How Multi-Factor Authentication Protects Accounts From Compromise

Multi-factor authentication blocks over 99% of automated attacks. Learn how TOTP, push notifications, hardware keys, and passkeys each work and how attackers still bypass them.

The InfoNexus Editorial Team, May 17, 2026, 9 min read

One Stolen Password Away

In 2021, the Colonial Pipeline ransomware attack — which shut down fuel supplies across the U.S. East Coast and cost the company $4.4 million in ransom — was traced to a single compromised VPN password with no multi-factor authentication protecting it. That one credential, likely purchased on a dark web marketplace for a few dollars, caused a national infrastructure crisis. The incident crystallized an uncomfortable truth: passwords alone fail spectacularly as a security mechanism, and multi-factor authentication (MFA) represents the single most effective widely available defense.

The Authentication Factor Framework

Authentication factors fall into three categories, each with distinct security properties:

  • Something you know: Passwords, PINs, security question answers. Stolen via phishing, data breaches, or guessing. The weakest category in isolation.
  • Something you have: A phone with an authenticator app, a hardware security key, a smart card. Requires physical possession, making remote attacks far harder.
  • Something you are: Biometrics — fingerprint, face geometry, iris scan. Convenient but not fully revocable if compromised.

MFA requires at least two of these categories simultaneously. Even if an attacker steals your password, they lack your phone or hardware key.

TOTP: Time-Based One-Time Passwords

The most widely deployed MFA method generates six-digit codes that change every 30 seconds. This is TOTP, standardized in RFC 6238. During setup, the service generates a shared secret — a random 80-bit key — that the user stores in an authenticator app like Google Authenticator, Authy, or Microsoft Authenticator. The app and the server then compute the same value, where current_time is the Unix time in seconds:

HOTP(secret, floor(current_time / 30))

Since both sides know the secret and the current time window, they independently generate the same six-digit code. An attacker intercepting the code in transit gets 30 seconds to use it before it expires. TOTP has no server communication during code generation — the entire process is offline and mathematically symmetric.

Push Notifications

Services like Duo Security and Microsoft Authenticator offer push-based MFA: after entering a password, the user receives a push notification on their phone asking them to approve or deny the login. This is more usable than typing a code but introduces phishing risks through MFA fatigue attacks — bombarding a user with approval requests until they tap "approve" by mistake to stop the notifications. In September 2022, an Uber contractor fell victim to this exact technique, giving attackers access to Uber's internal systems.

Hardware Security Keys

Physical hardware keys, most commonly using the FIDO2/WebAuthn standard, provide the strongest commonly available protection. The YubiKey 5 series and Google's Titan Key are the most widely used examples.

During authentication, the server sends a cryptographic challenge. The key signs the challenge using a private key stored in tamper-resistant hardware that never leaves the device. The server verifies the signature against the registered public key. Crucially, each site gets a unique key pair — credential stuffing across sites becomes impossible. The signing also binds the authentication to the specific website origin, making phishing attacks completely ineffective: a fake login page cannot obtain a valid signature for the real site's challenge.

MFA Method          | Phishing Resistant | Remote Attack Resistant | SIM Swap Resistant | Requires Internet
SMS OTP             | No                 | Partially               | No                 | Yes
TOTP (App)          | No                 | Mostly yes              | Yes                | No
Push Notification   | No                 | Mostly yes              | Yes                | Yes
FIDO2 Hardware Key  | Yes                | Yes                     | Yes                | No
Passkeys            | Yes                | Yes                     | Yes                | No

SMS-Based MFA: The Weakest Link

SMS one-time passwords remain the most common MFA implementation despite being the least secure. The cellular network's SS7 protocol, designed in 1975, has known vulnerabilities that allow sufficiently resourced attackers to intercept SMS messages. SIM swap attacks — where attackers convince a carrier to transfer a victim's phone number to an attacker-controlled SIM — have drained cryptocurrency wallets and bypassed account protections at major banks.

The U.S. National Institute of Standards and Technology (NIST) deprecated SMS-based OTP as an authentication method in its 2016 Digital Identity Guidelines (SP 800-63B), calling it "restricted." Despite this, most consumer services still offer it as the only MFA option because it requires no app installation and has high adoption rates.

Passkeys: The Password-Free Future

Passkeys, standardized under FIDO2/WebAuthn and commercially launched by Apple, Google, and Microsoft in 2022–2023, extend hardware key principles to device-native authentication. A passkey is a cryptographic key pair where the private key lives in the device's secure enclave (Apple's Secure Enclave, Android's StrongBox). Users authenticate with biometrics — Face ID, fingerprint — locally, and the device signs the server challenge using the stored private key.

Passkeys sync across devices through cloud keychain (iCloud Keychain, Google Password Manager), solving the hardware key's single point of failure problem. Google reported in 2024 that passkeys were used for more than 800 million accounts, with authentication completing in an average of 14.9 seconds — faster than password entry.

Effectiveness in Practice

Google's internal analysis of its own employee deployments found that requiring hardware security keys for all employees reduced successful phishing of company accounts to zero for the studied period, down from a meaningful number of successful compromises annually. Microsoft data published in 2021 showed MFA blocked 99.9% of automated credential-stuffing and password-spray attacks. The protection is not theoretical. It is measurable and large.

Attack Type                   | Success Rate Without MFA | Success Rate With TOTP MFA | Success Rate With FIDO2
Automated credential stuffing | ~0.5–2%                  | ~0.01%                     | ~0%
Targeted phishing             | ~30%                     | ~10% (via real-time relay) | ~0%
SIM swap                      | N/A (bypasses password)  | Fully vulnerable           | Immune

This gap in phishing resistance is the key reason security professionals recommend hardware keys or passkeys over TOTP for high-value accounts. For the vast majority of users, however, any MFA — even SMS — is vastly better than none.

Tags: MFA, authentication, cybersecurity, account security
