You are on the Cert-IST public site
Attacks on MFA

Date :September 08, 2022

As the use of MFA (Multi-Factors Authentification) becomes more widespread to strengthen access security, attackers are also making progress in this area and develop attacks against some of these MFA systems. In the summer of 2022, two attacks were reported:

  • OKTA users were targeted by a large phishing campaign (via SMS inviting them to log into their OKTA account) that affected sites such as Twilio, Cloudflare, Klaviyo MailChimp and Doordash. We have written an article on this subject.
  • An Uber employee was targeted by an attack called "MFA fatigue": his phone was flooded with MFA notification messages and he ended up accepting one of them, which granted access for the hacker.

We published an article in 2018 about "SIM swap" attacks that targeted MFA via SMS at that time. Today, here is a more comprehensive list of known attack techniques against MFA systems.


The different MFA techniques:

Here are the 4 MFA techniques currently in use.

1: MFA with SMS: A secret code is sent by text message (aka SMS) to user’s phone when he/she connects.

2: MFA with an "Authenticator" application: A secret code is generated every 30 seconds by an application installed on the user's phone. These applications (such as Google Authenticator, Authy, Duo or Microsoft Authenticator) use a T-OTP algorithm to generate this secret code.

3: MFA with "Push notification": A popup window appears on the user's phone when he/she connects to the site. The user must confirm via this popup that he/she authorises this access.

4: MFA with a FIDO2 key: A cryptographic algorithm is used to perform authentication following the FIDO2 protocol. This type of algorithm is implemented for example by Ubikey hardware keys.

Whatever the MFA technique used, to avoid asking for full authentication at each connection, an authentication cookie mechanism is often also implemented: if the user has a valid (not expired) cookie, he is logged-in without any further authentication (and there is therefore no MFA): this is the "remember me" function which is present on many sites.


Known attacks

Following are the known attacks techniques.

SIM swap (targets MFA 1): The attacker impersonate the victim and calls the victim's phone operator to get a new SIM card. With this SIM, the attacker now receives the SMS messages sent by the MFA system. The attack is rather complex (the operator has to be convinced) and is used for high-value targets, for example to steal the victim's crypto-currency wallet.

MFA phishing (targets MFA 1 and 2): The attacker lures the victim to a fake site that will relay to the real site, the data exchanged during the connection, including the MFA code. This is a MiTM (Man in the Middle) attack. It works for SMS or Authenticator MFAs. There are tools to implement this attack (such as the paid service EvilProxy, or the open-source project evilgophish).

Authentication cookie theft (targets MFA 1, 2, 3 and 4): If a malware (such as an InfoStealer) has infected the victim's computer, then it can steal the authentication cookies and if they have not expired, log in without authentication (and therefore without MFA). This type of attack seems to be gaining in popularity since the beginning of 2022, probably due to illegal BotShop services like Genesis (discussed in our May 2022 article) that sell the data stolen by InfoStealers.

MFA fatigue (targets MFA 3): This is the most recently documented attack technique, which we describe at the beginning of this article for the attack against Uber. It is likely to become quickly obsolete as push notification popups are improved (e.g. by including a user-activated "Mute" function that blocks these popups for a set period of time, such as half an hour).



Despite being under attack, MFA mechanisms are still an important advance in authentication security and efforts to deploy them should continue. For hackers, they have become a common pitfall they have to deal with when attacking well-defended targets. It is therefore logical to see bypass attempts and attacks against MFAs.


For more information