Multi-Factor Authentication: How It Works, Why It’s Important and How It Can Be Hacked

Verifying users’ identity through multi-factor authentication (MFA) is an effective way to enhance login security and prevent fraudulent sign-ins. Our MFA guide covers the different factors used in multi-step logins, common pitfalls during MFA implementation and some of the methods hackers use to bypass multi-factor authentication.

What Is Multi-Factor Authentication?

Multi-factor authentication or MFA refers to login procedures that require users to verify their identity through additional steps beyond just their username and password. Additional safeguards such as a one-time password generated through a smartphone app make it harder for attackers to take control of accounts. In theory, they would need access to both a user’s basic credentials as well as their mobile phone or email address. In practice, there are a few methods cybercriminals can use to either break or bypass MFA.

There are different methods of identity verification (i.e. factors) that can be used to implement multi-factor authentication. The most common methods for MFA/2FA are:

  • Something you know: passwords, birth dates, social security numbers, security questions

  • Something you have: key cards, hardware tokens, smartphones with authenticator apps

  • Something you are: facial recognition, voice recognition, fingerprints, biometric data

For the best results, MFA should be based around two or more factors from different categories. Requiring two different passwords, for example, does very little to improve security, since hackers could steal both of them through similar methods. The goal of multi-factor authentication is to make it as difficult as possible for attackers to hijack an account, without creating too many barriers for legitimate users.

Time & Location as MFA Factors

Aside from the three main categories of knowledge, ownership and inherent characteristics, some source also name time and location as factors for multi-factor authentication. However, experts considere these attribtues not strong enough to clearly verify the identity of a user. At least not as the only other attribute in a two-step system.

Time and location can, however, serve as a third or fourth check for additional security or provide a basis for context-based risk analysis. The circumstances surrounding a login attempt help security systems enforce login policies (no sign-ins outside of office hours) or identify suspicious activity (logins from other countries or continents).

What Makes Multi-Factor Authentication So Important?

The importance of two-tier verification can be summarized through a single number: According to Microsoft, accounts without MFA account for 99.9% of all hacked accounts in services like Azure AD and Microsoft 365. In other words, the risk of hackers stealing your account is far greater if you use basic authentication compared to a two-step system.

The Problem with Passwords

The reason behind this mismatched statistic is fairly simple: Despite the fact that nearly every website, application and digital service in the world uses passwords, they offer far less safety than users realize. To cope with having to remember dozens of logins, most people use very weak passwords: short, simple phrases consisting of common words. Brute-force methods such as rapid password guessing can crack these in mere minutes.

But even complex passwords can be easily circumvented using leaked credentials from previous hacks, keyloggers that track your typing or phishing campaigns that convince users to provide their login info voluntariy. In most attack scenarios, password strength does not matter. At least, it makes far less of a difference than adding another security check does.

Employee entering credentials into a login prompt.
When it comes to passwords, most users follow the path of least resistance. Adobe Stock, (c) khunkorn

The Passwordless Future?

Programmers and security experts are well aware that, put simply, passwords suck. They’re awkward to use, a hassle to remember and not particularly secure. Considering all these downsides, the end of passwords has been predicted many times over: In the glorious, passwordless future, users will prove their identity using credential tokens stored in decentralized wallets based on blockchain technology. Or maybe we’ll all carry FIDO keys wherever we go.

Despite the existence of safer methods of identity verification, even ones that are theoretically easier to use, passwords have managed to stick around long past their predicted end. And it seems likely that they’ll serve as the first step of login security for many years to come. Again, the reason is pretty simple: Think of the least tech-savvy person at your current job. Can you picture them successfully using a digital identity wallet or migrating passkeys to a new phone? Yeah, neither can I.

How Secure Is Multi-Factor Authentication?

How secure multi-factor authentication is in practice depends on how it is implemented on both a technical and organizational level. While the use of MFA is a vast improvement over basic authentication methods, it’s important to realize that not all MFA is the same. Here are a few things to keep in mind to make MFA as secure as possible:

  • 1

    Use different factors: A combination of different factors such as knowledge and possession offers the biggest security advantage. Using multiple factors of the same type (such as passwords and security questions) makes it easier for attackers to acquire the necessary information.

  • 2

    Secure storage & use: In order for MFA to keep you safe, users need to treat keys, tokens and login information with the necessary level of care. Storing your one-time use recovery code in a plaintext file on your desktop, for example, is not a good idea. If you use hardware tokens such as FIDO keys, it’s important to store them safely and maintain a detailed inventory.

  • 3

    Avoid weak factors: Not all MFA factors offer the same level of security. Security questions, for example, are considered a relatively weak form of authentication. This is because the correct answers are often easy to guess or research. Text-based MFA, likewise, is considered unsafe since the unencrypted messages can be intercepted or mobile phones taken over through SIM swapping.

Security vs. Usability

As the rate of account takeovers and identity-based attacks continues to grow, login security is becoming an increasingly important concern. While it’s understandable to respond to this trend by looking for the most secure method of verification, there are other factors to consider. As important as MFA is from a security perspective, it should not block business processes or drive users crazy.

