#CyberMonth: Why MFA Is Not the Panacea the Industry Is Touting it to Be


Multi-factor Authentication (MFA) describes digital authentication solutions that require the user to share two or more “secrets” that only the user and the authentication system should know to prove that the user is who they say they are. MFA is an improvement over simple login names and passwords, which have become so compromised that they have led to hundreds of millions, if not billions, of successful online attacks. You should use MFA where you can to protect valuable data and systems.

Unfortunately, most MFAs will not protect you much better than a password, and the industry isn’t talking enough about the MFA you should use.

Decades ago, the computer industry started developing the first forms of MFA, including digital code generators (formerly known as one-time password generators), biometrics and hardware devices that you plugged into the side of your computer.

Most people who use MFA think they are significantly harder to hack than someone who uses just a logon name and password. For the most part, this is not true. As a result, companies and users are spending time, money, and resources to move their end-users to MFA without substantially reducing risk.

Yet organizations and their users would substantially benefit from picking the right types of MFA. But knowing which MFA is ‘good’ and which is ‘not so good’ isn’t a well-known or widely publicized fact.

All MFA Can Be Hacked

Any MFA solution can be hacked. However, some MFA solutions are far more resilient and resistant to hacking attacks than others. Let’s start with the types of MFA that are more easily hacked and bypassed.

Any MFA solution that produces a digital code, a one-time password (usually 4 to 6 digits long) that a user views and then re-types into a login screen, is considered among the most easily hackable forms of MFA. This is because a hacker can trick a user into revealing their one-time password to the hacker or to a fake website, which the attacker then steals and re-uses on the victim’s real site. It used to be that social engineering hackers mostly stole users’ passwords. Today, they just as easily steal one-time passwords.

An example of this sort of attack is a potential victim being sent an email that fraudulently claims to be from their employer (who uses a one-time password MFA). The email mentions a critical event that the employee must respond to. It may be a payroll issue, HR violation or medical reimbursement.

If the employee clicks on the URL embedded in the email, they are taken to a fraudulent, look-alike site that asks them for their login information. If they don’t realize they are on a rogue site, the hacker receives the information the user types in, including the user’s login name and the one-time password. Today, the most popular malware programs perform this type of MFA hacking.

Push-Based MFA

Some MFA sends users a separate, ‘push-based’ notification message to a secondary location (e.g., cell phone or application) to ‘Approve’ or ‘Deny’ whenever anyone tries to log on as the user to a system protected by push-based MFA.

The idea is that the user should only approve logins that they initiated and expected. If they receive a push-based notification that they were not expecting, they should deny it and report the hacking attempt. In theory, it’s a great authentication solution. Unfortunately, many users will approve login prompts they didn’t initiate. Currently, hackers love systems protected by push-based authentication.

The most popular type of MFA on the Internet is when a system sends a one-time password code by SMS to the cell phone of the user who is logging on. This ties the authentication to the user’s phone number. Unfortunately, it’s too easy for a hacker to get a potential victim’s cell phone number moved to their “burner phone.” The hacker steals the victim’s phone number and then attempts to log on to all the user accounts that send SMS codes.

These three examples are among the most popular forms of hacking MFA, but many others exist. The US government has been cautioning against these types of MFA due to numerous instances of hacking that have occurred repeatedly.

To be clear, you should not be using easily phishable MFA, such as MFA using one-time passwords, push-based MFA, and SMS-based MFA. They are not only easy to hack and bypass, but frequently are.

What is the Solution?

First, if you are picking an MFA solution, pick a phishing-resistant MFA solution. Here is a list of every type of phishing-resistant MFA: https://www.linkedin.com/pulse/my-list-good-strong-mfa-roger-grimes.
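As an added illustration of the difference between the phishable one-time code described earlier and the phishing-resistant MFA recommended here (this is example code, not from the article or any vendor), the Python below simulates a look-alike site relaying whatever the user entered: a TOTP code that the real server accepts no matter where it was typed, versus an origin-bound signed challenge (a simplified, WebAuthn-style HMAC with a device key) that fails because the signature was produced for the wrong origin. Site names, keys and timestamps are constructed for the example.

```python
import hmac, hashlib, struct, secrets

# --- Phishable factor: a TOTP-style one-time code (RFC 6238 construction) ---
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp_verify(secret: bytes, code: str, t: int) -> bool:
    # The server only sees six digits; it cannot tell which site the user typed them into.
    return hmac.compare_digest(totp(secret, t), code)

# --- Phishing-resistant factor: origin-bound challenge/response (simplified) ---
def sign_challenge(device_key: bytes, origin: str, challenge: bytes) -> bytes:
    # The authenticator mixes in the origin the browser is actually connected to,
    # as WebAuthn does via clientDataJSON; a look-alike site yields a different origin.
    return hmac.new(device_key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()

def origin_bound_verify(device_key: bytes, expected_origin: str,
                        challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(sign_challenge(device_key, expected_origin, challenge), response)

def simulate_lookalike_site(t: int = 1_700_000_000):
    """Return (otp_relay_accepted, origin_bound_relay_accepted, origin_bound_legit_accepted)."""
    secret = b"constructed-shared-totp-secret"      # constructed value
    device_key = b"constructed-device-private-key"  # constructed value
    real = "https://login.example.com"              # constructed hostnames
    fake = "https://login-example.com"              # look-alike site

    # 1. OTP: the user reads the code and types it into the fake site; the fake site
    #    forwards it to the real site within the validity window, and it is accepted.
    code_entered_on_fake_site = totp(secret, t)
    otp_relay_accepted = totp_verify(secret, code_entered_on_fake_site, t)

    # 2. Origin-bound: the real site issues a challenge that the fake site forwards, but the
    #    browser signs it for the fake origin, so the relayed response fails at the real site.
    challenge = secrets.token_bytes(32)
    response_from_fake_origin = sign_challenge(device_key, fake, challenge)
    origin_bound_relay_accepted = origin_bound_verify(device_key, real, challenge,
                                                      response_from_fake_origin)

    # 3. Same factor used directly on the real site still works for the legitimate user.
    legit_response = sign_challenge(device_key, real, challenge)
    origin_bound_legit_accepted = origin_bound_verify(device_key, real, challenge, legit_response)

    return otp_relay_accepted, origin_bound_relay_accepted, origin_bound_legit_accepted
```

The TOTP helper matches the RFC 6238 test vectors, so the relay result reflects how real code-based MFA behaves, not a weakened toy.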

Second, no matter what type of MFA you use (and many of us use multiple forms), educate yourself about the common types of attacks against that particular form of MFA and how to recognize the signs of them. If you have an organization that uses MFA, do the same for your end users.
