

Microsoft has reported that between September 2011 and July 2022, more than 10,000 organizations have been targeted by a large-scale cyber-attack that bypasses MFA.  In light of such numbers, law firms need to take extra steps with their current MFA schemes that have become obsolete in the wave of these new attacks.

Underlying Root Cause and the Potency of MFA-Bypass Attacks

In an MFA-bypass attack, a remote hacker or some proxy server (also known as the man-in-middle) intercepts the communication channel between a legitimate user and the authentication system and waits until the user successfully completes the authentication process. The authentication typically includes a password and the “other” multi-factors, such as a one-time passcode sent via SMS (text message) and/or an out-of-band approval sent via a mobile authenticator app. Upon completion of the authentication process, the cybercriminal grabs the authenticated session cookies and “replays” them to gain access. In this way, the attacker does not need to chase your passwords and other MFA in-use. (Click here for a graphic showing an MFA-bypass attack in action.)

While the security community has been screaming “use MFA!,” the hacker community has caught up with this technology, and now we need a way to secure critical online applications with something better than “legacy” MFA protocols.

How to Address MFA-Bypass and Login Credential Hacks

We propose a new concept: bearer-aware authentication codes that are anti-theft, anti-replay, anti-phish, and anti-bypass.

The concept of bearer-aware authentication codes has actually been with us since the introduction of traveler’s checks in the good old days. Carrying cash while traveling risked having the cash stolen. To protect against such theft, financial institutions introduced traveler’s checks; if traveler’s checks were stolen, they would be worthless to thieves due to the additional step of security verification.

In the same way, bearer-aware authentication codes are cross-checked against replay impersonation in order to authenticate a user. These authentication codes are useless for hackers. A real-time proxy looks for authentication cookies, but they would be absent as the authentication system detects impersonation and fails an authentication attempt in which hackers are involved.

Bearer-aware credentials are typically generated from both intrinsic and extrinsic attributes that are observable on the login devices and environment. The bearer-aware credentials are often realized as one-time codes, but special algorithms run behind the scenes, taking into account such attributes. This, in essence, ties the ownership back to the trusted devices on which the user is logging in. A remote hacker or proxy server has different intrinsic and extrinsic attributes inherent to their system, and these can be observed by a bearer-aware authentication system; the cybercriminal cannot mimic nor impersonate the bearer-aware credentials through interception. Law firms using bearer-aware authentication codes are now free to focus on the practice of law rather than worrying about their credentials falling in to wrong hands and the impact of a breach.

For law firms and their clients, the login experience does not change substantially. They will need to do a one-time setup, register their accounts, and (possibly) scan a special QR code in order to generate bearer-aware one-time codes (BOTPs) specific/corresponding to their login devices on their mobile app. The mobile app can auto-generate BOTPs for use when logging in from the same mobile device. When prompted by the authentication system, users simply enter their user ID and BOTPs instead of (optional) passwords or any other multi-factors that are traditionally bearer-agnostic. Upon receiving the credentials, the authentication system cross-checks the validity of codes against the submitter attributes that were used when generating the BOTPs. This is very similar to doing an additional verification when cashing out traveler’s checks compared to cash (bearer-agnostic) transactions.

The benefits of bearer-aware authentication to your law firm include:

  • No uprooting of the existing authentication. The workflow is the same, but you get security against MFA-bypass attacks.
  • No need for passwords. You can phase them out once you are comfortable with bearer-aware authentication codes.
  • No worry of credential leaks. Stolen bearer-aware authentication codes are useless for hackers.
  • No linkage between your user accounts and your website URLs. Imagine you are merging with another firm or you want to change your practice area and rebrand with a new URL; you can avoid thousands of users re-registering as with other authentication schemes.
  • No worries about an overly complex proprietary system. A bearer-aware authentication system is super easy, intuitive, scalable, and portable—unlike lock-ins such as Apple Passkeys.


All law firms with an online presence need to pay attention to three critical security controls: (1) secure login credentials, (2) awareness/training on phishing and email security, and (3) anti-virus/malware with data backups. Bearer-aware authentication can help not only with the first of these but also with the other two. BOTPs cannot be compromised by phishing, as the ownership is verified. And with less worry about login hacks and phishing expeditions, law firms can now focus on the remaining pillar of security control: anti-malware with data backups. Bearer-aware authentication can play a critical role in improving a law firm’s overall security posture, reducing the risk of getting hacked and incurring cleanup and penalty costs—and even the loss of clients.