Organizations that enforce MFA must strike the right balance between security and usability. This is for two reasons: First, restrictive safety measures can have a negative effect on productivity. If it takes your users forever to sign in to accounts, they have less time to focus on important tasks. Second, the more complex you make security controls, the bigger the temptation to circumvent them by writing down codes, asking coworkers to send credentials, etc.

MFA Vulnerabilities: How Hackers Bypass MFA

Although multi-factor authentication is a huge improvement over to basic login methods, it does not offer 100% security. In fact, no technology does. With MFA quickly becoming the de-facto standard for all sign-ins, cybercriminals are constantly searching for new ways to either break through multi-factor authentication (MFA hacking) or find a way to circumvent it (MFA bypass).

The methods hackers use to get around multi-factor authentication range from manipulation and social pressure, to exploiting technical flaws like zero day vulnerablities or using compromised devices to spy on the sign-in process. You’ll find an overview of the most common MFA attacks below.


Social Engineering

Social engineering attacks are intended to manipulate users into giving up sensitive information that can be used to take control of their account. This often takes the form of phishing mails that impersonate a legitimate service and ask the target to “verify” their personal data or link them to a fake login page.

To increase their chance of success, hackers create pressure by telling victims that inaction will have disastrous consequences. For example, phising emails may claim that “Your account is at risk!” and that “urgent action is required“.

MFA Fatigue attacks employ a different form of pressure by bombarding users with verification prompts until they confirm the fraudulent login out of frustration.


Spoofing & Fake Sites

By copying the official login page of a service, scammers hope to trick users into completing the MFA process on their behalf. This attack often begins with a phishing mail that links to a nearly indistinguishable copy of a familar website.

When a person enters their username and password, a script forwards the login information to the legitimate site and uses it reach the second stage of the login process. Once the site asks for a additional verification, the MFA prompt is copied and displayed on the fake site so the user can complete it.

After the user enters the necessary information, they are usually forwarded to another page citing some sort of technical issue. Meanwhile, the attacker uses the completed MFA prompt to sign into their account. Because the spoofed site acts as an intermediary between the account owner and the real site, this method is also known as a man-in-the-middle attack.


Recovery Attacks

Another vulnerability commonly exploited in MFA attacks is the fact that many services use weaker forms of identity verification for account recovery than they do for sign-ins. In many cases, all you have to do to disable MFA and reset the account password is answer a security question or provide basic personal data. These can be easily acquired with a bit of research.

Account recovery cannot rely on a person having access to their normal method of multi-factor authentication. After all, people do lose their mobile phones. But that doesn’t change the fact that less strict checks make the recovery process a potential security risk. This is also true on the user side if one-time use recovery codes are improperly stored. Finally, recovery attacks can also take the form of fraudulent phone calls to tech support.

Criminal making a scam call to customer support to disable MFA.
“Hi, I locked myself out of my account, could you reset the password for me?” Adobe Stock, (c) Elnur

Session Hijacking

By hijacking an active session, attackers can bypass the login process entirely and trick a service into thinking they already cleared it. For web-based applications, this requires stealing the session cookie used to identify a specific account. This can be achieved if attackers have access to the device the user logs in from or can somehow intercept network traffic. Cookie harvesting can be difficult to spot as it a relatively unobtrusive process that does not require elevated privileges such as admin access.

Once criminals have a stolen cookie, they can continue the active session on another device. The risk and potential damage of attacks like these can be limited by enforcing session timeouts and MFA challenges for changes to account settings. This has already become the standard for services such as online banking.

Enforcing Account Security with Identity Management

Many MFA vulnerabilities can be mitigated through the right countermeasures: phishing filters, session time-outs, time limits after failed login attempts. But even if your organization follows all recommendations and best practices for multi-factor authentication, you can never rule out a successful attack on an account in your network. Aside from technical exploits, the human factor alone makes total security impossible.

As part of their security strategy, organizations must also plan for the worst case scenario: What happens if an attacker manages to bypass login security? Which systems and applications are at risk if they gain access to one of your accounts? To minimize the risk and damage of cyberattacks, modern approaches to cybersecurity such as zero trust and least privilege are based on granting each user the least amount of access needed for their job.

To enforce this policy, companies must match each user’s access rights to their business role. That means permissions must be added, updated and removed whenever a user joins, leaves or takes on additional responsibilities. Of course, these changes not only have to be logged for future review, but also synced to every relevant application in your IT infrastructure: Active Directory, Microsoft 365, your HR software and other business-critical applications.

If the prospect of implementing all these changes manually is making your head spin: Don’t worry! The good news is that identity and access management solutions like tenfold automate the entire process of updating accounts and permissions (also known as user lifecycle management). This allows your IT staff to focus on more important tasks while maintaining a big picture view of your access landscape. Thanks to central permission reporting that breaks down data from all connected systems, you’ll always know who in your organization has access to what.

tenfold feature Overview

Watch Now: Fully Automated Account Management with tenfold

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.