This article is brought to you by Aura.
Watch the video to see how we protect you online.
This article is brought to you by Aura. Watch the video to see how we protect you online.
Start Free Trial
4.7 stars on Trustpilot
Close Button
What is Aura? (1:10)

Does Two-Factor Authentication Prevent Hacking?

MFA is not a silver bullet, but it’s far more effective than a password-only authentication method. In conjunction, also use a VPN, password manager.

MFA is not a silver bullet, but it’s far more effective than a password-only authentication method. In conjunction, also use a VPN, password manager.

Illustration of a speech bubble with a key inside; shown to be emerging from both a laptop and phone

Aura’s app keeps you safe from scams, fraud, and identity theft. Try Aura for free.

4.7 stars as of March 2024

In this article:

    In this article:

      See more

      Aura’s digital security app keeps your family safe from scams, fraud, and identity theft.

      See pricing
      Share this:

      Does Two-factor and Multi-factor Authentication Still Work?

      The short answer is yes. Multi-factor authentication (MFA) can immediately fortify your accounts without requiring a litany of steps on your end.

      Its success has made it one of the most widespread authentication methods around. Nine out of ten IT administrators use it because they know multi-factor authentication works [*].

      However, MFA doesn’t guarantee protection against every type of threat. Hackers find ways to bypass MFA with disturbing tenacity; and worse still, not all MFA methods are equally secure.


      Why you should secure your accounts with MFA

      Setting up MFA on your online accounts is always better than relying entirely on passwords. With password-only authentication, anyone who learns your login credentials can access your account. Every additional authentication factor is another stumbling block between hackers and your identity.

      But there are many different MFA options, and not all of them offer the same degree of protection. Some MFA methods you may be familiar with include:

      • Push notifications
      • Universal second factor (U2F) keys
      • Time-based one-time passwords (TOTP)
      • In-device biometrics

      Some two-factor authentication methods are more susceptible to cyberattacks than others. For example, Uber reported a data breach that involved MFA push notification spamming in September 2022 [*]. All it took was a single user accidentally accepting an MFA request from an unrecognized login.

      ⚠️ Is your information on the Dark Web? Aura scans billions of data points across the internet, Dark Web, public records, and more to alert you if your identity, accounts, and finances are at risk. Try Aura’s privacy protection plans for as low as $3/month.

      How Do Hackers Get Past MFA?

      Some forms of MFA are easier to bypass than others. As of 2023, only 4% of the workforce uses phishing-resistant MFA methods [*]. These methods employ public-key infrastructure (PKI) to generate security keys with an extra layer of protection.

      FIDO2 is a good example of phishing-resistant MFA. It hefts cryptographic key pairs to the authentication process. Once that key is associated with secure biometric data — like your fingerprint — it becomes much more secure than a simple push notification or text message.

      Some MFA methods have known vulnerabilities and may be affectations in the event of an actual breach. Here are some examples of how hackers have overcome MFA security in high-profile data breaches:

      1. Using malware to hack one-time-password (OTP) seeds

      Mobile authenticator apps generate a one-time password seed that matches an MFA response. Hackers can circumvent MFA by attacking your mobile device and compromising these seeds created by your authenticator app [*].

      When this happens, it’s usually because the user has a rooted or jailbroken phone that allows apps to escalate their own privileges. Jailbroken smartphones don’t heed any additional security measures. 

      Malicious apps on such devices can easily excise authentication codes and sensitive data. Older Android mobile phones and models that don't receive updates are especially susceptible to this type of attack.

      2. SIM swapping attacks that target OTPs

      If hackers impersonate you to buy a new SIM card, they can install that SIM card onto a new device and lock you out of your own. If they can also access one of your accounts with MFA enabled, they can intercept your OTP and log in.

      This is exactly what happened when Lapsus$ began targeting high-profile tech companies like Nvidia, Microsoft, and Samsung in 2022 [*]. Attackers hijacked their targets’ accounts by performing fraudulent SIM swaps and using compromised devices to beat MFA security.

      3. MFA fatigue

      MFA fatigue happens when attackers spritz users with MFA push notifications. This kind of a “push bombing” attack works by wearing down the target’s resistance over time.

      In some cases, attackers also use SMS messages, phone calls, and emails. Eventually, the target is exhausted and accepts a login request. Even if this happens by accident, it gives hackers enough time to gain unauthorized access.

      4. Phishing kits that spoof website login pages

      Phishing kits allow hackers to run automated phishing attacks on well-known companies and websites. This is what a group of hackers did when they targeted Twilio and other organizations in 2022 [*]. 

      The attack used SMS phishing to send victims to a spoofed Okta login page. The page asked users for their login credentials and MFA codes.

      Instead of logging them in, the spoofed page sent the data directly to threat actors. They immediately logged in and began stealing customer data.

      5. Enrolling new devices, and disabling MFA entirely

      Starting in May 2021, the FBI caught Russian government-affiliated cybercriminals bypassing MFA by enrolling new devices on compromised accounts [*].

      First, they used brute force methods to muscle into user accounts. They then added a new authentication device to the accounts and logged in by using regular MFA.

      From there, they exploited a “PrintNightmare” vulnerability for administrator privileges. As a result, the MFA service could no longer reach its servers to validate a login.

      6. Adversary-in-the-middle (AiTM) attacks

      AiTM attacks — also called man-in-the-middle attacks — work by manipulating the way websites and applications keep track of your identity.

      Modern web services use cookies to keep track of users; by doing so, they don’t have to authenticate you on every page. In an AiTM attack, hackers steal your session cookies after you’ve logged in and pretend to be you.

