Multi-factor authentication (MFA) is a security mechanism that requires users to present two or more independent authentication factors before granting access. The factors fall into three categories: something you know (password, PIN), something you have (phone, hardware token), and something you are (fingerprint, facial recognition).
How It Works
The most common MFA implementation combines a password with a one-time code. After entering their password, the user receives a time-based one-time password (TOTP) generated by an authenticator app, or a code sent via SMS or email. The server verifies both the password and the code before granting access.
Hardware security keys use the FIDO2/WebAuthn standard to provide phishing-resistant authentication. The key holds a separate credential for each site and signs the server's challenge with it, and the signed response is bound to the site's origin. Even if an attacker tricks a user into entering their password on a phishing site, the hardware key refuses to authenticate because the origin does not match.
Push-based authentication sends a notification to a registered mobile device, asking the user to approve or deny the login attempt. Number-matching variants display a code on the login screen that the user must enter in the mobile app, reducing the risk of accidental approval.
Bypass Techniques
MFA is not immune to attack. SIM swapping transfers a victim's phone number to an attacker-controlled SIM card, intercepting SMS codes. Real-time phishing proxies relay credentials and MFA codes simultaneously, completing authentication before the code expires. MFA fatigue attacks bombard users with push notifications until they approve one to stop the alerts. Session hijacking after MFA completion bypasses the mechanism entirely by stealing the authenticated session.
Why It Matters
MFA dramatically reduces the risk of account compromise from stolen passwords. Even with widespread credential leaks, accounts protected by MFA remain secure against simple credential stuffing attacks. However, MFA implementations must be carefully designed to resist the evolving bypass techniques that attackers employ.