Close Menu
    Facebook LinkedIn YouTube Instagram X (Twitter)
    Blue Tech Wave Media
    Facebook LinkedIn YouTube Instagram X (Twitter)
    • Home
    • Leadership Alliance
    • Exclusives
    • Internet Governance
      • Regulation
      • Governance Bodies
      • Emerging Tech
    • IT Infrastructure
      • Networking
      • Cloud
      • Data Centres
    • Company Stories
      • Profiles
      • Startups
      • Tech Titans
      • Partner Content
    • Others
      • Fintech
        • Blockchain
        • Payments
        • Regulation
      • Tech Trends
        • AI
        • AR/VR
        • IoT
      • Video / Podcast
    Blue Tech Wave Media
    Home » Can multi-factor authentication be hacked?
    multi-factor authentication
    multi-factor authentication
    Cloud

    Can multi-factor authentication be hacked?

    By Fiona HuangMay 7, 2024No Comments5 Mins Read
    Share
    Facebook Twitter LinkedIn Pinterest Email
    • Like bitcoin ETFs, Ethereum ETFs offer investors a convenient means of gaining access to a cryptocurrency without having to hold the digital asset directly.
    • Multi-factor authentication can be hacked through four ways: social engineering, spoofed landing page, session hijacking, and SIM swap.
    • You could protect your business from MFA by setting up your MFA with robust policies and using hardware keys.

    Multi-factor authentication (MFA) is the process of a user or device providing two or more different types of proofs of control associated with a specific digital identity, to gain access to the associated permissions, rights, privileges, and memberships. Two-factor authentication (2FA) implies that exactly two proofs are required for a successful authentication, and is a subset of MFA.  

    Understanding how MFA works requires a broader understanding of the concept of authentication. In an identity access management (IAM) framework, authentication factors are security mechanisms used to prove a user is who they claim to be before they’re allowed access to privileged information.

    There are three types of authentication factors:  knowledge factors, possession factors, and inherence factors.

    MFA requires users to prove at least two of these factors to verify their identity.

    How hackers can bypass multi-factor authentication?

    Social engineering

    Social engineering involves tricking a victim into revealing privileged information that can be leveraged in a cyber attack. This attack method is most commonly used when the attacker has already compromised a victim’s username and password and needs to bypass additional authentication factors.

    In this instance, an attacker will pose as “someone from IT” or another trusted user. They will then use this position of trust to manipulate users into sharing important account details. Once the user has given over their details, the attacker can access their account and your corporate network. They might even change that user’s password, meaning that they lose access to the account. 

    These attackers might warn a user that their account has already been hacked, or is at risk of being hacked if they don’t share their details with the “trusted user” who can act to prevent this. Ironically, this leads users to give the hacker everything they need to bypass their MFA and infiltrate their corporate network.

    Spoofed landing page

    A spoofed landing page is a fraudulent site that is designed to look like a reputable, trusted site that you already know and use. It could be LinkedIn, Facebook, Gmail, or another popular site. When you attempt to log in on this site, your access will be denied, and your account details will be stored by the malicious actors. The malicious actor can then use the details that you have provided to bypass the MFA security on the genuine website or account.

    Also read: AI: The opportunities and the threats

    Session hijacking 

    Session hijacking (or cookie stealing) occurs when a cybercriminal compromises a user’s login session through a man-in-the-middle attack. Session cookies play an important role in UX on web services.

    When a user logs into an online account, the session cookie contains the user’s authentication credentials and tracks their session activity. The cookie remains active until the user ends the session by logging out.

    Session hijacking is possible when a web server doesn’t flag session cookies as secure. If users don’t send cookies back to the server over HTTPS, attackers can steal the cookie and hijack the session, bypassing MFA.

    SIM swap

    One-time passcodes (OTPs) are a common way of verifying identity by MFA solutions. This is usually a six- or eight-digit code sent to you via SMS. By entering the code, you verify that you have the cell phone that is linked to the named user, which suggests that your identity is authentic. 

    Hackers can, however, contact your mobile provider and convince them to perform a SIM swap. This will result in the messages intended for the user, being redirected to the hacker. They can then access your account using the verification code that was intended for you. It takes a degree of social engineering to persuade the mobile carrier to change the SIM; the hackers will also have to know the rest of your account details before attempting this method. They could obtain these details on the dark web, using a database of credentials harvested during a previous data breach, or by using a spoofed landing page.

    Also read: What is Perplexity AI?

    How can you protect your business from MFA hacking?

    MFA set up

    By setting up your MFA with robust policies, you can increase the strength of protection guarding your users’ accounts. Biometric factors – like fingerprint sensors, faceID, and typing analysis – are the hardest factors to impersonate and will therefore make it much harder for hackers to infiltrate your accounts. Incorporating contextual and behavioural analysis can also help to prevent unwanted intrusion. This logs factors such as a user’s usual location and login times. Any logins that do not fit with the pattern of expected behaviour will be flagged as suspicious and stopped. 

    Hardware authentication keys

    Hardware keys, particularly ones that utilise FIDO 2 principles, are some of the most secure identification methods. It is very difficult for a hacker to gain access to the information, and the physical hardware that is required for this type of attack. Hardware keys are often designed to be tamper-proof to ensure your account is kept safe. FIDO 2 is a passwordless standard that is easy to use, and very secure. It uses public-key cryptography, which makes it virtually impossible for a hacker to find a way to access your account.

    You may be wondering why MFA is even necessary after reading this article considering how easily it can be compromised. It is accurate to say that no cybersecurity solution can ensure complete impenetrability. Hackers are always looking for openings in systems and methods to gain access to private information. On the other hand, an account with MFA will be far more difficult to hack than one without.

    hacker multi-factor authentication
    Fiona Huang

    Fiona Huang, an intern reporter at BTW media dedicated in Fintech. She graduated from University of Southampton. Send tips to f.huang@btw.media.

    Related Posts

    Ericsson returns to profit as licensing savings lift margins

    July 16, 2025

    UK mobile boost could unlock $299B

    July 16, 2025

    Vodafone launches ‘Fix & Go’ in-store repair service

    July 16, 2025
    Add A Comment
    Leave A Reply Cancel Reply

    CATEGORIES
    Archives
    • July 2025
    • June 2025
    • May 2025
    • April 2025
    • March 2025
    • February 2025
    • January 2025
    • December 2024
    • November 2024
    • October 2024
    • September 2024
    • August 2024
    • July 2024
    • June 2024
    • May 2024
    • April 2024
    • March 2024
    • February 2024
    • January 2024
    • December 2023
    • November 2023
    • October 2023
    • September 2023
    • August 2023
    • July 2023

    Blue Tech Wave (BTW.Media) is a future-facing tech media brand delivering sharp insights, trendspotting, and bold storytelling across digital, social, and video. We translate complexity into clarity—so you’re always ahead of the curve.

    BTW
    • About BTW
    • Contact Us
    • Join Our Team
    TERMS
    • Privacy Policy
    • Cookie Policy
    • Terms of Use
    Facebook X (Twitter) Instagram YouTube LinkedIn

    Type above and press Enter to search. Press Esc to cancel.