      This requires setting up a spoofed website that looks exactly like the site you wish to visit. That spoofed website then acts as a proxy between you and the original website, allowing attackers to access all of the data you share.

      7. Infostealer malware

      Infostealers are a type of malware that scans for login credentials, authentication tokens, and other valuable pieces of data. They often look for credentials stored in browsers and other apps. Some sophisticated infostealers can zero in on the cryptographic components that support MFA.

      This is what happened during the 2020 SolarWinds attack [*]. Hackers had already compromised a smaller part of the organization’s systems and used an infostealer to burrow into its network.

      8. Exploiting MFA misconfigurations

      MFA is just one cog within most cybersecurity systems. This system must also include procedures for people who enroll new devices or lose their authentication credentials.

      These same procedures can leave the door open for attackers. For example, some websites allow users to register new phone numbers when they lose access to an old one.

      If hackers know your password, they may be able to bypass your MFA protection entirely by registering a new phone number and choosing SMS authentication. This is how a security researcher bypassed MFA on his account — by accident [*].

      9. Signal System 7 (SS7) attacks

      In February 2024, at least 100 Payoneer users located in Argentina woke up to find their accounts pilfered by hackers [*].

      Many of the victims had SMS-based MFA enabled on their accounts and shared the same mobile service provider. The evidence suggests that hackers exploited a telephone signaling protocol called Signal System 7 to eavesdrop on text and voice communications.

      SS7 is a telecom protocol that was developed in 1975 and is still in use today. It has remained largely unchanged since then, making it a sitting target for hackers. Similar attacks were also used to spy on the White House as far back as 2018 [*].

      10. Social engineering

      Hackers can also use social engineering tactics to carry out tech support scams that bypass MFA. In August 2023, Russian government-linked attackers set up domains and accounts to impersonate Microsoft tech support [*].

      The hackers approached Teams users in chats to have the users approve MFA prompts. If the user entered the passcode into the Microsoft Authenticator app, the hacker received a token to log in as the user.

      Types of MFA and How They Work

      Beyond a PIN number or password (something you know), MFA also asks for:

      • Something you have — such as an authentication code from an app like Authy.
      • And something you are — a fingerprint or face scan.

      Below are some of the different types of MFA methods and how they work [*].

      Phishing-resistant MFA
      Uses public-key infrastructure or FIDO2 protocols to protect sensitive accounts. Provides very strong security when combined with fingerprints or facial recognition.
      • Resistant to phishing attacks.
      • Immune to attacks that rely on SIM swaps, SS7 exploits, and push bombing.
      App-based authentication with one-time password
      Generates a verification code only accessible through a specific authenticator application like Google Authenticator.
      • Vulnerable to phishing attacks.
      • Resistant to push bombing attacks. SS7 attacks and SIM swaps aren’t applicable.
      App-based authentication with token-based OTPs
      Generates an OTP code only after the user proves that they have a hardware token. Provides an extra layer of security against malicious login attempts.
      • Same as above.
      Mobile push notification with number matching
      Generates a notification prompt that the user must approve. The user must enter a numeric code before accessing the notification.
      • Same as above.
      Mobile push notification without number matching
      Generates a notification prompt that the user must approve. Any user who receives the notification can approve.
      • Vulnerable to phishing attacks, push bombing, and accidental error.
      • Immune to attacks that use SS7 and SIM swaps.
      SMS or voice authentication
      Generates a code and sends it to the user’s phone or email account, with no additional verification.
      • Vulnerable to phishing, SS7, and SIM swap attacks.
      ⛑️ Protect your online accounts, identity, and privacy — with a single app. Aura combines identity and fraud protection with advanced digital security, 24/7 support, and up to $1 million in insurance coverage. Plans start at $3/month.

      Where MFA Alone Can’t Help, Aura Can.

      The best MFA option is PKI-based FIDO MFA, but it tends to be expensive and hard to manage. App-based MFA offers decent security without the vulnerabilities seen with SMS MFA.

      MFA is not a silver bullet, but it’s far more effective than a password-only authentication method. On top of MFA, also consider using:

      • Password managers. You still need to have strong passwords for every account you use. Aura’s password manager lets you create and save unique passwords for each account as you browse and auto-sync across devices.
      • VPNs. Virtual private networks encrypt your traffic online so that websites, advertisers, and hackers can’t track your activity.
      • Antivirus and antimalware tools. Aura’s antivirus software scans every new file on your device for hidden malware.
      • Data broker removal. Aura scans known data broker and people search sites, lodging automatic requests to remove your data on your behalf.

      Aura’s privacy-first plans focus on device security with identity and financial fraud protections. When billed annually, these plans start as low as $3 per user per month.

      Data broker removal, password manager, VPN, and more. See all Aura Privacy plans.
      Need an action plan?

      No items found.

      Award-winning identity theft protection with AI-powered digital security tools, 24/7 White Glove support, and more. Try Aura for free.

      Related Articles

      Does a VPN protect you from hackers? (Illustration)
      Internet Security

      Does a VPN Protect You From Hackers? What To Know

      A virtual private network (VPN) alone won’t keep you safe from hackers and online scammers. Learn how to protect yourself from online threats.

      Read More
      February 15, 2024
      How do hackers get passwords: Header image
      Internet Security

      How Do Hackers Get Passwords? (And How To Stop Them)

      Learn about the warning signs of password cracking, how hackers get passwords, and how to protect your online accounts from cyberattacks.

      Read More
      January 5, 2024

      Try Aura—14 Days Free

      Start your free trial today**