Is multifactor authentication becoming less effective?

Multifactor authentication(MFA) has been considered to be the go-to security recommendation for organizations and individuals to protect themselves.

Multifactor authentication(MFA) has been considered to be the go-to security recommendation for organizations and individuals to protect themselves. As it is said, it is considered to be confirming identity of the user who is trying to log in to their account, serving as an additional layer of security. Confirming the identity in different methods is what we refer to as “factors”.

Types of Authentication Factors

There are several types of authentication factors that are used which also includes:

  • Knowledge factor: This factor requires the user to enter something that they should know in order to get themselves authenticated such as One-Time Passwords(OTP) that are generated. Other examples for this factor includes the set security questions or Personal Identification Number(PIN) codes.
  • Possession factor: This factor requires the user to possess something that has been set as a requirement to be authenticated, the examples for this factor includes of a mobile phone that receives push notifications to be authenticated, a hardware-based One-Time Password(OTP) generator.
  • Inherence factor: This factor authenticates the user based on the attributes that are unique to each user such as fingerprints or thumbprints.
  • Location factor: This type of factor restricts the authentication of users based on the geographical location that can be retrieved. For example, a company setting up a network for its employees based in a small city doesn’t need to authenticate anyone who’s trying to log-in entirely from a different country or region.

Brute-force/Dictionary attacks

Multifactor Authentication(MFA) protected against dictionary and brute-force attacks unlike messing up with password length and complexities. Brute-force or dictionary attacks are when a common combination letters and numbers is used to guess a password in an automated manner. This is where MFA stepped in to protect us from complicated phishing attacks reducing risks. If an attacker managed to trap someone into letting their login credentials out, the attacker just had to copy-paste the login details. Thanks to MFA, the attackers even with the correct login details were required to prove identity with set “factors”.

The common factors that were used included of receiving a One-Time Password(OTP) on authorized devices that were used for verification. For an attacker, they would need to gain access to such authorized device to finally make use of the login details they stole.

During this time, MFA has been widely adopted and every one of us would be using it through some app or service that we’re using in our routine. The adoption has been quick because MFA is considered to be effective to protect us against phishing attacks and other account takeover attacks.

Evolvement of Threat Environment

However, online threats have been evolving rapidly with time which is why the threat environment has evolved along with it. That makes it important for us to stay a step ahead and implement the recommended so called “best security practices” as they have been protecting us for a while.

According the new data by Google, it seems that MFA has been losing its effectiveness in protecting us over time. This doesn’t mean that MFA is flawed or comprises of a vulnerability or that you should disable it. It simply means that attackers might have been changing their attack methods too, getting past the MFA security barrier.

The recent research published by Google provides us with an overview with its multifactor authentication’s expansion, significantly protecting with over 150 million users in the past year but has only reduced account compromises by 50%.

The numbers stated sound impressive but when compared with the last research they published in 2019, three years back, it tells us there’s a problem. In their previous research, the SMS-based multifactor authentication enabled for its users, through which the users receive a generated one-time password over SMS, managed to successfully block 96% of phishing attacks, 76% of targeted attacks and 100% of the bots. Whereas the other factor they provided their users with, an on-device login prompt, successfully blocked 99% of phishing attacks, 90% of targeted attacks and 100% of the automated bots.

Possible Causes

The differences that can be seen between 2019 and 2022 for the Google’s multifactor authentication includes Google “auto-enabling” its multifactor authentication feature in 2021 for more than 150 million of its users. However it is unclear that the “auto-enabling” was done with considering SMS as the factor for verifying user’s identity as the second step or the on-device prompt.

Although Google did provide us with data on how effective each of the factor for multifactor authentication was but we’re still unaware of the amount of users that opted for each of the factor. The other reason for its effectiveness’s decline could be that more of the users could have been relying on receiving their one-time passwords through SMS, which has been considered less secure to be used as authentication. SMS authentication has witnessed different attacks, letting attackers opt for sim swapping, intercepting text messages through numerous methods.

