Hard2bit
Identity and access management

Multi-factor authentication (MFA)

What is multi-factor authentication

Multi-factor authentication (MFA) is a security control that requires users to provide two or more independent verification factors before being granted access. Factors fall into four categories: something you know (password, PIN), something you have (hardware token, smartphone), something you are (biometric fingerprint, facial recognition), or somewhere you are (location-based). MFA significantly reduces the impact of credential theft because an attacker who holds a password still needs the other factor to gain access.

Why it matters

Passwords alone are insufficient—they are reused, weak, stolen in breaches, and vulnerable to phishing. MFA is the single most effective control against credential-based attacks. According to Microsoft, MFA blocks 99.9% of account compromise attacks. For CISOs, mandatory MFA on critical systems (email, VPN, cloud applications, administrative access) is non-negotiable. MFA reduces the impact of phishing: a user who enters their password into a phishing page will not grant access to their actual account because the attacker still lacks the second factor. However, modern attacks target MFA itself through real-time phishing proxies (which relay authentication requests in real time) and social engineering to convince users to approve MFA prompts. Effective MFA implementation requires choosing strong factors (hardware tokens and biometrics are stronger than SMS), enforcing MFA universally (not just for high-risk users), and combining MFA with other controls like conditional access policies and anomaly detection.

Key points

  • Something you know (password, PIN) is the weakest factor because passwords are reused, guessed, or stolen; combining it with other factors is essential
  • Something you have (hardware tokens, smartphone) is stronger because theft requires physical access; smart cards and hardware keys (FIDO2) are more secure than SMS or software apps
  • Biometric factors (fingerprint, facial recognition) are difficult to phish but require devices with biometric hardware; they work well for mobile authentication but not for remote access
  • Time-based one-time passwords (TOTP) from authenticator apps resist the SIM swapping and interception that SMS-based OTP is vulnerable to, but a real-time phishing proxy can still relay a freshly entered TOTP code
  • Real-time phishing proxies can relay MFA prompts to legitimate authenticators, bypassing MFA by tricking users; the attacker then replays the captured session tokens to access the account

MFA protecting against credential theft

A user receives a phishing email claiming to be from their email provider. The email asks them to verify their account and includes a link to a credential harvesting page. The user enters their username and password, and the attacker captures the credentials. Without MFA, the attacker logs in immediately. With MFA, the login attempt triggers an MFA challenge on the user's phone (push notification or TOTP code). The user does not approve the push notification or provide the code to the attacker. The login fails. The attacker's stolen credentials are useless without the second factor.

In another scenario, an attacker uses a credential-stealing phishing proxy that relays authentication in real time. The user enters their password; the proxy forwards it to the real server. The server sends an MFA challenge to the user's phone. The user, seeing a legitimate push notification, approves it. The attacker's proxy intercepts the session token and gains access. This highlights why MFA choice matters: push notifications are vulnerable to user confusion and time-based attacks; hardware keys that verify the website domain are stronger.

Common mistakes

  • Implementing weak MFA factors: SMS OTP is vulnerable to SIM swapping and interception; TOTP authenticator apps and hardware keys are more secure
  • Allowing MFA bypass for convenience: some organizations disable MFA for certain access paths (internal networks) or users (administrators), eliminating its benefits
  • Not combining MFA with conditional access: MFA is most effective when combined with policies that require additional authentication for risky access (unusual locations, impossible travel, unusual times)
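The impossible-travel condition named in the last point is easy to evaluate from login telemetry. The following added example (written for this page; not the glossary's own code or any identity provider's API) scores each login against the previous one for the same user with the haversine distance and flags a step-up when the implied speed exceeds a plausible limit. The 900 km/h threshold and the three sample login events are constructed assumptions.

```python
import math
from datetime import datetime, timezone

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = math.sin(d_phi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def assess_login(previous, current, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return ("allow" | "step_up", implied_speed_kmh) for `current` given the prior login."""
    if previous is None:
        return "allow", 0.0  # first login we have seen: nothing to compare against
    km = haversine_km(previous["lat"], previous["lon"], current["lat"], current["lon"])
    hours = (current["ts"] - previous["ts"]).total_seconds() / 3600.0
    if hours <= 0:
        # Same instant or clock skew: two sessions from different places at once is itself risky.
        return ("step_up" if km > 0 else "allow"), float("inf") if km > 0 else 0.0
    speed = km / hours
    return ("step_up" if speed > max_kmh else "allow"), speed


def evaluate(events):
    """Walk a user's logins in time order and decide, per login, whether to demand step-up MFA."""
    decisions, previous = [], None
    for event in sorted(events, key=lambda e: e["ts"]):
        decision, speed = assess_login(previous, event)
        decisions.append((event["ts"].isoformat(), decision, round(speed)))
        previous = event
    return decisions


def sample_decisions():
    # Constructed telemetry: two logins from Amsterdam, then one from São Paulo 45 minutes later.
    events = [
        {"ts": datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc), "lat": 52.37, "lon": 4.90},
        {"ts": datetime(2024, 1, 1, 9, 30, tzinfo=timezone.utc), "lat": 52.37, "lon": 4.90},
        {"ts": datetime(2024, 1, 1, 10, 15, tzinfo=timezone.utc), "lat": -23.55, "lon": -46.63},
    ]
    return evaluate(events)


if __name__ == "__main__":
    for when, decision, speed in sample_decisions():
        print(when, decision, f"{speed} km/h")
```

A step-up decision should trigger a stronger factor or a block, not merely a second push prompt, otherwise the policy feeds the MFA fatigue problem described in the FAQ below. Geolocation of IP addresses is coarse, so production rules usually add an allow-list for known VPN egress points and a minimum distance before the speed test applies.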


Frequently asked questions

What is the most secure form of MFA?

Hardware keys using the FIDO2 standard are the most secure form of MFA. They use public-key cryptography to verify the legitimacy of the website and resist phishing, SIM swapping, and interception attacks. FIDO2 keys (like YubiKeys) are resistant to real-time phishing proxies because they verify the domain they're authenticating to. Biometric factors (fingerprint, face) are also strong but depend on device hardware. SMS OTP is the weakest; it's vulnerable to SIM swapping and network interception. TOTP (time-based one-time passwords from authenticator apps) is stronger than SMS but still vulnerable to social engineering and credential-stealing proxies.

Can real-time phishing proxies bypass MFA?

Real-time phishing proxies can bypass traditional MFA (SMS, TOTP, push notifications) by relaying authentication requests in real time to the legitimate server and capturing session tokens. The attacker creates a proxy website that looks like the real site, intercepts the user's login credentials, forwards them to the real server in real time, and relays the MFA challenge back to the user. When the user approves the MFA prompt, the attacker's proxy captures the resulting session token. This attack chain requires sophisticated setup but is increasingly common against high-value targets. Defense requires using FIDO2 hardware keys (which verify domain) combined with security awareness training so users don't enter credentials on unexpected login pages.
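The two answers above turn on one mechanism: a FIDO2 authenticator signs over the relying-party identifier and origin that the browser reports, and the server rejects any assertion whose signed origin is not its own. The added example below (written for this page, not code from the glossary, from the FIDO Alliance or from any library) models that exchange in pure Python. The domains bank.example and bank-login.example, the user "alice", and the use of HMAC in place of the authenticator's ECDSA signature are assumptions made so the example runs with the standard library; the verification order (origin, challenge, rpIdHash, signature) follows the WebAuthn specification.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed names for the example.
BANK_RP_ID, BANK_ORIGIN = "bank.example", "https://bank.example"
PROXY_RP_ID, PROXY_ORIGIN = "bank-login.example", "https://bank-login.example"


class Authenticator:
    """Models a FIDO2 key: each credential is scoped to the rpId it was registered for, and the
    key signs over the rpId and origin the BROWSER supplies from the page actually loaded."""

    def __init__(self):
        self.credentials = {}  # rpId -> credential secret

    def register(self, rp_id):
        key = os.urandom(32)
        self.credentials[rp_id] = key
        return key  # a real key hands the RP a public key; HMAC is the stand-in here

    def get_assertion(self, rp_id, origin, challenge):
        key = self.credentials.get(rp_id)
        if key is None:
            return None  # no credential for this rpId: the key has nothing to sign with
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
        ).encode()
        signed = auth_data + hashlib.sha256(client_data).digest()
        signature = hmac.new(key, signed, hashlib.sha256).digest()  # stand-in for ECDSA
        return {"auth_data": auth_data, "client_data": client_data, "signature": signature}


class RelyingParty:
    """Server-side checks in WebAuthn order: origin, challenge, rpIdHash, then signature."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.keys = {}        # user -> credential secret (a public key in a real deployment)
        self.challenges = {}  # user -> outstanding challenge, consumed on first use

    def register(self, user, key):
        self.keys[user] = key

    def new_challenge(self, user):
        challenge = base64.urlsafe_b64encode(os.urandom(32)).decode().rstrip("=")
        self.challenges[user] = challenge
        return challenge

    def verify(self, user, assertion):
        if assertion is None or user not in self.keys:
            return False
        expected_challenge = self.challenges.pop(user, "")  # single use: replays fail here
        client = json.loads(assertion["client_data"])
        if client.get("type") != "webauthn.get" or client.get("origin") != self.origin:
            return False  # signed origin is not ours: the user was on some other site
        if not hmac.compare_digest(client.get("challenge", ""), expected_challenge):
            return False
        if assertion["auth_data"][:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False  # credential was scoped to a different rpId
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected_sig = hmac.new(self.keys[user], signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected_sig, assertion["signature"])


def setup():
    key, rp = Authenticator(), RelyingParty(BANK_RP_ID, BANK_ORIGIN)
    rp.register("alice", key.register(BANK_RP_ID))
    return key, rp


def legitimate_login():
    key, rp = setup()
    challenge = rp.new_challenge("alice")
    # The browser is on the real site, so it passes the real rpId and origin to the key.
    return rp.verify("alice", key.get_assertion(BANK_RP_ID, BANK_ORIGIN, challenge))


def proxied_login():
    key, rp = setup()
    challenge = rp.new_challenge("alice")  # the proxy relays the genuine challenge unchanged
    # The browser is on the lookalike domain, so it passes THAT rpId and origin to the key.
    return rp.verify("alice", key.get_assertion(PROXY_RP_ID, PROXY_ORIGIN, challenge))


def replayed_login():
    key, rp = setup()
    challenge = rp.new_challenge("alice")
    assertion = key.get_assertion(BANK_RP_ID, BANK_ORIGIN, challenge)
    return rp.verify("alice", assertion), rp.verify("alice", assertion)  # second use fails
```

Notice that the user did nothing different in the proxied case; the phishing-resistance comes from the browser and the key, which is why the FAQ lists domain verification, not user vigilance, as the control that actually closes the proxy gap. Awareness training still matters for the factors that lack this binding.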

Should we enforce MFA for all users or just administrators?

Enforce MFA for all users, not just administrators. Attackers target regular users because MFA adoption is lower there; a compromised user account can be used for lateral movement, data theft, or malware distribution. Microsoft data shows that accounts without MFA are compromised 300x more frequently than those with MFA. Compliance frameworks (SOC 2, ISO 27001, NIS2) increasingly require MFA for all user access, not just administrative access. The exception is critical systems: administrative access, email, VPN, and cloud platforms should have stronger MFA requirements or additional controls (hardware keys, anomaly detection).

How do we handle MFA fatigue attacks?

MFA fatigue attacks exploit users by sending repeated MFA push notifications, overwhelming them into approving one. Defense includes: limiting the number of MFA challenges per user per hour, implementing time-window restrictions (MFA challenges older than 1 minute expire), educating users never to approve unexpected MFA prompts, and using hardware keys or TOTP instead of push notifications. Some organizations add friction by requiring users to type a number from the suspicious login attempt on their phone, confirming they're not blindly approving prompts. Conditional access policies that flag impossible-travel scenarios can prevent the initial suspicious login attempt, avoiding the fatigue attack entirely.
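The controls listed in this answer (a cap on challenges per user per hour, a one-minute expiry, and number matching) are straightforward to build into a push-MFA issuer. The example below is added for this page and is not code from the glossary or from any MFA product; the cap of five challenges per hour, the user "bob", the event names written to the log, and the injectable clock are assumptions chosen for the demonstration. The scenario function reproduces the prompt bombardment described above purely to show that each control refuses the login and leaves a detectable event behind.

```python
import secrets
import time
from collections import deque


class PushChallengeService:
    """Push-MFA issuer with three fatigue controls: hourly rate limit, short TTL, number matching."""

    def __init__(self, max_per_hour=5, ttl_seconds=60, clock=time.time):
        self.max_per_hour, self.ttl, self.clock = max_per_hour, ttl_seconds, clock
        self.history = {}  # user -> deque of challenge issue times within the last hour
        self.pending = {}  # user -> the single live challenge for that user
        self.log = []      # (time, user, event) records for the SOC to alert on

    def request_challenge(self, user):
        """Called by the login flow after a correct password; returns None when rate-limited."""
        now = self.clock()
        times = self.history.setdefault(user, deque())
        while times and now - times[0] >= 3600:
            times.popleft()
        if len(times) >= self.max_per_hour:
            self.log.append((now, user, "mfa_rate_limited"))
            return None  # stops the bombardment and is itself a strong detection signal
        times.append(now)
        challenge = {"id": secrets.token_hex(8), "number": secrets.randbelow(100), "issued_at": now}
        self.pending[user] = challenge
        return challenge  # login screen shows `number`; the phone app asks the user to type it

    def approve(self, user, challenge_id, typed_number):
        """Called when the phone app reports the user's response to a specific challenge."""
        now = self.clock()
        challenge = self.pending.get(user)
        if challenge is None or challenge["id"] != challenge_id:
            return False
        self.pending.pop(user)  # every outcome below consumes the challenge
        if now - challenge["issued_at"] > self.ttl:
            self.log.append((now, user, "mfa_expired"))
            return False
        if typed_number != challenge["number"]:
            self.log.append((now, user, "mfa_number_mismatch"))
            return False  # a blind tap cannot supply the number shown on the real login screen
        return True


class FakeClock:
    """Controllable clock so the scenario runs instantly and deterministically."""

    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def fatigue_scenario():
    """Exercise each control once and report what the service did."""
    clock = FakeClock()
    svc = PushChallengeService(max_per_hour=3, ttl_seconds=60, clock=clock)
    issued = [svc.request_challenge("bob") for _ in range(5)]      # five prompts in a burst
    limited = sum(1 for c in issued if c is None)                  # last two refused
    live = svc.pending["bob"]
    blind = svc.approve("bob", live["id"], (live["number"] + 1) % 100)  # tap without the number
    clock.advance(3600)
    stale = svc.request_challenge("bob")
    clock.advance(61)                                              # user responds too late
    expired = svc.approve("bob", stale["id"], stale["number"])
    clock.advance(3600)
    fresh = svc.request_challenge("bob")
    ok = svc.approve("bob", fresh["id"], fresh["number"])          # the one legitimate path
    return {"limited": limited, "blind": blind, "expired": expired, "ok": ok,
            "events": [event for _, _, event in svc.log]}


if __name__ == "__main__":
    print(fatigue_scenario())
```

Wire the three log events into the SIEM: a burst of `mfa_rate_limited` or `mfa_number_mismatch` for one account is the signature of a fatigue attempt and a reliable indicator that the password is already in an attacker's hands, so the response is a password reset and session revocation, not just blocking the prompts.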