Multi-Factor Authentication: Layers of Security Beyond Passwords
Multi-factor authentication requires multiple verification forms to grant access, stopping most credential-based attacks. Learn MFA types, how each works, and their relative strength.
The Password Problem
Passwords are a failed authentication mechanism. Not conceptually — a strong, unique password is cryptographically sound — but practically. People reuse passwords across services. They choose predictable patterns. Data breaches expose billions of credentials. Credential stuffing attacks systematically test stolen username-password pairs against other services. The result: a compromised password from a minor service breach can unlock accounts on banks, email providers, and corporate systems if the same credentials are reused.
Google's 2019 analysis found that multi-factor authentication blocks 100% of automated bot attacks, 99% of bulk phishing attacks, and 66% of targeted attacks — even when the attacker knows the user's password. This data makes MFA one of the highest-impact security controls available.
The Three Authentication Factors
Authentication factors are classified into three categories, each representing a fundamentally different way to prove identity. Multi-factor authentication requires presenting credentials from at least two different categories.
| Factor Category | Description | Examples |
|---|---|---|
| Something you know | A secret stored in memory or recorded | Password, PIN, security question answer, passphrase |
| Something you have | A physical object or cryptographic token | Hardware security key, smart card, mobile phone (for OTP), authenticator app |
| Something you are | A biometric characteristic intrinsic to the person | Fingerprint, facial recognition, iris scan, voice recognition |
A system requiring only a password and a security question uses two "something you know" factors — both can be defeated by the same attack (data breach). True multi-factor authentication combines different categories, so compromising one factor does not automatically compromise another.
Types of Second Factor: Compared
Not all second factors are equally secure. The landscape ranges from SMS-based codes (widely adopted, but vulnerable) to hardware security keys (highly secure but requiring hardware purchase and distribution).
| MFA Method | How It Works | Phishing Resistant? | Strength |
|---|---|---|---|
| SMS OTP | One-time code sent to registered phone number via text message | No | Weak — vulnerable to SIM swapping and real-time phishing |
| Email OTP | One-time code sent to registered email address | No | Weak — depends entirely on email account security |
| TOTP (Authenticator App) | Time-based one-time passwords generated by an app (Google Authenticator, Authy) using a shared secret and current time (RFC 6238) | No | Moderate — better than SMS; still interceptable in real-time phishing |
| Push notification | Authentication request sent to registered device; user approves or denies | No | Moderate — vulnerable to MFA fatigue attacks (repeated push spam) |
| FIDO2 / WebAuthn hardware key | Cryptographic challenge-response using public key cryptography; key is bound to specific origin | Yes | Strong — origin binding prevents phishing; no shared secret to steal |
| Passkeys (FIDO2 on device) | Device-bound or synced FIDO2 credential; biometric unlocks private key; no passwords | Yes | Strong — same cryptographic properties as hardware key; built into OS |
How TOTP Works
Time-based One-Time Passwords (TOTP), defined in RFC 6238, are the technology behind Google Authenticator, Microsoft Authenticator, Authy, and similar apps. During setup, the server generates a secret key and shares it with the authenticator app, typically via QR code; the app stores this secret securely on the device. To generate a code, the app computes HMAC-SHA1 keyed with the shared secret over a counter derived from the current Unix timestamp (the number of elapsed 30-second intervals), then truncates the result to a 6- or 8-digit code. Because the server knows the same secret and the current time, it performs the same calculation and compares the result; the secret itself is never transmitted after enrollment.
The vulnerability of TOTP to real-time phishing is well-documented. An attacker's phishing site can prompt the user to enter their TOTP code and immediately replay it to the legitimate service — the 30-second validity window is sufficient. This attack was used in the 2022 Twilio breach that compromised Signal user phone numbers.
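The calculation described above, as an added example that is not part of the original article: an RFC 4226/6238 implementation with the server-side checks a practitioner would expect (drift window, constant-time comparison, and rejection of a code that has already been accepted). The secret is the ASCII string from the RFC test vectors; the verifier's 30-second step and one-step drift window are ordinary choices, not values the article specifies.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
)

// hotp implements RFC 4226: HMAC-SHA1 keyed with the shared secret over the
// 8-byte big-endian counter, followed by dynamic truncation to `digits` digits.
func hotp(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totp implements RFC 6238: the counter is the Unix time divided into fixed steps.
func totp(secret []byte, unix int64, step int64, digits int) string {
	return hotp(secret, uint64(unix/step), digits)
}

// Verifier is the server side: it holds the same secret and recomputes the code.
type Verifier struct {
	secret   []byte
	step     int64
	digits   int
	window   int64 // steps of clock drift tolerated on either side of "now"
	lastStep int64 // newest time step whose code was accepted; -1 if none yet
}

func NewVerifier(secret []byte, digits int, window int64) *Verifier {
	return &Verifier{secret: secret, step: 30, digits: digits, window: window, lastStep: -1}
}

// Verify accepts a code for the current step or a step within the drift window,
// but never for a step at or before one already used, so a code that was
// accepted once cannot be submitted a second time (RFC 6238 section 5.2).
func (v *Verifier) Verify(code string, unix int64) bool {
	current := unix / v.step
	for delta := -v.window; delta <= v.window; delta++ {
		candidate := current + delta
		if candidate <= v.lastStep {
			continue
		}
		expected := hotp(v.secret, uint64(candidate), v.digits)
		// Constant-time comparison so a partially correct code is not detectable by timing.
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastStep = candidate
			return true
		}
	}
	return false
}

func main() {
	// Constructed input: the ASCII secret used in the RFC 4226/6238 test vectors.
	secret := []byte("12345678901234567890")
	fmt.Println("TOTP at t=59:", totp(secret, 59, 30, 8)) // 94287082 per RFC 6238
	v := NewVerifier(secret, 6, 1)
	fmt.Println("first use:", v.Verify("287082", 59)) // true
	fmt.Println("replay:   ", v.Verify("287082", 70)) // false: same 30-second step
}
```

The replay check above is what stops a code from being reused after the legitimate user has logged in; it does nothing against the relay attack described in the paragraph above, because the attacker submits the freshly phished code before the user does, inside the same 30-second step.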
FIDO2 and Passkeys: Phishing-Resistant Authentication
FIDO2 (Fast Identity Online 2) is the most significant advancement in authentication technology in decades. During registration, the authenticator (hardware key or device) generates a public-private key pair unique to the specific website's origin (domain). The private key never leaves the authenticator. The public key is registered with the website.
During authentication, the website sends a challenge. The authenticator signs it with the private key. The website verifies the signature with the stored public key. Because the key pair is cryptographically bound to the specific origin, a phishing site on a different domain cannot receive a valid signed challenge — the authenticator simply will not respond to requests from unregistered origins. This origin binding is why FIDO2 is genuinely phishing-resistant in a way that OTPs are not.
- YubiKey (Yubico), Google Titan, Apple hardware security module (built into iPhones and Macs) are common FIDO2 authenticators
- Passkeys extend FIDO2 to device-based credentials that can be synchronized across devices via iCloud Keychain or Google Password Manager
- Apple, Google, and Microsoft all support passkeys natively as of 2022–2023
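The registration and challenge-response flow described above, as an added example that is not part of the original article and not the code of any FIDO2 library: a small model of an authenticator, a browser and a relying party. Ed25519 stands in for the real credential algorithm, the relying party ID and origins are constructed, and the model keeps only the parts of WebAuthn that produce origin binding (the browser fixing the origin in the client data, the authenticator scoping keys to a relying party ID, and the signature covering both).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// clientData carries the fields of WebAuthn's clientDataJSON that matter here.
// The browser, not the web page, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the signed response the relying party receives.
type Assertion struct {
	ClientDataJSON []byte
	RPIDHash       []byte // SHA-256 of the relying party ID, as in authenticatorData
	Signature      []byte
}

// Authenticator keeps one private key per relying party ID; keys never leave it.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register creates a key pair scoped to rpID and hands out only the public key.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = priv
	return pub
}

// sign covers rpIdHash || SHA-256(clientDataJSON), so the origin the browser
// recorded is protected by the signature and cannot be rewritten afterwards.
func (a *Authenticator) sign(rpID string, cd clientData) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential for " + rpID)
	}
	cdJSON, _ := json.Marshal(cd)
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(cdJSON)
	sig := ed25519.Sign(priv, append(rpHash[:], cdHash[:]...))
	return &Assertion{ClientDataJSON: cdJSON, RPIDHash: rpHash[:], Signature: sig}, nil
}

// BrowserGet models navigator.credentials.get(): the browser derives the relying
// party ID from the page's own origin, so a phishing page cannot request another
// site's credential, and the authenticator holds no key for the phishing domain.
func BrowserGet(a *Authenticator, pageOrigin, challenge string) (*Assertion, error) {
	u, err := url.Parse(pageOrigin)
	if err != nil {
		return nil, err
	}
	return a.sign(u.Hostname(), clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
}

// RelyingParty is the server: it stores the public key and checks assertions.
type RelyingParty struct {
	rpID, origin string
	pub          ed25519.PublicKey
}

// Verify runs the checks that make a challenge relayed through another domain fail.
func (rp *RelyingParty) Verify(challenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch (stale or replayed)")
	case cd.Origin != rp.origin:
		return errors.New("origin mismatch: " + cd.Origin)
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if string(as.RPIDHash) != string(want[:]) {
		return errors.New("rpId hash mismatch")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	signed := append(append([]byte{}, as.RPIDHash...), cdHash[:]...)
	if !ed25519.Verify(rp.pub, signed, as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	rp := &RelyingParty{rpID: "example.com", origin: "https://example.com"} // constructed
	rp.pub = auth.Register(rp.rpID)
	challenge := "constructed-random-challenge" // a real server draws this at random per login
	as, _ := BrowserGet(auth, "https://example.com", challenge)
	fmt.Println("legitimate login:", rp.Verify(challenge, as))
	_, err := BrowserGet(auth, "https://example.com.login-phish.test", challenge)
	fmt.Println("phishing page:", err)
}
```

Two of the checks in Verify carry the weight: the origin comparison rejects an assertion that was signed for a different site, and the signature check rejects client data whose origin field was edited after signing. Together they are why a relayed challenge is worthless to a lookalike domain, unlike a relayed OTP.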
MFA Fatigue Attacks
The 2022 Uber breach demonstrated a novel social engineering attack against MFA: the attacker obtained Uber employees' credentials through phishing, then bombarded their phones with push notification authentication requests at all hours. The attacker then contacted one employee by phone, posing as Uber IT support, and convinced them to approve the notification. The employee complied, granting access.
Countermeasures for MFA fatigue attacks include: number matching (push notification shows a number that must match what's displayed on the login screen), additional context in push notifications (location, application), and rate limiting on push notification requests. FIDO2 hardware keys and passkeys are completely immune to fatigue attacks because they require physical interaction with the authenticator.
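Two of the countermeasures listed above, number matching and rate limiting, in working form as an added example that is not part of the original article and not any vendor's push service: each challenge carries a number the user must type from the login screen and context (location, application) for the device to display, a wrong answer burns the challenge, and a per-user cap stops a flood of requests from ever reaching the phone. The limits, the two-digit number, and the user and location values are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrRateLimited    = errors.New("too many push requests; use another factor")
	ErrNumberMismatch = errors.New("number does not match the login screen")
	ErrUnknown        = errors.New("unknown, already used or expired challenge")
)

// PushChallenge is shown on both sides: the login page displays Number, the
// phone displays Location and App and asks the user to type Number.
type PushChallenge struct {
	ID       string
	Number   int
	Location string
	App      string
	Expires  time.Time
}

// PushService issues and settles push challenges with number matching and a
// per-user rate limit on how many pushes may be sent within a window.
type PushService struct {
	maxPerWindow int
	window, ttl  time.Duration
	sent         map[string][]time.Time // user -> timestamps of recent pushes
	pending      map[string]PushChallenge
}

func NewPushService(maxPerWindow int, window, ttl time.Duration) *PushService {
	return &PushService{maxPerWindow: maxPerWindow, window: window, ttl: ttl,
		sent: map[string][]time.Time{}, pending: map[string]PushChallenge{}}
}

func randomBelow(n int64) int64 {
	v, err := rand.Int(rand.Reader, big.NewInt(n))
	if err != nil {
		panic(err)
	}
	return v.Int64()
}

// Request issues a push unless the user has already received maxPerWindow pushes
// within the window, so a flood of requests is cut off instead of reaching the phone.
func (s *PushService) Request(user, location, app string, now time.Time) (PushChallenge, error) {
	recent := s.sent[user][:0]
	for _, ts := range s.sent[user] {
		if now.Sub(ts) < s.window {
			recent = append(recent, ts)
		}
	}
	s.sent[user] = recent
	if len(recent) >= s.maxPerWindow {
		return PushChallenge{}, ErrRateLimited
	}
	s.sent[user] = append(recent, now)
	ch := PushChallenge{
		ID:       fmt.Sprintf("%s-%d", user, randomBelow(1<<31)),
		Number:   int(randomBelow(100)), // two-digit number the user must type on the phone
		Location: location, App: app, Expires: now.Add(s.ttl),
	}
	s.pending[ch.ID] = ch
	return ch, nil
}

// Approve settles a challenge. Each push can be answered once: a wrong number
// burns it, so tapping "approve" without seeing the login screen cannot succeed.
func (s *PushService) Approve(id string, typed int, now time.Time) error {
	ch, ok := s.pending[id]
	if !ok {
		return ErrUnknown
	}
	delete(s.pending, id)
	if now.After(ch.Expires) {
		return ErrUnknown
	}
	if typed != ch.Number {
		return ErrNumberMismatch
	}
	return nil
}

func main() {
	s := NewPushService(3, time.Minute, 30*time.Second) // constructed limits
	now := time.Now()
	for i := 0; i < 4; i++ {
		ch, err := s.Request("alice", "Berlin, DE", "VPN", now)
		fmt.Printf("push %d: id=%q number=%02d err=%v\n", i+1, ch.ID, ch.Number, err)
	}
}
```

A rate limit on its own only slows the attack down; number matching is what removes the attacker's win condition, because approving a push now requires information only the person at the login screen has. Logging each rate-limit hit is worth doing as well: a user who trips it is a strong signal that their password is already in someone else's hands.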