Flaws Inherent to Multi-Factor Authentication (MFA) Beware!


Important things to acknowledge about 2FA

Tools like NecroBrowser and Muraena are not the only threats to MFA. The Federal Bureau of Investigation has also warned about techniques such as SIM swapping. In a Private Industry Notification (PIN) sent last September, the FBI said it had observed cybercriminals circumventing multi-factor authentication through a combination of social engineering and technical attacks.



Recent incidents of multi-factor authentication bypass are a reminder that there are several ways around MFA protections, including SIM swapping and transparent reverse proxies such as Muraena and NecroBrowser, which sit between the victim and the real login page and relay the one-time code, and the session cookie it unlocks, in real time.

MFA is Effective and Should be Used

The FBI made clear that its alert should be taken as a precaution, not as a criticism of the effectiveness of MFA, which the agency still recommends companies use.


Instead, the FBI wants users of MFA solutions to be aware that cyber-criminals now have ways around such account protections.


“Multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks,” the FBI said.


Despite the rise in the number of incidents and attack tools capable of bypassing MFA, these attacks are still rare and have not been automated at scale. Last week, Microsoft said that attacks that bypass MFA are so out of the ordinary that it does not even keep statistics on them.

In contrast, Microsoft said that, when enabled, MFA blocks 99.9% of automated account-compromise attempts.

Back in May, Google made a similar point, reporting that users who added a recovery phone number to their accounts (which also enables SMS-based challenges) measurably improved their account security.

“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation,” Google said at the time.

All in all, MFA remains very effective at stopping mass and automated attacks; however, users should be aware that some MFA methods, in particular those relying on SMS codes, can be bypassed.

Where possible, users should choose an MFA method that is not vulnerable to social engineering tricks such as SIM swapping, or to transparent proxies that intercept the one-time code and the session cookie it unlocks. Any code the user reads off a phone and types into a web page can be relayed by such a proxy, because nothing ties the code to the site it was typed into; an origin-bound method such as a FIDO2/U2F security key does not have this weakness.
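To make that distinction concrete, the following is an added example (not the page's code, and not taken from Muraena or NecroBrowser) that simulates both flows in Python using only the standard library: a relying party that accepts RFC 6238 TOTP codes, which a transparent proxy can relay within the 30-second window, and a WebAuthn-style assertion where the browser records the origin it is really on and the relying party rejects anything signed for a look-alike domain. The secret, credential key, challenge bytes and domain names are constructed; HMAC with a shared credential key stands in for the authenticator's public-key signature, which is a simplification that does not change the origin-binding logic.

```python
"""Why a transparent proxy beats TOTP/SMS codes but not origin-bound FIDO2 assertions.

Constructed simulation using only the standard library (added example, not the
page's own code)."""
import base64
import hashlib
import hmac
import json
import struct

# --- TOTP (RFC 6238): what an authenticator app or an SMS gateway produces ---

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HOTP over the time counter, HMAC-SHA1, dynamic truncation (RFC 4226/6238)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_verify_totp(secret: bytes, submitted: str, unix_time: int, skew: int = 1) -> bool:
    """Accept the current code or one step either side. Nothing here ties the
    code to the page the user typed it into."""
    for k in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, unix_time + 30 * k), submitted):
            return True
    return False


def proxy_relays_totp(secret: bytes, unix_time: int) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it
    verbatim to the real site inside the same time window."""
    code_typed_on_phishing_page = totp(secret, unix_time)
    relayed = code_typed_on_phishing_page
    return server_verify_totp(secret, relayed, unix_time)   # True: attacker gets in


# --- Origin-bound assertion (WebAuthn / FIDO2 style) ---
# Simplification: a symmetric credential key and HMAC stand in for the
# authenticator's private key and ECDSA signature.

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def browser_client_data(challenge: bytes, origin: str) -> bytes:
    """The browser, not the page, fills in the origin it is actually on."""
    return json.dumps({"type": "webauthn.get", "challenge": _b64url(challenge),
                       "origin": origin}, sort_keys=True, separators=(",", ":")).encode()


def authenticator_sign(cred_key: bytes, client_data: bytes) -> bytes:
    """Authenticator signs the hash of clientDataJSON (origin included)."""
    return hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()


def rp_verify_assertion(cred_key: bytes, expected_challenge: bytes, expected_origin: str,
                        client_data: bytes, signature: bytes) -> bool:
    """Relying party: check type, challenge freshness, origin, then the signature."""
    try:
        data = json.loads(client_data)
    except ValueError:
        return False
    if data.get("type") != "webauthn.get":
        return False
    if data.get("challenge") != _b64url(expected_challenge):
        return False
    if data.get("origin") != expected_origin:        # this is what defeats the proxy
        return False
    return hmac.compare_digest(authenticator_sign(cred_key, client_data), signature)


def proxy_relays_assertion(cred_key: bytes, challenge: bytes,
                           real_origin: str, phishing_origin: str) -> bool:
    """The proxy passes the real site's challenge through and the victim's key
    signs it, but the browser recorded the phishing origin in clientData."""
    client_data = browser_client_data(challenge, phishing_origin)
    signature = authenticator_sign(cred_key, client_data)
    return rp_verify_assertion(cred_key, challenge, real_origin, client_data, signature)


def legitimate_assertion(cred_key: bytes, challenge: bytes, origin: str) -> bool:
    client_data = browser_client_data(challenge, origin)
    return rp_verify_assertion(cred_key, challenge, origin, client_data,
                               authenticator_sign(cred_key, client_data))


if __name__ == "__main__":
    SECRET = b"12345678901234567890"   # constructed; the RFC 6238 test secret
    CRED_KEY = b"\x01" * 32            # constructed credential key
    CHALLENGE = b"\xab" * 32           # constructed relying-party challenge
    print("TOTP relayed through proxy accepted:", proxy_relays_totp(SECRET, 1_700_000_000))
    print("FIDO assertion relayed through proxy accepted:",
          proxy_relays_assertion(CRED_KEY, CHALLENGE, "https://login.example.com",
                                 "https://login.example.com.evil-proxy.test"))
```

The TOTP branch succeeds for the attacker regardless of how the code was delivered (app or SMS), which is the point the FBI notice makes; the assertion branch fails as soon as the relying party compares the origin the browser recorded against the one it expects, and a proxy cannot rewrite that field without invalidating the signature.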

A Microsoft security engineer has published a comparison of how various MFA methods fare against these bypass techniques; in that table, the strongest options are the ones listed at the bottom.

What is Social Engineering?

Social engineering is the most widely used technique of malicious actors and cybercriminals. It exploits trust, or rather the violation of trust: a measure of manipulation combined with persuasion, used to trick someone into revealing valuable information or taking an action that benefits the attacker. A SIM swap is social engineering aimed at a mobile carrier rather than at the victim: the attacker talks the carrier into moving the victim's phone number to a SIM the attacker controls, after which SMS codes are delivered to the attacker.

What is the Best Method of Multi-Factor Authentication?

Multi-factor authentication can be accomplished in several ways. One method is a hardware security key such as a YubiKey; used as a FIDO2/U2F key it is the strongest option, because the key signs a challenge bound to the website's origin and a transparent proxy on a look-alike domain cannot reuse the response, but not every application supports it. A reliable alternative is an authenticator app on your phone that generates time-based one-time codes. The codes are derived from a shared secret held on the phone, so choose an app whose backups are encrypted and can be restored if the phone is lost or stolen. Keep in mind that a code typed into a phishing page can still be relayed by a proxy, so app-generated codes are stronger than SMS but weaker than a hardware key. The app I use is called Authy. It is a free app and has many instructional tutorials to assist in using it.
