How Two-Factor Authentication Stops Account Takeover Attacks

Two-factor authentication adds a second verification layer beyond passwords. Learn how different 2FA methods work and which provide the strongest protection.

The InfoNexus Editorial Team · May 17, 2026 · 9 min read

Passwords Alone Fail Billions of Times Per Year

Microsoft blocks approximately 1,000 password attacks per second against its infrastructure. The company's own research found that accounts without multi-factor authentication are 99.9% more likely to be compromised than those with it enabled. Yet as of 2024, only 28% of enterprise users had MFA configured on their accounts, and consumer adoption rates remain far lower.

The fundamental problem with passwords as a sole authentication factor is that they can be stolen without the user's knowledge — through data breaches, credential stuffing, phishing, or keyloggers — and then used from anywhere in the world. Two-factor authentication (2FA) addresses this by requiring a second proof of identity that an attacker is unlikely to possess even with the correct password.

The Three Factors of Authentication

Authentication factors fall into three categories, and multi-factor authentication combines at least two from different categories.

  • Something you know: Passwords, PINs, security questions — memorized secrets that can be observed, guessed, phished, or leaked in data breaches
  • Something you have: Physical tokens, smartphones, hardware security keys — possession-based factors that require the attacker to physically obtain the device
  • Something you are: Biometrics — fingerprints, facial geometry, iris patterns, voice — factors that are inherent to the person and difficult to replicate remotely

True MFA requires factors from at least two different categories. A password plus a PIN uses two credentials, but both are "something you know", so a single phishing attack can capture both. A password plus a TOTP code from a smartphone app combines two different categories, meaningfully raising the attack cost.

2FA Methods Compared

Not all 2FA implementations offer equal protection. Understanding the technical mechanism of each method reveals why some can be bypassed and others cannot.

Method | Mechanism | Phishing Resistant | SIM Swap Resistant
--- | --- | --- | ---
SMS OTP | One-time code delivered via text message | No | No
Email OTP | One-time code delivered via email | No | Yes (if email is secured)
TOTP (Google Authenticator) | Time-based OTP generated from shared secret | No | Yes
Push notification (Duo, Okta) | Approve/deny prompt sent to registered device | Partial (MFA fatigue risk) | Yes
Hardware key (FIDO2/WebAuthn) | Cryptographic challenge-response, origin-bound | Yes | Yes
Passkeys | Device-bound FIDO2 credentials, biometric unlocked | Yes | Yes

SMS-based OTP is the weakest form of 2FA. SIM swapping — convincing a carrier's customer service representative to transfer a phone number to an attacker-controlled SIM — bypasses it entirely. The FTC received over 1,400 SIM swap complaints in 2021, up dramatically from prior years. Real-time phishing proxies (AiTM attacks) intercept TOTP codes before they expire, bypassing time-based OTP as well.

How TOTP Works

Time-Based One-Time Password (TOTP), defined in RFC 6238, generates 6-8 digit codes that are valid for 30-second windows. During enrollment, the server generates a shared secret (a random 80-bit key) and transfers it to the user's authenticator app, typically via a QR code.

At login time, both the server and the authenticator app independently compute the current code using the same algorithm: TOTP = HOTP(secret, floor(current_time / 30)), where HOTP is an HMAC-SHA1 hash truncated to the desired digit length. Because both sides use the same secret and the same timestamp, they produce identical codes without any network communication. The 30-second window provides a brief usability buffer while limiting the value of intercepted codes to under a minute.

  • Enrollment security: The shared secret must be stored securely on both the server and the device — if either is compromised, an attacker can generate future codes
  • Backup codes: Most TOTP systems provide single-use backup codes for account recovery when the authenticator device is lost
  • Clock synchronization: TOTP requires synchronized clocks; servers typically accept codes from adjacent 30-second windows to accommodate clock drift

FIDO2 and the Phishing-Resistant Standard

FIDO2 (Fast Identity Online 2) represents a fundamentally different authentication architecture. During registration with a website, the user's device generates a public-private key pair specific to that site's origin (domain). The private key never leaves the device. The public key is stored on the website's server.

At authentication time, the website sends a cryptographic challenge. The device signs the challenge with the site-specific private key and returns the signature. The server verifies the signature with the stored public key. Because keys are bound to specific origins, an attacker cannot redirect authentication to a fake website — a FIDO2 key for bank.com will not sign a challenge from phishing-bank.com. This origin binding makes FIDO2 inherently phishing-resistant in a way that OTP codes are not.

FIDO2 Form Factor | Examples | Binding Mechanism
--- | --- | ---
Roaming hardware keys | YubiKey, Google Titan | USB/NFC device stores private key in secure element
Platform authenticators | Windows Hello, Touch ID, Face ID | TPM or Secure Enclave bound to device hardware
Passkeys (synced) | Apple Passkeys, Google Password Manager | Synced via encrypted cloud across user's devices

MFA Fatigue Attacks and Mitigations

Push notification-based MFA introduced a new attack vector: MFA fatigue. Attackers with stolen credentials repeatedly send push approval requests to the victim's phone, sometimes dozens of times per hour, until the victim accidentally approves or approves out of frustration. This technique was used in the 2022 Uber breach.

Mitigations include number matching (the push notification displays a number the user must match to what appears on the login screen), additional context in push notifications (showing login location and app), and limiting the number of push requests per time window before locking the account.

The trajectory of authentication is clear: the industry is moving toward FIDO2 passkeys as the default credential type. Apple, Google, and Microsoft committed in 2022 to expanding passkey support across their platforms. Passkeys are simultaneously more secure than passwords-plus-OTP and simpler to use — requiring only biometric verification on a registered device, with no codes to enter or capture.
