
How Hackers Bypass Multifactor Authentication

by Zac Amos, May 12th, 2023

Too Long; Didn't Read

Multifactor authentication is strong but can still be bypassed. Hackers use phishing, MFA fatigue, SIM jacking, session hijacking, and even brute force to bypass MFA. To protect against these threats, be sure to choose the right kind of MFA, use time-based OTPs, restrict and monitor login attempts, and train against social engineering.

Multifactor authentication (MFA) is one of the most popular and effective cybersecurity measures in use today. However, as strong as these defenses are, they’re not perfect. Hackers can bypass MFA in several ways, so it’s important to recognize these weaknesses to protect against them.

5 Ways Hackers Bypass MFA

Some security experts claim MFA can stop 80%-90% of cyberattacks, but that may make users feel more secure than they really are. Even if that figure’s accurate, 10% leaves much room when considering cybercrime's sheer scale. Here are some ways cybercriminals can get past MFA.

1. Phishing

Unsurprisingly, phishing is one of the most popular ways to get around MFA. As the most successful hacking technique, phishing is a relatively easy and effective way to obtain sensitive information, including the authenticators people use.


Cybercriminals can trick users into giving away their verification emails and other credentials in the same way phishing gets them to reveal passwords. In other cases, hackers set up fake websites or proxy servers that look like legitimate login pages. Users unknowingly show cybercriminals all that information when they enter their details — including their MFA codes.

2. MFA Fatigue

MFA fatigue is another common method. These attacks target MFA systems using push notifications. Criminals will try to log in several times in a short period, bombarding the user with messages asking them to verify the login attempt. Eventually, administrators will accidentally hit the authentication button or allow it out of frustration.


People make mistakes and get frustrated easily, so if cybercriminals send enough requests in a short enough time frame, they’ll likely succeed. This combination of simplicity and effectiveness is why Microsoft saw more than 40,000 MFA fatigue attacks in August 2022.

3. SIM Jacking or Swapping

Many MFA systems use SMS verification, and hackers can bypass MFA by accessing the user’s mobile device. There are two main methods for this: SIM jacking and SIM swapping.


In SIM jacking, cybercriminals install spyware on a target’s phone, often delivering it through a malicious text message. They can then watch the user punch in their MFA details when they log into an account. SIM swapping involves contacting the target’s mobile provider, impersonating the user and getting the provider to send a new SIM card, which the hackers can use to receive SMS verification messages.

4. Session Hijacking

Session hijacking is a less common but still effective technique. In these attacks, cybercriminals intercept a user’s internet activity through a man-in-the-middle attack. Once they’ve taken advantage of an unsecured connection, they can steal the session cookies.


Session cookies temporarily store activity — including any MFA credentials people enter — as long as the user is logged in. Once they close the browser, these cookies automatically erase themselves, but if hackers intercept them before the session ends, that doesn’t matter. The criminals will get all the information they need.

5. Brute Force

Hackers can also brute force their way through some MFA systems. MFA makes most of these attacks less effective because even if a cybercriminal cracks a user’s password, they’d need another verification step to get in. However, they can also brute force the verification code.


Some MFA systems send users a four-digit PIN to verify their identity. Today’s password-cracking tools can break a four-digit code instantly, even if it uses a combination of numbers and letters. Consequently, if an MFA system relies on one-time passwords (OTPs), especially short ones, it’s vulnerable to brute forcing.

How to Protect Against These Threats

Thankfully, there are ways to make MFA systems stronger. Once businesses know how hackers can bypass MFA solutions, they can take steps to protect against these attacks.

Use the Right Kind of MFA

One of the most important steps is to use a stronger verification method. SIM-based OTPs and push notifications are vulnerable to SIM jacking and MFA fatigue, so they’re not ideal. Biometrics, location-based verification and techniques that combine several factors are more secure.


Hardware-based MFA is one of the most secure options. These systems use a combination of PINs and a physical device that plugs into a USB port, and users need both the PIN and the card to verify their identity. It’s doubtful that a hacker could access both, so this strategy is ideal for sensitive applications.

Use Time-Based OTPs

It’s also a good idea to put time limits on OTPs. Some MFA systems only accept OTPs within 30 to 90 seconds, and any attempts after that need a new code. Using time restrictions like this leaves hackers with a much smaller window to perform brute-force attacks or use information gained through phishing.


Remember that time-based OTPs still aren’t perfect. Hackers who are quick enough can work around them. However, they make it much harder, so it’s best to enable these restrictions if available.
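A server-side check along these lines, as an added example that is not from the original article: an RFC 6238 verifier that accepts a code only inside a narrow time window and refuses a code that was already used. The key is the RFC's published test key, and the function names and the one-step drift window are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # lifetime of one code; the article cites 30 to 90 seconds


def totp(secret: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) for one time step."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, code, now, last_used_step, window=1):
    """Return the matched time step, or None when the code must be refused.

    window: steps of clock drift tolerated on each side (assumed value).
    last_used_step: newest step already accepted for this user; a code from
    that step or an earlier one is refused, so a captured code cannot be reused.
    """
    current = int(now // STEP_SECONDS)
    matched = None
    for step in range(current - window, current + window + 1):
        expected = totp(secret, step).encode()
        # constant-time comparison; keep looping so timing does not vary
        if hmac.compare_digest(expected, code.encode()) and step > last_used_step:
            matched = step
    return matched


if __name__ == "__main__":
    secret = b"12345678901234567890"         # RFC 6238 test key, not a real secret
    code = totp(secret, 59 // STEP_SECONDS)  # what the user's app shows at t=59
    first = verify(secret, code, now=59, last_used_step=-1)
    print("accepted at step", first)
    print("replayed:", verify(secret, code, now=60, last_used_step=first))
    print("two minutes later:", verify(secret, code, now=179, last_used_step=-1))
```

The caller stores the returned step as the user's new last_used_step after each successful login.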

Restrict and Monitor Login Attempts

Businesses can restrict MFA attempts in other ways, too. Some use location data to check if users are in a place where they normally access their accounts, like their home or work. Anything outside of these regular locations triggers further verification steps.


Users should also have a limited number of login attempts. Only letting people try two or three times before locking the account will prevent brute-force and MFA fatigue attacks. Organizations should monitor these attempts to find suspicious activity and send alerts if necessary.
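The attempt limit and monitoring described above, as an added example that is not part of the original article: a monitor that locks an account after three wrong codes or a burst of push prompts and records an alert each time. The event format, the push thresholds and all names are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque

MAX_FAILED_CODES = 3  # the article suggests two or three tries before locking
PUSH_LIMIT = 5        # assumed: prompts per window that count as a flood
PUSH_WINDOW = 300     # assumed: sliding window in seconds

class MfaMonitor:
    def __init__(self):
        self.failed = defaultdict(int)    # consecutive wrong codes per user
        self.pushes = defaultdict(deque)  # recent push-prompt timestamps
        self.locked, self.alerts = set(), []

    def _lock(self, ts, user, reason):
        self.locked.add(user)
        self.alerts.append((ts, user, reason))  # hand off to alerting here
        return "locked"

    def handle(self, ts, user, kind, result):
        """Process one MFA event and return 'ok' or 'locked'."""
        if user in self.locked:
            return "locked"  # refused even if the code or approval was valid
        if kind == "otp":
            self.failed[user] = 0 if result == "success" else self.failed[user] + 1
            if self.failed[user] >= MAX_FAILED_CODES:
                return self._lock(ts, user, "otp-lockout")
        elif kind == "push":
            recent = self.pushes[user]
            recent.append(ts)
            while ts - recent[0] > PUSH_WINDOW:  # drop prompts outside the window
                recent.popleft()
            if len(recent) >= PUSH_LIMIT:
                return self._lock(ts, user, "push-flood")
        return "ok"

def replay(events):  # fresh monitor per run; returns it and each outcome
    mon = MfaMonitor()
    return mon, [mon.handle(*e) for e in events]

EVENTS = (  # constructed sample events: (unix_ts, user, kind, result)
    [(1000, "alice", "otp", "fail"), (1005, "alice", "otp", "success")]
    + [(2000 + 2 * i, "bob", "otp", "fail") for i in range(3)]
    + [(2006, "bob", "otp", "success")]      # right guess, but after lockout
    + [(3000 + 10 * i, "carol", "push", "denied") for i in range(5)]
    + [(3050, "carol", "push", "approved")]  # fatigue approval, refused
)

if __name__ == "__main__":
    monitor, outcomes = replay(EVENTS)
    print(outcomes, monitor.alerts, sep="\n")
```

Because anyone who knows a username can trigger the lockout on purpose, the alert matters as much as the lock: it tells the account owner and the security team why the account was locked.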

Train Against Social Engineering

Anti-phishing training is another important step in preventing MFA bypasses. A whopping 82% of data breaches result from human error, so social engineering is one of the biggest threats to MFA. However, if employees can spot these attempts, they’re not as threatening.


All workers should receive thorough and regular training on phishing techniques and how to spot them. The more aware insiders are, the less likely they will fall for these attacks.

Multifactor Authentication Is Important but Incomplete

MFA is a crucial security step, especially considering how common poor password management is. However, it’s not sufficient by itself.


Hackers can still get around MFA, so businesses must consider improving their other access controls to minimize the chances of a breach. These steps will bolster MFA’s protection, ensuring only verified insiders can access sensitive information.