Multi-factor authentication suffers from three major weaknesses

A padlock resting on a keyboard.

“Multi-Factor Authentication stops 99% of all attacks.” It’s a phrase we hear a lot.

However, while MFA has become the go-to cybersecurity solution deployed by businesses globally, we must recognize that not all MFA solutions are created equal. Many are as easy to hack with social engineering and phishing as traditional passwords. So, the claim that almost all attacks can be repelled by MFA is an oversimplification at best and insincere at worst.

This raises an important question: if so many MFA solutions are ineffective at fending off commonplace cyber threats (such as phishing attacks, which account for more than 80% of cyber-attacks), why do businesses still rely upon them?

One plausible answer is that business software packages – think Google Workspace or Microsoft 365 – come with in-built two-factor authentication. Businesses may, therefore, think that investing in another solution is an unnecessary additional expense.

Another factor is that many cyber insurers now demand that organizations adopt MFA in the underwriting stage of the insurance process. It could be the case, then, that IT decision-makers treat MFA as a check-the-box exercise in order to comply with insurers’ requirements. And they do so without carefully considering the difference between good MFA and bad MFA.

Whatever the reason, it is clear that many organizations are adopting MFA without scrutinizing the effectiveness of their chosen solution and which attacks it actually prevents.

So, it is important we take a step back and understand some of the inherent weaknesses of your typical MFA solution.

1. Second-factor authenticators are still vulnerable to attack

The basis of most MFA solutions is that, even if someone manages to get hold of a user’s password, they still need to bypass the second piece of the puzzle – such as an SMS code, One Time Password (OTP) or approving a push notification – in order to access the account.

At face value, this seems quite secure. However, the very nature of these second layers of authentication can do more harm than good, paradoxically providing hackers with further opportunities for attack. It’s a double-edged sword that many businesses fail to fully grasp when choosing their security solutions.

Indeed, OTPs can be captured by real-time (‘on the fly’) phishing attacks that put a business’s sensitive information at risk; SMS authenticators are prone to ‘smishing’; and many criminals can now hijack authentication notifications directly at the source. Meanwhile, hackers exploit the ‘human element’ to defeat push notifications through prompt bombing, sending approval requests over and over until a worn-down user accepts one.

The apparent protection of these additional layers could therefore be blinding decision-makers to dangerous inherent vulnerabilities, which is why tech and cyber decision-makers need to re-evaluate the true efficacy of these widely adopted security measures.

2. All MFA, including passkeys, can be bypassed

The main issue here – and it’s pretty mind-boggling – is that all MFA solutions can be circumvented by hackers to gain access without needing to provide any authentication factors. There are two main causes: session cookies and centralization.

A session cookie is a piece of information that the browser stores on the user’s device after authentication. It lets the user access the required resource without re-authenticating on every interaction with the service provider. Consequently, anyone who obtains the session cookie can use the account without ever being asked to authenticate.

Hackers use this in what is known as an Adversary-in-the-Middle (AiTM) attack, capturing the authenticated session cookie at the moment the user authenticates. With that cookie, the attacker can access the user’s account without needing the password or any second factor, rendering the MFA solution useless. A recent example is the Okta breach, where session cookies were stolen from Okta’s customer support management system to compromise many of their customers, including 1Password and Cloudflare.
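The following is an added example, not code from the article or from any vendor it mentions. It contrasts the classic design, in which the cookie value alone is the credential, with a session that is bound to a key held only on the user’s device, so that a cookie captured by an AiTM proxy is useless on its own and its use shows up as an alert. The store classes, the `device_proof` helper and the shared-key HMAC scheme are assumptions made for the example (production device-bound sessions use a public key in hardware); the user name and keys are constructed.

```python
import hashlib
import hmac
import secrets


class BareSessionStore:
    """Classic design: the cookie value alone identifies the user, so it is a
    bearer credential and anyone holding it is treated as authenticated."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid  # this value becomes the session cookie

    def resolve(self, sid):
        return self._sessions.get(sid)


class BoundSessionStore:
    """Hardened design (assumed scheme for this example): at login the session is
    tied to a key held only by the user's device, and every request must carry a
    fresh proof made with that key. A stolen cookie without the key is worthless."""

    def __init__(self):
        self._sessions = {}
        self.alerts = []  # what a SOC wants to see: cookie use without device proof

    def login(self, user, device_key):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "key": device_key,
                               "challenge": secrets.token_bytes(16)}
        return sid

    def challenge(self, sid):
        s = self._sessions.get(sid)
        return s["challenge"] if s else None

    def resolve(self, sid, proof):
        s = self._sessions.get(sid)
        if s is None:
            return None
        expected = hmac.new(s["key"], sid.encode() + s["challenge"], hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, proof)
        s["challenge"] = secrets.token_bytes(16)  # rotate: a captured proof cannot be replayed
        if not ok:
            self.alerts.append(f"session {sid[:8]}... presented without a valid device proof")
            return None
        return s["user"]


def device_proof(device_key, sid, challenge):
    """Client side: computed on the device; device_key never leaves it."""
    return hmac.new(device_key, sid.encode() + challenge, hashlib.sha256).digest()


def demo():
    """Constructed scenario: both cookie values have been captured (the situation
    the article describes) but the device key has not."""
    bare, bound = BareSessionStore(), BoundSessionStore()
    sid_bare = bare.login("barry")
    device_key = secrets.token_bytes(32)  # constructed; would live in a TPM / secure enclave
    sid_bound = bound.login("barry", device_key)

    # Legitimate request from the real device.
    legit_proof = device_proof(device_key, sid_bound, bound.challenge(sid_bound))
    legit = bound.resolve(sid_bound, legit_proof)

    # The captured cookies presented from elsewhere. The bare store accepts the
    # cookie; the bound store rejects a proof made with a different key and also
    # a re-used old proof, logging an alert each time.
    bare_replay = bare.resolve(sid_bare)
    wrong_key = secrets.token_bytes(32)
    bound_replay = bound.resolve(sid_bound, device_proof(wrong_key, sid_bound, bound.challenge(sid_bound)))
    proof_replay = bound.resolve(sid_bound, legit_proof)

    return {"legit": legit, "bare_replay": bare_replay,
            "bound_replay": bound_replay, "proof_replay": proof_replay,
            "alerts": len(bound.alerts)}


if __name__ == "__main__":
    print(demo())
```

The detection side is as important as the rejection: each failed proof is recorded, so a cookie being used without its device is visible to monitoring rather than silently succeeding as it does in the bare design.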

These attacks can be prevented with the use of phish-resistant MFA such as a passkey. But the plot thickens…
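To show why a passkey resists the phishing step that an AiTM proxy depends on, here is an added example of the relying-party checks from the W3C WebAuthn assertion ceremony that bind a response to the site the browser was really on. This is illustration code written for this page, not the article’s or any library’s code; `example.com` and the look-alike domain are constructed, and signature verification over the assertion is left out because it needs a crypto library (that omission is an assumption of the example).

```python
import base64
import hashlib
import json
import secrets
import struct

RP_ID = "example.com"                      # constructed relying-party id
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_assertion(expected_challenge, client_data_json, authenticator_data,
                     rp_id=RP_ID, allowed_origins=ALLOWED_ORIGINS):
    """Relying-party checks that give passkeys their phishing resistance.
    Returns (ok, reason). The browser writes the origin into clientDataJSON
    itself, and the authenticator hashes the rpId it scoped the credential to
    into authenticatorData; neither can be supplied by a phishing page."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replayed or cross-session response)"
    if cd.get("origin") not in allowed_origins:
        return False, f"origin {cd.get('origin')!r} is not an allowed origin"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user presence flag not set"
    # Remaining step (assumed out of scope here): verify the signature over
    # authenticatorData || sha256(clientDataJSON) with the stored public key.
    return True, "ok"


def make_client_data(origin, challenge):
    """Constructed clientDataJSON as a browser would produce it."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False})


def make_auth_data(rp_id, user_present=True, sign_count=1):
    """Constructed authenticatorData: rpIdHash || flags || signCount."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def demo():
    challenge = secrets.token_bytes(32)
    # Genuine browser on the real site.
    ok, _ = verify_assertion(challenge, make_client_data("https://example.com", challenge),
                             make_auth_data("example.com"))
    # Same user and challenge, but the page was served from a look-alike domain
    # (constructed). The browser records the origin it is actually on, so the
    # response fails whichever binding check the relying party reaches first.
    phished, why = verify_assertion(challenge, make_client_data("https://examp1e.com", challenge),
                                    make_auth_data("examp1e.com"))
    return ok, phished, why


if __name__ == "__main__":
    print(demo())
```

The point for defenders is that these checks are done by the relying party, not the user: there is no code to type into the wrong page, so the ‘on the fly’ relay that defeats OTPs has nothing to relay.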

Passkeys are designed to synchronize across all of a user’s devices so that the user can log in from any of them. However, they are still vulnerable because of their reliance on centralization.

Although passkeys rely on public key cryptography, their dependence on the platform’s security (the security provided by Google, Apple, Microsoft and so forth) means that a business’s security is only as strong as a user’s Google or Apple account credentials. Almost all of those accounts depend on a password and a vulnerable second-factor authenticator, so they can be phished or circumvented using AiTM. As a result, passkeys can also be bypassed and cannot provide meaningful security to businesses.

To adapt the old cliché, a cybersecurity solution is only as strong as its weakest link. User credentials are often that weak link.

3. Some MFA solutions are phish-resistant, but not phish-proof

To date, the highest level of security has typically come from “phish-resistant” MFA. Some MFA solutions can accurately claim to be ‘phish-resistant’, but they are not ‘phish-proof’ because they still rely on phishable factors at some point in their implementation or recovery lifecycle.

This is a critical shortcoming of many MFA solutions and a particularly pertinent issue in the UK. Research has found that 83% of British organizations experienced a phishing attack last year, which reportedly cost an average loss of £245,000 per business per attack.

In practice, this weakness means that a user’s account may be secure once the solution has been rolled out, but the processes around it – adding a new user, adding a new device to an account, or recovering an account when the registered device is lost or damaged – can be exploited using phishing techniques.

For instance, let’s say that ‘Barry from accounts’ no longer has the device he registered his passkey on, or has lost his FIDO2 security key. Phish-resistant MFA falls back to phishable factors such as SMS, OTP or push notifications to let Barry recover his account.

Or Barry does not realize that those same phishable factors – SMS, OTP, push or a password – have been used by someone else to add another FIDO2 security key to his account.

More must be done to raise awareness of the difference between phish-resistant and phish-proof. Precious few MFA solutions can truly claim to be phish-proof. Truly phish-proof MFA solutions are able to eliminate breaches like AiTM because they secure the entire user identity lifecycle: registration, identity proofing, authenticator establishment, authentication, recovery identification and account termination are all immune to even sophisticated phishing attacks.

This means attackers cannot bypass authentication, intercept access credentials or trick users into revealing them, because phishable credentials simply do not exist anywhere in that solution’s authentication lifecycle. What’s more, phish-proof solutions ensure that the chain of trust established at the user identity proofing stage is transitive, so it cannot be broken and is provable at every stage of the identity lifecycle.
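The weakest-link argument above (Barry’s recovery path, someone adding a second security key through SMS, and the transitive chain of trust) can be checked mechanically. The following is an added example, not the article’s or any vendor’s code: it models each lifecycle stage as a set of alternative factor combinations, lets a factor inherit the weakness of any stage through which it can be (re)enrolled, and reports the effective assurance of each stage. The stage names, the two-level phishable/phish-resistant classification and both sample policies are constructed assumptions following the article’s own grouping.

```python
PHISHABLE, RESISTANT = 0, 1
NAME = {PHISHABLE: "phishable", RESISTANT: "phish-resistant"}

# Intrinsic strength of each factor at the moment it is used (constructed
# classification following the article's grouping).
INTRINSIC = {
    "password": PHISHABLE, "sms_otp": PHISHABLE, "totp": PHISHABLE, "push": PHISHABLE,
    "fido2": RESISTANT, "id_proofing": RESISTANT,
}


def path_level(path, level):
    # Every factor in a path is required, so an attacker must beat the strongest one.
    return max(level[f] for f in path)


def stage_level(alternatives, level):
    # Any alternative completes the stage, so an attacker picks the weakest one.
    return min(path_level(p, level) for p in alternatives)


def analyse(policy, enrol_via, intrinsic=INTRINSIC):
    """policy: stage -> list of alternative factor sets that complete it.
    enrol_via: factor -> stages through which that factor can be (re)enrolled.
    A factor is only as trustworthy as the weakest stage that can enrol it, and
    stages depend on factors, so iterate until nothing changes (transitive trust)."""
    level = dict(intrinsic)
    while True:
        stages = {s: stage_level(alts, level) for s, alts in policy.items()}
        changed = False
        for factor, via in enrol_via.items():
            inherited = min([level[factor]] + [stages[s] for s in via])
            if inherited != level[factor]:
                level[factor] = inherited
                changed = True
        if not changed:
            return stages, level


def report(policy, enrol_via):
    stages, level = analyse(policy, enrol_via)
    weak = [s for s, lv in stages.items() if lv == PHISHABLE]
    return {"stages": {s: NAME[lv] for s, lv in stages.items()},
            "effective_fido2": NAME[level["fido2"]],
            "phishable_stages": weak}


# Constructed policy 1: phish-resistant login, but SMS fallback for recovery and
# for adding a new authenticator (Barry's situation in the article).
FALLBACK_POLICY = {
    "registration": [{"id_proofing"}],
    "authentication": [{"fido2"}],
    "add_authenticator": [{"fido2"}, {"password", "sms_otp"}],
    "recovery": [{"password", "sms_otp"}],
}

# Constructed policy 2: every stage, including recovery, re-anchors on identity
# proofing or an existing phish-resistant authenticator.
PHISH_PROOF_POLICY = {
    "registration": [{"id_proofing"}],
    "authentication": [{"fido2"}],
    "add_authenticator": [{"fido2"}],
    "recovery": [{"id_proofing"}],
}

# A FIDO2 key can be enrolled at registration, when adding an authenticator,
# or after account recovery.
ENROL_VIA = {"fido2": ["registration", "add_authenticator", "recovery"]}


if __name__ == "__main__":
    for name, pol in (("fallback", FALLBACK_POLICY), ("phish-proof", PHISH_PROOF_POLICY)):
        print(name, report(pol, ENROL_VIA))
```

With the fallback policy the authentication stage itself is reported as phishable even though it only accepts FIDO2, because the key that satisfies it can be planted through the SMS-guarded add-authenticator or recovery stage; the phish-proof policy keeps every stage at the resistant level. The same loop is a useful review tool when reading a vendor’s lifecycle documentation.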

The next generation of MFA

This may seem like a scathing attack on MFA. Fortunately, though, as noted at the start, not all MFA is created equal. Better solutions are out there.

The next generation of MFA solutions addresses the weaknesses outlined above. They do this by eliminating the vulnerabilities and phishable factors that leave businesses’ IT systems open to attack.

The key innovation of this new wave of technology is that it moves beyond reliance on passwords. Instead, these solutions embrace cutting-edge Zero Trust Architecture (ZTA) technology rooted in principles such as transitive trust, identity proofing and adoption of the W3C Web Authentication (WebAuthn) standard, which tackle the core issues behind data breaches and remove the threat of human error.

By implementing technology from this new wave of MFA, businesses can make their cyber security systems immune to both external and internal threats and guarantee robust authentication through the entire identity lifecycle.

It’s time to recognize that basic MFA solutions that rely on OTPs, push notifications and QR codes are relics of the past. They suffer from the same inherent flaw that has plagued password-based security for decades: they cannot prevent all credential phishing and password-based attacks. Slowly but surely, the industry is recognizing that zero trust paves the way to a more secure and efficient future.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.