Does Two-Factor Authentication Prevent Hacking?

MFA is not a silver bullet, but it’s far more effective than a password-only authentication method. Alongside it, also use a VPN and a password manager.

Does Two-factor and Multi-factor Authentication Still Work?

The short answer is yes. Multi-factor authentication (MFA) can immediately fortify your accounts without requiring a litany of steps on your end.

Its success has made it one of the most widespread authentication methods around. Nine out of ten IT administrators use it because they know multi-factor authentication works [*].

However, MFA doesn’t guarantee protection against every type of threat. Hackers find ways to bypass MFA with disturbing tenacity, and worse still, not all MFA methods are equally secure.

Why you should secure your accounts with MFA

Setting up MFA on your online accounts is always better than relying entirely on passwords. With password-only authentication, anyone who learns your login credentials can access your account. Every additional authentication factor is another stumbling block between hackers and your identity.

But there are many different MFA options, and not all of them offer the same degree of protection. Some MFA methods you may be familiar with include:

• Push notifications
• Universal second factor (U2F) keys
• Time-based one-time passwords (TOTP)
• In-device biometrics

Some two-factor authentication methods are more susceptible to cyberattacks than others. For example, Uber reported a data breach that involved MFA push notification spamming in September 2022 [*]. All it took was a single user accidentally accepting an MFA request from an unrecognized login.

How Do Hackers Get Past MFA?

Some forms of MFA are easier to bypass than others. As of 2023, only 4% of the workforce uses phishing-resistant MFA methods [*]. These methods use public-key infrastructure (PKI) to generate cryptographic security keys that add an extra layer of protection.

FIDO2 is a good example of phishing-resistant MFA. It adds cryptographic key pairs to the authentication process. Once that key is tied to secure biometric data — like your fingerprint — it becomes much more secure than a simple push notification or text message.

Some MFA methods have known vulnerabilities and may prove ineffective in an actual breach. Here are some examples of how hackers have overcome MFA security in high-profile data breaches:

1. Using malware to hack one-time-password (OTP) seeds

Mobile authenticator apps derive each one-time password from a secret seed shared with the service when you enroll. Hackers can circumvent MFA by attacking your mobile device and compromising the seeds stored by your authenticator app [*].

When this happens, it’s usually because the user has a rooted or jailbroken phone that allows apps to escalate their own privileges. Jailbroken smartphones don’t enforce the platform’s usual security controls.

Malicious apps on such devices can easily extract authentication codes and sensitive data. Older Android phones and models that no longer receive updates are especially susceptible to this type of attack.
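
As an added example (not from the article), here is a minimal RFC 6238 TOTP implementation in Python showing why a copied seed (this item) or a code relayed through a spoofed login page (item 4 below) defeats this factor. The seed is the published RFC 6238 test vector, not a real credential; the function names are illustrative.

```python
"""RFC 6238 TOTP with the checks a server performs. Example code, not from
the article; DEMO_SEED_B32 is the RFC 6238 test seed, not a real credential."""
import base64
import hashlib
import hmac
import struct

DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32("12345678901234567890")
STEP = 30    # seconds per time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(base64.b32decode(seed_b32, casefold=True), unix_time // STEP)


def verify_totp(seed_b32: str, code: str, unix_time: int, skew: int = 1) -> bool:
    """Server side: accept the current step plus/minus `skew` steps of clock drift,
    comparing in constant time so the check leaks nothing about the expected code."""
    secret = base64.b32decode(seed_b32, casefold=True)
    counter = unix_time // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


def code_from_stolen_seed(seed_b32: str, unix_time: int) -> str:
    """Item 1: whoever holds a copy of the seed computes exactly the code the
    user's app shows, for every future time step, with no further access needed."""
    return totp(seed_b32, unix_time)


def relayed_code_verifies(seed_b32: str, code: str, typed_at: int, delay: int) -> bool:
    """Item 4: a code typed into a spoofed page and forwarded `delay` seconds later
    still verifies, because nothing in the code binds it to the site the user meant."""
    return verify_totp(seed_b32, code, typed_at + delay)


if __name__ == "__main__":
    print(totp(DEMO_SEED_B32, 59))  # "287082" (RFC 6238 vector, truncated to 6 digits)
```

The defensive takeaway is that the seed, not the 6-digit code, is the credential; the code only proves possession of the seed at a point in time.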

2. SIM swapping attacks that target OTPs

If hackers impersonate you to obtain a new SIM card, they can install it in a device they control and lock you out of your own. If they also have the password for one of your accounts with MFA enabled, they can intercept the OTP sent by text and log in.

This is exactly what happened when Lapsus$ began targeting high-profile tech companies like Nvidia, Microsoft, and Samsung in 2022 [*]. Attackers hijacked their targets’ accounts by performing fraudulent SIM swaps and using compromised devices to beat MFA security.

3. MFA fatigue

MFA fatigue happens when attackers flood users with MFA push notifications. This kind of “push bombing” attack works by wearing down the target’s resistance over time.

In some cases, attackers also use SMS messages, phone calls, and emails. Eventually, the target is exhausted and accepts a login request. Even if this happens by accident, it gives hackers enough time to gain unauthorized access.

4. Phishing kits that spoof website login pages

Phishing kits allow hackers to run automated phishing attacks against well-known companies and websites. This is what a group of hackers did when they targeted Twilio and other organizations in 2022 [*].

The attack used SMS phishing to send victims to a spoofed Okta login page. The page asked users for their login credentials and MFA codes.

Instead of logging them in, the spoofed page sent the data directly to the threat actors, who immediately logged in and began stealing customer data.

5. Enrolling new devices, and disabling MFA entirely

Starting in May 2021, the FBI caught Russian government-affiliated cybercriminals bypassing MFA by enrolling new devices on compromised accounts [*].

First, they used brute force methods to muscle into user accounts. They then added a new authentication device to the accounts and logged in by using regular MFA.

From there, they exploited the “PrintNightmare” vulnerability to gain administrator privileges. As a result, the MFA service could no longer reach its servers to validate a login.

6. Adversary-in-the-middle (AiTM) attacks

AiTM attacks — also called man-in-the-middle attacks — work by manipulating the way websites and applications keep track of your identity.

Modern web services use cookies to keep track of users so that they don’t have to authenticate you on every page. In an AiTM attack, hackers steal your session cookies after you’ve logged in and use them to pretend to be you.

This requires setting up a spoofed website that looks exactly like the site you intend to visit. The spoofed site then acts as a proxy between you and the real one, allowing attackers to capture everything you submit, including the session cookie issued after you log in.

7. Infostealer malware

Infostealers are a type of malware that scans for login credentials, authentication tokens, and other valuable pieces of data. They often look for credentials stored in browsers and other apps. Some sophisticated infostealers can zero in on the cryptographic components that support MFA.

This is what happened during the 2020 SolarWinds attack [*]. Hackers had already compromised a smaller part of the organization’s systems and used an infostealer to burrow into its network.

8. Exploiting MFA misconfigurations

MFA is just one cog in a larger security system, which must also include procedures for people who enroll new devices or lose their authentication credentials.

These same procedures can leave the door open for attackers. For example, some websites allow users to register new phone numbers when they lose access to an old one.

If hackers know your password, they may be able to bypass your MFA protection entirely by registering a new phone number and choosing SMS authentication. This is how a security researcher bypassed MFA on his ISC2.org account — by accident [*].

9. Signaling System 7 (SS7) attacks

In February 2024, at least 100 Payoneer users located in Argentina woke up to find their accounts pilfered by hackers [*].

Many of the victims had SMS-based MFA enabled on their accounts and shared the same mobile service provider. The evidence suggests that hackers exploited a telephone signaling protocol called Signaling System 7 to eavesdrop on text and voice communications.

SS7 is a telecom protocol that was developed in 1975 and is still in use today. It has remained largely unchanged since then, making it a sitting target for hackers. Similar attacks were also used to spy on the White House as far back as 2018 [*].

10. Social engineering

Hackers can also use social engineering tactics to carry out tech support scams that bypass MFA. In August 2023, Russian government-linked attackers set up domains and accounts to impersonate Microsoft tech support [*].

The hackers approached Teams users in chats and tried to get them to approve MFA prompts. If the user entered the passcode into the Microsoft Authenticator app, the hacker received a token to log in as the user.

Types of MFA and How They Work

Beyond a PIN or password (something you know), MFA also asks for:

• Something you have — such as an authentication code from an app like Authy.
• And something you are — a fingerprint or face scan.

Below are some of the different types of MFA methods and how they work [*].

Authentication: Phishing-resistant MFA
Overview: Uses public-key infrastructure or FIDO2 protocols to protect sensitive accounts. Provides very strong security when combined with fingerprints or facial recognition.
Threat:
• Resistant to phishing attacks.
• Immune to attacks that rely on SIM swaps, SS7 exploits, and push bombing.

Authentication: App-based authentication with one-time password
Overview: Generates a verification code only accessible through a specific authenticator application like Google Authenticator.
Threat:
• Vulnerable to phishing attacks.
• Resistant to push bombing attacks. SS7 attacks and SIM swaps aren’t applicable.

Authentication: App-based authentication with token-based OTPs
Overview: Generates an OTP code only after the user proves that they have a hardware token. Provides an extra layer of security against malicious login attempts.
Threat:
• Same as above.

Authentication: Mobile push notification with number matching
Overview: Generates a notification prompt that the user must approve. The user must enter a numeric code before accessing the notification.
Threat:
• Same as above.

Authentication: Mobile push notification without number matching
Overview: Generates a notification prompt that the user must approve. Any user who receives the notification can approve.
Threat:
• Vulnerable to phishing attacks, push bombing, and accidental error.
• Immune to attacks that use SS7 and SIM swaps.

Authentication: SMS or voice authentication
Overview: Generates a code and sends it to the user’s phone or email account, with no additional verification.
Threat:
• Vulnerable to phishing, SS7, and SIM swap attacks.
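
As an added example (not from the article), the following Python model contrasts the two push rows above and the MFA fatigue scenario from item 3: a prompt approved blindly succeeds without number matching and is rejected with it. The service design, login identifiers and two-digit challenge are constructed for illustration, not taken from any real product.

```python
"""Push approval with and without number matching. Example code, not from the
article; the service design and identifiers are constructed for illustration."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PushChallenge:
    login_id: str
    number: int            # displayed only on the screen that initiated the login
    approved: bool = False


class PushService:
    """Minimal server-side model of an MFA push flow (assumed design)."""

    def __init__(self, require_number: bool):
        self.require_number = require_number
        self.pending: Dict[str, PushChallenge] = {}

    def start_login(self, login_id: str) -> int:
        """A correct password was submitted: send a push and return the number
        shown on that login screen (two digits, as in common implementations)."""
        challenge = PushChallenge(login_id, secrets.randbelow(100))
        self.pending[login_id] = challenge
        return challenge.number

    def approve(self, login_id: str, entered: Optional[int]) -> bool:
        """The phone approves a prompt; with number matching the user must also type
        the number from the login screen, which only the initiator can see."""
        challenge = self.pending.pop(login_id, None)
        if challenge is None:
            return False
        if self.require_number and entered != challenge.number:
            return False       # blind or mistyped approval is rejected
        challenge.approved = True
        return True


def legitimate_login(service: PushService) -> bool:
    """The real user reads the number from their own screen and types it in."""
    number = service.start_login("alice-laptop")
    return service.approve("alice-laptop", number)


def blind_approval(service: PushService) -> bool:
    """Item 3: a worn-down user taps Approve on a prompt they did not start, so
    they cannot know the number. This is the case number matching is meant to stop."""
    service.start_login("unrecognized-login")
    return service.approve("unrecognized-login", None)
```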

Where MFA Alone Can’t Help, Aura Can.

The best MFA option is PKI-based FIDO MFA, but it tends to be expensive and hard to manage. App-based MFA offers decent security without the vulnerabilities seen with SMS MFA.

MFA is not a silver bullet, but it’s far more effective than a password-only authentication method. On top of MFA, also consider using:

• Password managers. You still need strong passwords for every account you use. Aura’s password manager lets you create and save unique passwords for each account as you browse and auto-syncs them across devices.
• VPNs. Virtual private networks encrypt your online traffic so that websites, advertisers, and hackers can’t track your activity.
• Antivirus and antimalware tools. Aura’s antivirus software scans every new file on your device for hidden malware.
• Data broker removal. Aura scans known data broker and people search sites, lodging automatic requests to remove your data on your behalf.

Aura’s privacy-first plans focus on device security with identity and financial fraud protections. When billed annually, these plans start as low as $3 per user per month.
