Cybersecurity Glossary

What is Multi-Factor Authentication (MFA)?

Written by IRONSCALES | May 29, 2026 12:00:00 PM

Multi-Factor Authentication Explained

Multi-factor authentication (MFA) is a security method that requires users to verify their identity using two or more distinct factors before gaining access to an account, application, or system. The three recognized factor categories are something you know (a password or PIN), something you have (a phone, hardware token, or security key), and something you are (a biometric such as a fingerprint or facial scan). By requiring multiple factor types, MFA ensures that a compromised password alone is not enough for an attacker to gain access. CISA reports that enabling MFA makes users significantly less likely to have their accounts compromised.

Types of Multi-Factor Authentication

MFA implementations vary widely in both usability and security strength. The most common methods include:

  • SMS and voice one-time passwords (OTP). A numeric code is sent via text message or voice call to the user's registered phone number. NIST SP 800-63B-4 classifies SMS OTP as a restricted authenticator because codes can be intercepted through SIM swapping, SS7 protocol vulnerabilities, or carrier-level social engineering.
  • Authenticator apps (TOTP). Applications such as Google Authenticator or Microsoft Authenticator generate time-based one-time passwords locally on the user's device. These are more secure than SMS because the codes never traverse a network, but they remain vulnerable to real-time phishing through man-in-the-middle proxy attacks.
  • Push notifications. The identity provider sends a prompt to the user's mobile device, which the user approves or denies. Push-based MFA is convenient but susceptible to MFA fatigue attacks, where attackers bombard the user with repeated prompts until one is approved. Number matching (requiring the user to enter a displayed code) mitigates this risk.
  • Hardware security keys (FIDO2/WebAuthn). Physical keys such as YubiKeys use public-key cryptography bound to the specific domain of the service. Because the key's response is tied to the legitimate site's origin, it will not authenticate against a phishing page. CISA and NIST consider FIDO2 keys the gold standard for phishing-resistant MFA.
  • Biometrics. Fingerprint scanners, facial recognition, and iris scans verify the "something you are" factor. Biometrics are typically used as a second factor alongside a device-bound credential rather than as a standalone authenticator, because biometric data cannot be changed if compromised.
  • Passkeys (syncable authenticators). Passkeys use FIDO2/WebAuthn protocols but store the private key in a cloud-synced credential manager (such as Apple iCloud Keychain or Google Password Manager). NIST SP 800-63B-4 recognizes syncable authenticators as phishing-resistant when implemented correctly, offering cross-device support and simplified recovery compared to hardware keys.

Limitations of Multi-Factor Authentication

MFA is not a complete defense. Several attack techniques specifically target MFA-protected accounts:

Adversary-in-the-middle (AiTM) attacks. Reverse-proxy toolkits such as Evilginx and Modlishka sit between the user and the legitimate login page, relaying credentials and MFA codes in real time. Once the user completes authentication, the proxy captures the resulting session token. The attacker then uses that token to access the account without needing the MFA factor again. This is the primary weakness of all non-phishing-resistant MFA methods.

MFA bypass through session hijacking. Even after successful MFA, the authenticated session is only as secure as its token. Attackers who steal session cookies through malware, cross-site scripting, or token replay can access accounts without re-authenticating.

SIM swapping and carrier compromise. Attackers who convince a mobile carrier to transfer a victim's phone number to a new SIM card can intercept SMS-based MFA codes. This technique has been used in high-profile account takeover attacks against cryptocurrency exchanges and corporate executives.

Credential harvesting at scale. Phishing kits now routinely include AiTM proxy capabilities, allowing attackers to harvest both credentials and session tokens in automated campaigns. The combination of credential theft and MFA bypass has made identity and access management a critical layer for organizations that rely on MFA alone.

The shift toward phishing-resistant authenticators (FIDO2 keys and passkeys) directly addresses these limitations by binding authentication to the legitimate service domain, making proxy-based interception ineffective.
