Did you know that MFA is hackable? What can you do about it?

Multi-factor authentication (MFA) is an identity verification method that adds a security layer beyond two-factor authentication (2FA) and beyond credentials such as usernames and passwords. It offers increased assurance that users are who they claim to be before they are given access to a network, an online account (such as a bank account), or an app.

Multi-factor authentication is a critical part of identity and access management (IAM). It can help to reduce cybersecurity risks that include account takeover attacks, credential stuffing attacks, and cyberattacks that compromise personal data.

Before we can delve into how it’s possible to hack MFA, let’s look at how multi-factor authentication works.

Understanding how MFA works

Multi-factor authentication helps verify an individual's identity by asking them to provide several types of information, known as factors, before they can access an application or an account.

These factors fall into three categories.

  • Something you have. Also referred to as possession-based factors. These include physical tokens such as a credit card, a key fob, or a mobile device. Because these factors can store and receive login credentials, they are considered more secure than knowledge-based factors. The concern with using a possession-based factor as the sole authentication method is that it can be lost or stolen, and it is also vulnerable to several types of cyberattack. As a stand-alone factor, it provides a medium level of security.
  • Something you know. Also referred to as knowledge-based factors. This could include passwords, PINs, or the answers to your security questions. This information is considered to be easily guessed, easily lost, and often vulnerable to cybercriminals through social engineering and phishing attacks. As a stand-alone factor, a knowledge-based factor offers the least amount of assurance.
  • Something you are. Also referred to as biometric factors. These factors can provide the highest level of assurance because they are unique to each user. They include voice characteristics, facial features, fingerprints, or the iris. Biometric factors don't need to be stored or remembered, so they are much less likely to be vulnerable to cybercriminals, which makes them the safest choice for multi-factor authentication.

To make multi-factor authentication as strong as possible, it's essential to combine factors of different types, such as your smartphone and a PIN. A cybercriminal may get hold of your PIN through a phishing attack, but obtaining both your PIN and your smartphone is a much greater challenge. This raises your level of security.

Getting down to the hacking

Many organizations tout the idea that MFA is nearly impossible to hack. The reality is that it's not impossible. It is simply an added layer of protection that makes it more challenging for cybercriminals. As we've mentioned previously, most cybercriminals are lazy. They want to find the vulnerabilities that can be easily exploited. They want to see the open window that will let them enter your home without much of a barrier.

MFA can potentially be overcome by a determined cybercriminal who knows their way around the MFA solution that is being used.

Social engineering is a vital part of hacking MFA protections, as are technical attacks that target the MFA technology itself. Some attacks on MFA combine several methods and are helped by vulnerable transitions between the linked steps in the process: identity, authentication, and authorization.

The following attacks on MFA are effective and well known. You may even have been a victim of some of them.

  • Account or password recovery schemes
  • SIM swapping
  • Man-in-the-endpoint
  • SMS-based MFA attacks
  • Network session hijacking

Some in the cybersecurity field believe that there are countless methods for cracking multi-factor authentication. Alarming as that may be, the truth is that MFA still brings plenty of benefits, and there are also a number of options that protect against MFA attacks.

Protecting against MFA attacks

Multi-factor authentication is considered more secure than other authentication options. So it's natural to wonder how to defend against attacks on something that is already considered the more secure option.

Just one weak link can snap the chain

Protecting against a direct multi-factor authentication attack starts with being aware that such attacks can and do happen. With that understanding, you will be better prepared to put a process in place that helps defend against phishing, malware, and other attacks.

Education is key. Employees and users should both be trained on how to recognize the underhanded tactics that cybercriminals can use to fool their potential victims into installing malware. Ensure that your vendors have robust policies and procedures to help prevent bad actors from tampering with systems and hardware.

User identity

Does your multi-factor authentication solution verify user identity alongside the authentication factor used to gain access to a system? If it does not, a fraudster can potentially swap out the user identifier. This is most often referred to as a subject hack, because it is the user's user principal name (UPN) that the fraudster tampers with.

Unless system and network admins know to look for and log UPN changes, this is a breach that can be difficult to track. It's no secret that password authenticators need to be secured. However, the protection and monitoring of other authentication attributes is just as important. Neglecting it leaves those attributes open to being changed and exploited.
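The detection the paragraph above calls for, logging UPN changes and noticing when a login follows one, can be automated. The script below is an added example written for this article, not ZenKey code or any product's API. It assumes a simple key=value audit-log format, the event names upn_changed and mfa_login, and a 24-hour correlation window; the log lines are constructed for the illustration. It lists every UPN change and raises an alert when a successful MFA sign-in uses the new UPN within the window of the change, the pattern that would follow a subject hack.

```python
"""Flag UPN changes in audit logs and correlate them with later MFA sign-ins.

Added example for this article, not ZenKey code. The key=value log format,
the event names, and the 24-hour window are assumptions for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

WINDOW = timedelta(hours=24)  # assumed window between a UPN change and a suspicious login

# Constructed sample audit lines (not real log data). Deliberately out of order.
SAMPLE_LOG = """\
ts=2024-05-01T08:00:00 event=mfa_login account_id=1001 upn=alice@example.com result=success actor=alice@example.com
ts=2024-05-01T09:15:00 event=upn_changed account_id=1001 old_upn=alice@example.com new_upn=a.smith@example.com actor=helpdesk@example.com
ts=2024-05-01T09:20:00 event=mfa_login account_id=1001 upn=a.smith@example.com result=success actor=a.smith@example.com
ts=2024-05-01T10:00:00 event=upn_changed account_id=2002 old_upn=bob@example.com new_upn=bob.j@example.com actor=bob@example.com
ts=2024-05-03T11:00:00 event=mfa_login account_id=2002 upn=bob.j@example.com result=success actor=bob.j@example.com
ts=2024-05-01T12:00:00 event=mfa_login account_id=3003 upn=carol@example.com result=failure actor=carol@example.com
"""


@dataclass
class Event:
    ts: datetime
    fields: Dict[str, str]


@dataclass
class Alert:
    account_id: str
    old_upn: str
    new_upn: str
    changed_by: str
    changed_at: datetime
    login_at: datetime


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict (values contain no spaces in this format)."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def parse_log(text: str) -> List[Event]:
    """Parse all non-empty lines and sort them chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        events.append(Event(datetime.fromisoformat(fields.pop("ts")), fields))
    return sorted(events, key=lambda e: e.ts)


def find_upn_changes(events: List[Event]) -> List[Event]:
    """Every UPN change is worth recording, whoever made it."""
    return [e for e in events if e.fields.get("event") == "upn_changed"]


def correlate(events: List[Event], window: timedelta = WINDOW) -> List[Alert]:
    """Alert when a successful MFA login uses the new UPN within `window` of the change."""
    alerts = []
    for change in find_upn_changes(events):
        f = change.fields
        for e in events:
            g = e.fields
            if (
                g.get("event") == "mfa_login"
                and g.get("result") == "success"
                and g.get("account_id") == f["account_id"]
                and g.get("upn") == f["new_upn"]
                and change.ts <= e.ts <= change.ts + window
            ):
                alerts.append(Alert(f["account_id"], f["old_upn"], f["new_upn"],
                                    f["actor"], change.ts, e.ts))
                break  # one alert per change is enough for triage
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for c in find_upn_changes(evs):
        print("UPN change:", c.ts, c.fields["account_id"], c.fields["old_upn"], "->", c.fields["new_upn"])
    for a in correlate(evs):
        print("ALERT: account", a.account_id, "renamed by", a.changed_by, "at", a.changed_at,
              "then signed in as", a.new_upn, "at", a.login_at)
```

On the sample data, account 1001 is renamed by the help desk and signed in under the new name five minutes later, so it is alerted; account 2002's login comes two days after its rename and falls outside the window, so it is only logged. In practice the window and the list of actors allowed to rename accounts would come from your own policy.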

Hardware and malware hacks

If a fraudster gains admin access to a user's device, either by directly compromising the hardware or through malware, it's best to assume that all data on the device has been compromised.

Some trojans are designed to sit quietly and monitor the browsing activity on a device. Once the trojan detects that the user is logging into a bank account, it opens a hidden browser session that the user can't see. Once the user has completed the MFA steps, that hidden session has access to the user's bank account and can transfer money out at will. This is just one example of what fraudsters can do once they control a device. At this level of device access, most MFA security steps won't help at all, and the problem has to be handled with a more aggressive approach.


Above all, it's essential to be aware that MFA security can be breached. As with every security method, you should expect cybercriminals to sniff out vulnerabilities and take a swing at each of the authentication factors you put in place. Adding security measures to bolster each layer of your multi-factor system, such as enforcing a durable password security policy, goes a long way towards a robust cybersecurity strategy.


Do you need a more secure cybersecurity solution? ZenKey offers the robust authentication, verification, and fraud detection solution that your business needs, and your users deserve. Let's start a conversation.