Two-Factor Authentication May Fail You, but You Can Make It More Secure

Two-factor authentication (2FA) is a great way to improve the security of your accounts. But even with this extra layer of security, attackers still find ways to break in. So-called man-in-the-middle attacks use weaker authentication methods to access accounts. Your two-factor and multi-factor authentication (MFA) may be weak, but luckily, you can do something about it.

How multi-factor authentication works

MFA uses two or more checkpoints to verify a user’s identity before granting access to an account or system. This is more secure than relying on a username and password alone, especially considering how easy many passwords are to crack and how many of them have already ended up on the dark web. Passwords are often simple and reused, so if one password is compromised, it can be used to access many accounts. This is why it is so important to use a strong, unique password for each of your accounts.

With MFA, a password on its own is not enough. The user must also verify the login with at least one additional piece of evidence, ideally one that only they have access to. This could be a knowledge factor (a PIN), a possession factor (a code from an authenticator app), or an inherence factor (something you are, such as a fingerprint).

Please note: although 2FA and MFA are often used interchangeably, they are not necessarily the same thing. 2FA uses two factors to verify a user’s login, such as a password plus a security question or an SMS code. With 2FA, both factors can be things the user knows, such as a password and a PIN.

MFA requires at least two factors, and they must be independent: a combination of a knowledge factor, such as a password, plus a biometric identifier or a secure authenticator, such as a security key or one-time password. Generally, the more authentication factors required, the more secure the account is. But if all factors can be found on one device, security is compromised if that device is hacked, lost, or stolen.

MFA can still be compromised

While enabling MFA on your accounts can give you a sense of security, some MFA methods can be compromised almost as easily as your usernames and passwords.

As Ars Technica reports, some knowledge and possession factors are themselves susceptible to phishing. Known as “man-in-the-middle” attacks, they target authentication codes such as those sent via SMS and email, as well as time-based one-time passwords (TOTP) from authenticator apps, allowing attackers to access your accounts using factors you unknowingly handed over to them.


The attack works like this: the attackers send you a message saying that one of your accounts – for example, Google – has been compromised, with a link to log in and lock it down. The link looks real, as does the page you are taken to, but it is actually a phishing page connected to a proxy server. The proxy forwards the credentials you enter to the real Google site, which triggers a legitimate MFA request (and if you have MFA set up on your account, there is no reason to find this suspicious). But when you enter the authentication code on the phishing site or approve the push notification, the proxy relays that too, and you inadvertently give the attacker a logged-in session on your account.

Man-in-the-middle attacks are even easier to carry out thanks to phishing-as-a-service tools sold on online forums.

How to Maximize MFA Security

To get the most out of MFA, consider moving away from factors like SMS codes and push notifications to an authentication method that is resistant to phishing. A better option is MFA based on WebAuthn credentials (biometrics or passkeys) stored in your device’s hardware, or a physical security key such as a YubiKey. The credential is bound to the real site’s origin and only works on, or in proximity to, the device that holds it, so a proxy sitting on a look-alike domain cannot reuse it; this makes man-in-the-middle attacks virtually impossible.
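The reason origin-bound credentials defeat the proxy attack described above is visible in what the real site checks when it receives a login assertion. The following is an added illustration written for this article, not code from the article or from any WebAuthn library: a simulated relying-party verification in which the relying party ID, the expected origin, the credential key and the phishing domain are all constructed, and the real ECDSA/RSA signature is replaced by an HMAC stand-in so the example runs on the Python standard library.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"  # constructed relying party ID
EXPECTED_ORIGIN = "https://example.com"  # the only origin the RP accepts
# Stand-in for the registered credential's public key: real WebAuthn uses an
# ECDSA/RSA key pair; HMAC-SHA256 is used only so this runs on the stdlib.
CREDENTIAL_KEY = b"constructed-credential-key"


def authenticator_sign(challenge: str, origin: str) -> dict:
    """Simulate the browser plus authenticator producing an assertion. The
    browser, not the page's script, fills in `origin` from the page the user
    is really on, so a phishing proxy cannot forge it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, separators=(",", ":")).encode()
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    auth_data = rp_id_hash + b"\x01" + (0).to_bytes(4, "big")  # flags=UP, counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def verify_assertion(assertion: dict, expected_challenge: str) -> str:
    """Relying-party checks; returns 'ok' or the reason the login is refused."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return "challenge mismatch (replay)"
    if cd.get("origin") != EXPECTED_ORIGIN:  # this check is what defeats the proxy
        return "origin mismatch: " + str(cd.get("origin"))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "bad signature"
    return "ok"


def demo() -> tuple:
    challenge = secrets.token_urlsafe(32)  # issued by the real RP for this login
    genuine = verify_assertion(authenticator_sign(challenge, EXPECTED_ORIGIN), challenge)
    # The same real challenge relayed through a phishing page on a constructed look-alike domain:
    proxied = verify_assertion(authenticator_sign(challenge, "https://login-example.test"), challenge)
    return genuine, proxied
```

Contrast this with an SMS or TOTP code, which carries no information about where it was typed: the relayed code is indistinguishable from a genuine one.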

In addition to switching your MFA method, you should also be wary of common phishing red flags. Like many phishing scams, MFA attacks are based on the user’s emotions or anxiety about having their account hacked, as well as a sense of urgency to resolve the problem. Never click on links in messages from unknown senders or respond to purported security issues without first checking their legitimacy.
