
How MFA can be hacked

by Sevan Sarkhoshian , Senior Technical Security Advisor

Don’t let MFA lure you into a false sense of security

Multi-factor authentication (MFA) represents a significant improvement over single-factor authentication, adding an extra layer of security that has become standard practice across industries. It’s become so popular that many organizations and individuals believe implementing MFA makes their accounts nearly impenetrable to attackers. After all, even if someone steals your password, they would still need access to your phone or authentication device to gain entry, right?

Unfortunately, this sense of security can be misleading. While MFA does substantially raise the bar for attackers, it is not foolproof and can be bypassed by sophisticated threat actors using the right tools and techniques. As a result, understanding the vulnerabilities inherent in various MFA implementations is crucial for organizations looking to implement truly effective security measures rather than simply checking a compliance box.

Exploiting vulnerabilities in traditional MFA methods

Traditional MFA methods, while certainly better than passwords alone, contain inherent weaknesses that skilled adversaries can exploit. These vulnerabilities exist not necessarily because of poor implementation, but rather due to fundamental limitations in how certain authentication mechanisms function. Let’s examine the most common attack vectors against traditional MFA solutions and how they can be compromised.

SMS-based MFA weaknesses

SMS-based MFA remains one of the most widely adopted forms of multi-factor authentication due to its simplicity and low implementation cost. However, it’s also one of the most vulnerable methods available today.

The primary vulnerability comes in the form of SIM swapping attacks. In these scenarios, attackers use social engineering tactics to convince mobile carriers to transfer a victim’s phone number to a new SIM card controlled by the attacker. Once successful, all SMS messages—including one-time passwords for MFA—are directed to the attacker’s device instead of the legitimate user’s phone. This effectively neutralizes the protection that SMS-based MFA is supposed to provide.

Interception of one-time passwords (OTPs)

Even the more secure MFA methods that use authenticator apps to generate time-based one-time passwords (TOTPs) aren’t immune to attack. Adversary-in-the-middle phishing tools like Evilginx don’t break the code; they get the victim to type it into a page the attacker controls and relay it to the real service within the short window in which it is valid.

We’ll go into more detail below, but Evilginx functions as a reverse proxy between the victim and the legitimate authentication service. When the user enters their MFA code on what appears to be the legitimate login page, Evilginx captures the code, immediately uses it to complete the login with the real service, and receives the session cookie the service issues. 

Other potential weaknesses and attack vectors against MFA

These additional methods exploit various aspects of authentication systems beyond just capturing codes during login attempts. From targeting established sessions to manipulating users through social engineering, these attack vectors demonstrate that MFA vulnerabilities extend beyond the initial authentication process itself.

1. Evilginx

Evilginx deserves special attention as it has emerged as one of the most powerful tools specifically designed to bypass MFA protections. Understanding how it works illustrates the sophisticated nature of modern phishing attacks.

Evilginx is an adversary-in-the-middle phishing framework that enables attackers to bypass security mechanisms, including multi-factor authentication. It acts as a reverse proxy between the victim and the legitimate site, allowing attackers to capture credentials, MFA codes and, most importantly, the session cookie the site issues after a successful login. In other words, Evilginx sits between the victim and the legitimate website, transparently relaying traffic in both directions while recording everything that passes through it.

The attack flow typically follows this pattern:

  1. The victim receives a phishing email containing a link that appears to lead to a legitimate service (like Microsoft 365, Google Workspace, or a corporate VPN).
  2. When clicked, this link takes the user to a convincing replica of the legitimate login page, which is actually controlled by Evilginx.
  3. The victim enters their username and password, which Evilginx captures and simultaneously forwards to the legitimate site.
  4. When the legitimate site prompts for MFA, this request is passed through to the victim, who then enters their second-factor code.
  5. Evilginx intercepts this code and forwards it to the legitimate site in real-time, completing the authentication process.
  6. The attacker now possesses both the credentials and a valid authenticated session, while the victim is typically redirected to the legitimate site and remains unaware that their account has been compromised.

What makes Evilginx particularly effective is that it works against virtually any service that uses cookie-based sessions, which covers most major web platforms, and it is indifferent to which second factor is used: any code the user types or prompt the user approves during the proxied login produces the same session cookie, which the attacker then imports into their own browser. The victim has no obvious indication that their session has been hijacked, as they ultimately end up at the legitimate site they intended to visit.

2. Phishing for session cookies

Even with MFA properly implemented, attackers can bypass repeated authentication requirements by stealing active session cookies. Once a user has successfully authenticated with MFA, many systems create a session cookie that keeps the user logged in for hours or even days.

If an attacker can steal this cookie—using tools like Evilginx or other session hijacking techniques—they can inject it into their own browser and immediately gain access to the victim’s authenticated session without ever needing to provide credentials or complete the MFA process themselves. The cookie stays valid until it expires or the service revokes it, so resetting the password alone does not end the intrusion; revoking active sessions does.
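The following is an added example, not code from the original article or from Evilginx, showing one detection a practitioner can run over web-server or identity-provider session logs for exactly this case: a session cookie that is presented from more than one client fingerprint shortly after it was issued. The log lines, session IDs, IP addresses and user-agent strings are constructed for the example.

```python
import json
from datetime import datetime

# Constructed access records for the example (not real logs); one JSON object per line.
# "s-stolen-2" is used from a second machine two minutes after the MFA step,
# "s-roam-3" changes IP only (a phone moving networks), "s-legit-1" is clean.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:58:00Z","session":"s-legit-1","user":"bob","ip":"203.0.113.20","ua":"Chrome/124 Windows","path":"/mail"}
{"ts":"2024-05-01T10:00:00Z","session":"s-stolen-2","user":"alice","ip":"203.0.113.5","ua":"Chrome/124 Windows","path":"/login/mfa"}
{"ts":"2024-05-01T10:02:30Z","session":"s-stolen-2","user":"alice","ip":"198.51.100.77","ua":"Firefox/125 Linux","path":"/mail"}
{"ts":"2024-05-01T10:03:00Z","session":"s-stolen-2","user":"alice","ip":"198.51.100.77","ua":"Firefox/125 Linux","path":"/settings/forwarding"}
{"ts":"2024-05-01T10:05:00Z","session":"s-roam-3","user":"carol","ip":"192.0.2.10","ua":"Safari/17 iPhone","path":"/mail"}
{"ts":"2024-05-01T10:06:00Z","session":"s-roam-3","user":"carol","ip":"192.0.2.99","ua":"Safari/17 iPhone","path":"/mail"}
{"ts":"2024-05-01T11:00:00Z","session":"s-legit-1","user":"bob","ip":"203.0.113.20","ua":"Chrome/124 Windows","path":"/calendar"}
"""


def parse_log(text):
    """Yield records with the timestamp parsed; blank lines are skipped."""
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            yield rec


def find_suspicious_sessions(log_text, window_seconds=600):
    """Return {session_id: (severity, reason)} for session cookies presented from
    more than one client fingerprint. A user-agent change mid-session is rated
    high (a browser does not change identity within one session); an IP-only
    change inside the window is rated medium because mobile and VPN clients roam."""
    by_session = {}
    for rec in parse_log(log_text):
        by_session.setdefault(rec["session"], []).append(rec)
    findings = {}
    rank = {"medium": 1, "high": 2}
    for sid, events in by_session.items():
        events.sort(key=lambda r: r["ts"])
        for prev, cur in zip(events, events[1:]):
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            if cur["ua"] != prev["ua"]:
                sev, why = "high", f"user-agent changed {prev['ua']!r} -> {cur['ua']!r} after {gap:.0f}s"
            elif cur["ip"] != prev["ip"] and gap <= window_seconds:
                sev, why = "medium", f"ip changed {prev['ip']} -> {cur['ip']} after {gap:.0f}s"
            else:
                continue
            # keep the worst finding per session
            if sid not in findings or rank[sev] > rank[findings[sid][0]]:
                findings[sid] = (sev, why)
    return findings


if __name__ == "__main__":
    for sid, (sev, why) in find_suspicious_sessions(SAMPLE_LOG).items():
        print(f"{sev:6s} {sid}: {why}")
```

Treat this as a signal rather than a control: an attacker who exported cookies with an infostealer usually has the victim’s user-agent string as well and can present it, so the high-severity case above catches the careless replay, not the careful one. It pairs best with short session lifetimes and a fresh authentication prompt on sensitive actions such as changing mail-forwarding rules.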

3. Malware

Sophisticated malware installed on a victim’s device can capture not just keystrokes for passwords but also intercept MFA codes as they’re entered or even extract session tokens directly from the browser’s memory or storage. Some advanced malware can even establish a remote connection that allows attackers to piggyback on a legitimate user’s authenticated session.

4. Social engineering

While the technical aspects of MFA bypass are impressive, it’s important to remember that social engineering remains the critical first step in most attacks. Convincing a victim to click a phishing link or install malicious software typically requires psychological manipulation, whether through urgent security alerts, fake login pages, or impersonation of trusted colleagues.

Mitigating the risk of MFA bypass

Now that we’ve examined the various ways attackers can circumvent traditional MFA, the question becomes: how can organizations protect themselves against these sophisticated tactics? 

While no security measure is completely impervious to attack, several approaches can significantly reduce the effectiveness of MFA bypass attempts. By implementing phishing-resistant authentication technologies and combining them with strong security policies and user education, organizations can build a more resilient defense against even the most determined adversaries. 

Let’s explore some of the most effective strategies for strengthening security beyond basic MFA implementations.

  • Certificate-based authentication binds a digital identity to a private key and certificate installed on a specific device. An attacker then needs control of that device rather than a code or a cookie, provided the private key is stored so that it cannot be exported (for example in a TPM or on a smart card); an exportable key sitting in a file is just another credential for malware to steal.
  • Hardware security keys like YubiKeys implement FIDO2/WebAuthn, in which the browser records the origin it is actually on in the signed response and the authenticator only answers for the relying-party identifier the credential was registered to. A lookalike domain therefore never receives a usable response, even if its page is identical to the real one, so a proxy like Evilginx has nothing to relay.
  • Context-aware access policies that consider device health, geographic location, and network characteristics when granting access are available from most identity providers (Microsoft calls its implementation Conditional Access). Because a proxied login arrives from the attacker’s server rather than the user’s managed device, a policy that requires a compliant device or a known network can deny the session even when the password and MFA code were relayed correctly.
  • User training is essential, as technical controls alone are insufficient. Users must be trained to recognize sophisticated phishing attempts, to check the domain in the address bar before entering credentials or approving a prompt, and to know the procedure for reporting suspicious activity.

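The following is an added example, not the article’s own code or Evilginx’s, that simulates the proxy flow described in the Evilginx section above against an in-memory stand-in for the login service, and shows why a TOTP code relays cleanly while the origin-bound FIDO2/WebAuthn response from a hardware key does not. The domains, user, password and key material are constructed; the authenticator’s signature is modelled with an HMAC over a per-credential secret instead of a real public-key signature, a simplification that does not change the origin check being demonstrated.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time

# Constructed names for the simulation; none of these are real sites.
LEGIT_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example-sso.net"  # lookalike domain served by the proxy
RP_ID = "example.com"                           # WebAuthn relying-party ID


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class RelyingParty:
    """In-memory stand-in for the real login service."""
    def __init__(self):
        self.users, self.sessions = {}, {}

    def register(self, user, password, totp_secret, cred_secret):
        self.users[user] = {"pw": hashlib.sha256(password.encode()).hexdigest(),
                            "totp": totp_secret, "cred": cred_secret}

    def _issue_session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user  # whoever presents this cookie is treated as the user
        return cookie

    def login_totp(self, user, password, code, now):
        rec = self.users.get(user)
        if not rec or hashlib.sha256(password.encode()).hexdigest() != rec["pw"]:
            return None
        if not hmac.compare_digest(code, totp(rec["totp"], now)):
            return None
        return self._issue_session(user)  # nothing ties the code to where it was typed

    def challenge(self):
        return secrets.token_hex(16)

    def login_webauthn(self, user, challenge, client_data, signature):
        rec = self.users.get(user)
        cd = json.loads(client_data)
        # The origin the browser recorded is checked before the signature is trusted.
        if not rec or cd["origin"] != LEGIT_ORIGIN or cd["challenge"] != challenge:
            return None
        expected = hmac.new(rec["cred"], client_data.encode(), hashlib.sha256).digest()
        return self._issue_session(user) if hmac.compare_digest(signature, expected) else None


def browser_assert(cred_secret, challenge, page_origin, enforce_rp_id=True):
    """Browser plus authenticator. The origin comes from the page URL the user is
    on, never from the server; a conforming browser also refuses to use the
    credential at all when that origin is not under RP_ID."""
    host = page_origin.split("://", 1)[1]
    if enforce_rp_id and host != RP_ID and not host.endswith("." + RP_ID):
        return None
    client_data = json.dumps({"challenge": challenge, "origin": page_origin})
    return client_data, hmac.new(cred_secret, client_data.encode(), hashlib.sha256).digest()


class AitMProxy:
    """Evilginx-style relay: whatever the victim submits on the phishing page is
    forwarded to the real service and the returned session cookie is kept."""
    def __init__(self, rp):
        self.rp, self.captured = rp, {}

    def relay_totp(self, user, password, code, now):
        cookie = self.rp.login_totp(user, password, code, now)
        self.captured = {"user": user, "password": password, "code": code, "cookie": cookie}
        return cookie

    def relay_webauthn(self, user, cred_secret, enforce_rp_id=True):
        challenge = self.rp.challenge()  # fetched from the real site, as a proxy would
        # The victim's browser is on PHISH_ORIGIN, so that is the origin it records.
        result = browser_assert(cred_secret, challenge, PHISH_ORIGIN, enforce_rp_id)
        return None if result is None else self.rp.login_webauthn(user, challenge, *result)


def demo():
    rp = RelyingParty()
    totp_secret, cred_secret = secrets.token_bytes(20), secrets.token_bytes(32)
    rp.register("alice", "correct horse", totp_secret, cred_secret)  # constructed user
    proxy, now = AitMProxy(rp), time.time()
    stolen = proxy.relay_totp("alice", "correct horse", totp(totp_secret, now), now)
    chal = rp.challenge()
    legit = rp.login_webauthn("alice", chal, *browser_assert(cred_secret, chal, LEGIT_ORIGIN))
    return {
        "totp_session_replayable": rp.sessions.get(stolen) == "alice",
        "webauthn_legit_ok": legit is not None,
        "webauthn_relayed_strict_browser": proxy.relay_webauthn("alice", cred_secret) is not None,
        "webauthn_relayed_lenient_browser": proxy.relay_webauthn("alice", cred_secret, False) is not None,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The two WebAuthn cases are deliberately separate: with a conforming browser the authenticator never produces a response for the lookalike domain at all, and even a browser that skipped the relying-party check would still record the phishing origin in the signed client data, which the real site rejects. The TOTP path has no equivalent binding, which is the whole reason the relay works.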
While multi-factor authentication significantly improves security posture, it is not an infallible solution. As we’ve seen, determined attackers with the right tools can bypass MFA through various sophisticated techniques.

The most effective approach to authentication security requires multiple layers of protection. This includes implementing phishing-resistant MFA technologies, deploying robust technical controls that can detect and respond to suspicious authentication attempts, and fostering a security-aware culture among users.

As attack techniques continue to evolve, security practitioners must remain vigilant, continuously learning about emerging threats and adapting their defense strategies accordingly. Only through this proactive approach can organizations stay ahead of attackers seeking to compromise their critical systems and data.