Another notable difference is that in 2019, the research states that multifactor authentication successfully prevented 350,000 real-world account hijack attempts which is quite impressive. For some reason we can believe that 2019 onwards, the hijack attempts has drastically increased while the account compromises were low during that period.

Reevaluating our “best practices”

This serves as a reminder that the “best practices” that are considered and accepted should be reevaluated in order to see through the progress it has made, helping us make better and informed decisions regarding the security. Multifactor authentication undoubtedly has been recommended and widely adopted by experts and professionals, including individuals which now seems to have been less effective over the years. The reasons for its decline might be different, with the threat landscape changing the attackers constantly look for other ways to get past the additional security layers implemented but this seems like they finally have managed to get past over it.

Multifactor authentication bypassed?

1. Session Hijacking

Whenever we’re able to authenticate ourselves on a website using any verification method, the authenticated login session is maintained through saving a “session ID” in the the browser cookie by the browser itself. This is used by the browser to let us stay logged in to the website for defined session. However, imagining the attack methodologies, if an attacker is able to steal your browser cookies that means the attacker now has access to the “session ID” that was stored by your browser. The stolen cookies could be used by the attacker to trick the websites into believing that they already have been authenticated and hence this bypasses and takes multifactor authentication out of the frame totally.

Cross-site Scripting is the kind of vulnerability, when exploited it lets an attacker steal your browser cookies by their malicious JavaScript attack vector. Although the vulnerability itself doesn’t seem that critical but it’s exploitation speaks for itself.

2. Social Engineering

Social Engineering is exploiting the human resources in order to get privileged information revealed from them. This type of attack method is most commonly used to target individuals and organizations. Although it sounds simplistic, it can become a lot more complicated hence a challenge for the detection systems to prevent it.

A recent example of a successful phishing attack was that an attacker successfully hacked into Dropbox’s GitHub account and accessed their 130 code repositories.

This is relatively a newer type of phishing that has been seen. Open Authorization(OAuth) has been widely adopted and used to authenticate users based on their user accounts on a lot of services, the most famous example is linking Google account anywhere to easily signup or log-in to other third-party apps and websites.

In this scenario, an attacker setups a legitimate looking signup/login page that links the victim’s Google account with the access privileges the attacker requires from the victim and hence can completely takeover the account without going through the hassle of multifactor authentication.

4. Generated Tokens Exploitation

There are a lot of authenticator apps that are widely used such as Google Authenticator, Microsoft Authenticator, Authy etc. These authentication apps always do provide its users with backup codes that are usually generated at the time of the user registration so that the user does not lock their account up in case of not being able access their mobile phone.

These generated backup codes are most of the times are digitally saved by the user in an unsecured manner, this can be a risk as an attacker can steal those and result in taking over the account.

Tips to Strengthen Multifactor Authentication

We have so far discussed the possibilities through which the attackers can get past the multifactor authentication security layer that has been added but there are certain tips to strengthen its effectiveness as well.

  • Using OTP codes with a longer combination of alphanumeric characters with lower and uppercase characters as well, increasing the code’s complexity.
  • Using biometric factor for at least one of the factors that are implemented.
  • Using a unique password, never reuse the same passwords. Leaked passwords are often used as common dictionaries for brute-force attacks.
  • Avoiding SMS based authentication factors, they are considered to be one of the weakest factors.
  • Restricting the number of login attempts for multifactor authentication, rate-limiting is effective to eliminate guesses.
  • Restricting the usage of apps and services that are not trusted, consent phishing eliminates multifactor authentication completely hence should be avoided at all times.
  • Conducting cybersecurity awareness training sessions so that users are trained to keep themselves safe from the modern social engineering attacks that specifically targets the human resources and exploits them.


Everyone repetitively mentions threat environment evolving and attackers looking for newer methods to bypass the current implemented security controls but more importantly, it helps us realize that the set standard or the “best practices” often are good to be implemented but requires frequent checks. Otherwise, the implemented security controls would most likely be only 50% effective over the time.

Have anything to share? Share it in comments or contact us.

Leave a Reply

Your email address will not be published. Required fields are marked *